Hybrid DDoS worm strikes MS servers

By Wendy McAuliffe, ZDNet UK
26 November 2001 08:53 AM
Tags: software tool, security, worm, server, flaw, hole, sql, bot
A known vulnerability in Microsoft SQL Server systems is being targeted by a hybrid worm that combines a distributed denial of service (DDoS) attack with the automated propagation techniques used by worms such as Code Red.

US-based security company SecurityFocus noticed a rapidly growing network of controlled agents known as bots last week, which reportedly increased by 600 percent in the space of six hours. The bots were being used to launch DDoS attacks on systems wrongly configured with Microsoft SQL Server software.

Mark Read, security analyst at MIS Corporate Defence Solutions, said, "When you install SQL, at no point does it ask you for an administrator username and password -- this is installed as standard, and once it is up and running the password still remains blank." He added, "If the SQL server is accessible from the Internet, people can log in using a blank password and have full access to the database, as well as the underlying operating system."

SecurityFocus said the hybrid tool has been named "Voyager Alpha Force", and is human controlled through Internet Relay Chat (IRC) communications. The bots are set up on a password-protected IRC channel, where they monitor any conversations taking place. A DDoS attack is launched when an attacker logs onto the channel and types in a command, which is then recognised and acted upon by the bots. Affected servers will then scan netblocks for other vulnerable SQL servers on port 1433, and will try to log on and run the malicious code.

Voyager Alpha Force is unlikely to cause the same scale of damage as inflicted by Code Red and Nimda, because SQL Server is not as widely used as Microsoft IIS Server, which those worms used to propagate. "The issue with the IIS exploit that affected Code Red is that it was an unpatched service and went through a normal HTTP Web port, allowing normal Internet traffic through," said Read. "The SQL vulnerability is not as bad, as providing that it is correctly configured, it shouldn't allow traffic through to the server directly."

SecurityFocus is recommending that companies running SQL Server check that their account does not have a blank password, and use a firewall to block port 1433.
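
The netblock scanning described above shows up in firewall logs as a single source contacting many distinct hosts on port 1433, including attempts the firewall denies. The following is an added example, not code from the article or from SecurityFocus; the log format, addresses and threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Assumed log format for this example (not from the article):
# <timestamp> <ALLOW|DENY> TCP <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def build_sample_log():
    """Constructed sample data: one scanner, one normal DB client, one web client."""
    lines = []
    for i in range(1, 9):   # host sweeping a netblock on 1433, blocked by the firewall
        lines.append(f"2001-11-26T09:00:{i:02d} DENY TCP 10.0.5.20:{3000 + i} -> 192.0.2.{i}:1433")
    for i in range(3):      # application server talking to its single database
        lines.append(f"2001-11-26T09:01:{i:02d} ALLOW TCP 10.0.5.30:{4000 + i} -> 10.0.9.5:1433")
    for i in range(1, 9):   # many destinations, but ordinary web traffic
        lines.append(f"2001-11-26T09:02:{i:02d} ALLOW TCP 10.0.5.40:{5000 + i} -> 198.51.100.{i}:80")
    lines.append("malformed line that the parser skips")
    return "\n".join(lines)

def find_1433_scanners(log_text, min_targets=5):
    """Return {source_ip: distinct_destination_count} for sources that contacted
    at least min_targets distinct hosts on TCP 1433. Denied attempts are counted
    too: a blocked sweep still identifies the host doing the scanning."""
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("dport") != "1433":
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}

if __name__ == "__main__":
    for src, count in find_1433_scanners(build_sample_log()).items():
        print(f"{src} contacted {count} distinct hosts on port 1433")
```

The threshold needs tuning per network: a legitimate client usually talks to a small, stable set of database servers, so a sudden rise in distinct port 1433 destinations from one host is the signal to investigate.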
