Worm Targets Microsoft SQL Servers Lacking Password
Tue May 21, 9:13 PM ET

SAN FRANCISCO (Reuters) - Owners of older versions of Microsoft Corp. SQL Server computers were warned on Tuesday to make sure they change the default password settings or risk being infected by what is believed to be an Internet worm.

Dubbed "SQLsnake," the worm looks for computers running SQL Server 7 Web database software, which shipped without administrator passwords.

If it finds no administrator password, the worm creates its own administrator account and password and e-mails a list of user names and passwords on the system to a free Web-based e-mail address, said Elias Levy, chief technology officer at security services provider SecurityFocus.

"We've seen as many as 1,400 to 1,600 infected machines," and about 100 new infections per hour, Levy said. "Obviously, someone is using this to collect accounts that they can then use to log back into the system."

The top two sources of the attacks are the United States and Korea, but that doesn't necessarily mean the worm originated in either of those countries, he said.

"Although the worm is not destructive to the infected host, it may generate a damaging level of network traffic when it scans for additional targets," said Internet Security Systems Inc.

SQL Server 2000, which was released in late 2000, does not ship with a blank password, and therefore is not vulnerable, said Mark Miller, a security specialist in product support services at Microsoft. It either prompts users for a password or allows them to choose an existing Windows password, he said.

The company noticed increased scanning of ports, the digital equivalent of knocking on doors or turning the handles, of SQL Servers on the Internet last week and immediately began informing customers of the potential risk, Miller said.

There have been at least two other instances of worms targeting SQL Server, according to experts and anti-virus provider Web sites.

While the majority of worms target either e-mail programs or software that feeds up Web sites to browsers, the latest SQL Server worm is dangerous because it targets the databases on which e-commerce sites house sensitive information, said Amit Yoran, chief executive of managed security services provider RipTech.

"Worms are no longer just going after home users and Web sites," Yoran said. "They're going after e-commerce applications" and data.
