A new worm that targets Microsoft Corp.'s SQL Server database is making the rounds on the Internet, security experts warned this week.
Riptech Inc., a security services company in Alexandria, Virginia, that monitors companies' IT systems, said it detected a 100-fold increase Monday in the number of unique IP addresses targeting its customers that use SQL Server. Based on that increase, it advised customers that a SQLServer worm is spreading, said Tim Belcher, Riptech's chief technology officer.
"We're detecting thousands of new compromised systems per hour as this propagates," he said Tuesday.
Symantec Corp., Network Associates Inc. and SecurityFocus also are reporting proliferation of the worm, variously being referred to as SQLSnake, DoubleTap and DigiSpid.B.Worm. Despite the ominous-sounding names, experts said the worm is unlikely to cause widespread damage.
A Microsoft spokesman said the worm affects only systems running SQL Server Version 7.0 in which the system administrator password is blank, which is the default setting for that release. SQL Server 2000 does not default to a blank password, which means those systems are not affected, said Mark Miller, a Microsoft security specialist.
Microsoft issued a bulletin to enterprise customers Tuesday after it, too, noted an increase in the number of attempts to access SQL Servers that have blank passwords, he said. It recommended a series of steps they should take, the first being to make sure no system administrator passwords remain blank.
"I don't think we're looking at a fast-spreading worm, because most (SQL Server) administrators are taking the necessary steps," he said.
When a system becomes infected, the worm copies a series of files to the hard disk, including an executable that scans for other vulnerable servers to infect, experts said. Another executable locates user passwords on the system and sends them to an external e-mail address set up by the hacker.
Microsoft's Miller said those and other vulnerabilities would have been eliminated if customers had installed a patch issued April 17 and available on Microsoft's Web site. "It's not a new vulnerability," he said. "It's a case of not following best practices."
The worm is unlikely to spread itself widely enough to compromise Internet performance, Belcher said, calling the worm less severe than two of its predecessors, Nimda and Code Red. That's partly because SQL Server isn't as widely used as Microsoft's Internet Information Server, which was targeted by those worms.
"There's likely no Internet threat here, but it may have the unintended effect of going after financial firms, transaction-based Web sites and e-commerce sites" because many of them use SQL Server, Belcher said.
Microsoft's bulletin about the worm, issued Tuesday, is here: http://www.microsoft.com/security/security_bulletins/ms02020_sql.asp.
Meanwhile, Riptech advised its customers to review the configuration of all their systems and disable any that may be running SQL Server inadvertently. It also advised them to forbid remote access to the MSSQL daemon, saying only Web servers, internal applications and other trusted systems should be permitted to interact directly with the server.