A complete revision history can be found at the end of this file.
Systems Affected
Overview
The CERT/CC has received reports of systems being compromised
through the automated exploitation of null or weak default sa
passwords in Microsoft SQL Server and Microsoft Data Engine (MSDE). This
activity is accompanied by high volumes of scanning, and appears to be
related to recently discovered self-propagating malicious code,
referred to by various sources as Spida, SQLsnake, and Digispid.
I. Description
Reports received by the CERT/CC indicate that the Spida worm scans
for systems listening on port 1433/tcp. Once connected, it attempts to use the
xp_cmdshell extended stored procedure to enable and set a password for the guest user.
If successful, the worm then
Once the local copy is executing on the victim system, the worm begins scanning for other systems to infect. It also attempts to email a copy of the local password (SAM) database, network configuration information, and other SQL Server configuration information to a fixed address (ixtld@postone.com).
The attack used by the Spida worm is similar to that used by the Kaiten malicious code described in IN-2001-13. Additional information on null default sa passwords in Microsoft SQL Server can be found in VU#635463.
The scanning activity of the Spida worm may cause denial-of-service conditions on compromised systems, and it has been reported to cause high traffic volumes even on networks with no compromised hosts.
Information about the victim system's configuration and accounts may be disclosed by the email the worm attempts to send.
By leveraging a null default sa password, an attacker may execute arbitrary operating-system commands (for example, through xp_cmdshell) in the security context in which the Microsoft SQL Server services are running. While site-specific configurations may vary, SQL Server is typically run with system-level privileges.
During the course of the Spida worm's execution, a number of files are created on the victim system. These include
Outbound scanning for other systems on port 1433/tcp, or attempts to send email to ixtld@postone.com, may also indicate a compromised system.
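The two network indicators above (a host fanning out to many systems on 1433/tcp, and mail addressed to ixtld@postone.com) can be checked mechanically against flow and mail-relay logs. The following is an added example, not part of the CERT note, that runs that logic over a small set of constructed records; the record layout, the 20-host/60-second fan-out threshold, and the sample addresses are assumptions chosen for illustration.

```python
from collections import defaultdict

SPIDA_MAIL_DROP = "ixtld@postone.com"  # exfiltration address named in the note
SQL_PORT = 1433                        # default Microsoft SQL Server listener
FANOUT_THRESHOLD = 20                  # assumed: distinct 1433/tcp targets that count as scanning
WINDOW_SECONDS = 60                    # assumed: sliding window for the fan-out count


def parse_line(line):
    """Parse one log record into a dict, or return None for anything else.

    Two constructed record layouts are assumed:
      <epoch> FLOW <src_ip> <dst_ip> <proto> <dst_port>
      <epoch> SMTP <src_ip> RCPT <address>
    """
    fields = line.split()
    if (len(fields) == 6 and fields[1] == "FLOW"
            and fields[0].isdigit() and fields[5].isdigit()):
        ts, _, src, dst, proto, dport = fields
        return {"ts": int(ts), "kind": "flow", "src": src, "dst": dst,
                "proto": proto.lower(), "dport": int(dport)}
    if (len(fields) == 5 and fields[1] == "SMTP"
            and fields[3] == "RCPT" and fields[0].isdigit()):
        ts, _, src, _, rcpt = fields
        return {"ts": int(ts), "kind": "smtp", "src": src, "rcpt": rcpt.lower()}
    return None


def peak_fanout(hits, window):
    """Largest number of distinct destinations reached within `window` seconds.

    `hits` is a list of (timestamp, destination) pairs for a single source.
    """
    hits = sorted(hits)
    counts = defaultdict(int)  # destination -> occurrences inside the current window
    peak = 0
    j = 0
    for i in range(len(hits)):
        # grow the window's right edge to cover everything within `window` of hits[i]
        while j < len(hits) and hits[j][0] - hits[i][0] <= window:
            counts[hits[j][1]] += 1
            j += 1
        peak = max(peak, len(counts))
        # slide the left edge past hits[i]
        counts[hits[i][1]] -= 1
        if counts[hits[i][1]] == 0:
            del counts[hits[i][1]]
    return peak


def find_suspects(lines, threshold=FANOUT_THRESHOLD, window=WINDOW_SECONDS):
    """Return {src_ip: [reasons]} for every source matching either Spida indicator."""
    reasons = defaultdict(list)
    sql_hits = defaultdict(list)  # src -> [(ts, dst)] for connections to 1433/tcp
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # malformed or unrelated record
        if rec["kind"] == "smtp":
            if rec["rcpt"] == SPIDA_MAIL_DROP:
                reasons[rec["src"]].append("mail to " + SPIDA_MAIL_DROP)
        elif rec["proto"] == "tcp" and rec["dport"] == SQL_PORT:
            sql_hits[rec["src"]].append((rec["ts"], rec["dst"]))
    for src, hits in sql_hits.items():
        peak = peak_fanout(hits, window)
        if peak >= threshold:
            reasons[src].append("%d distinct hosts on %d/tcp within %ds"
                                % (peak, SQL_PORT, window))
    return dict(reasons)


# Constructed sample records (not real traffic): one host scanning 25 targets,
# one host repeatedly using a single SQL Server, one host mailing the drop address.
SAMPLE_LOG = [
    "1022100000 FLOW 10.0.0.7 10.0.1.1 tcp 1433",
    "1022100005 FLOW 10.0.0.7 10.0.1.1 tcp 1433",
    "1022100010 FLOW 10.0.0.9 10.0.1.2 tcp 1433",
    "1022100012 SMTP 10.0.0.9 RCPT IXTLD@postone.com",
    "1022100020 FLOW 10.0.0.5 10.0.1.3 udp 1433",
    "this line is not a log record",
] + ["%d FLOW 10.0.0.5 10.0.2.%d tcp 1433" % (1022100030 + i, i) for i in range(1, 26)]

if __name__ == "__main__":
    for src, why in sorted(find_suspects(SAMPLE_LOG).items()):
        print(src, "; ".join(why))
```

A host that legitimately talks to one SQL Server many times is not flagged, because the count is of distinct destinations rather than connections; tune the threshold to the site's normal 1433/tcp fan-out. The mail indicator needs no tuning, since no legitimate traffic should be addressed to that mailbox.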
If you believe a system under your administrative control may have been compromised, please refer to
Following best practices, passwords should never be left with a null or easily guessed value. Ensure that a password has been assigned to the sa account on Microsoft SQL Servers under your control.
Note that when installing Microsoft SQL Server 2000, the application prompts for an sa password. If a null password is entered, a warning is displayed, but the installer still permits the null password to be used.
Instructions to change the SQL Server password are located at
Instructions to change the MSDE password can be found at
Additional information on securing Microsoft SQL Server can be found at
Filtering packets destined for 1433/tcp and for other services that are not explicitly required can also prevent intruders from connecting to backdoors on compromised systems.
As mentioned in the Description section above, the worm attempts to send configuration information and the local password database to ixtld@postone.com. Blocking email to this address can reduce the risk of confidential information being exposed by the Spida worm. However, as with the egress filtering recommendation above, this only blocks systems that are already infected, so it is not sufficient to block the email without taking other precautionary steps as described above.
Microsoft Corporation has released Microsoft Security Bulletin MS02-020, which announces the availability of a cumulative patch to address a variety of problems. While this patch does not address null sa passwords, it does fix a number of serious security issues. We strongly encourage you to read this bulletin and take the appropriate corrective measures. MS02-020 is available at
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#38873]".
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.
We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
If you prefer to use DES, please call the CERT hotline for more information.
CERT publications and other security information are available from our web site
To subscribe to the CERT mailing list for advisories and bulletins, send email to
majordomo@cert.org. Please include in the body of your message

subscribe cert-advisory
* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.
NO WARRANTY
Any material furnished by Carnegie Mellon University and the
Software Engineering Institute is furnished on an "as is"
basis. Carnegie Mellon University makes no warranties of any kind,
either expressed or implied as to any matter including, but not
limited to, warranty of fitness for a particular purpose or
merchantability, exclusivity or results obtained from use of the
material. Carnegie Mellon University does not make any warranty of any
kind with respect to freedom from patent, trademark, or copyright
infringement.
Copyright 2002 Carnegie Mellon University.
Revision History
May 22, 2002: Initial release
May 23, 2002: Updated systems affected, added link for MSDE password change to Solutions