The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL Server 2000 will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."
"Kaiten" made its initial appearance in August 2001 and is based on the "Knight" distributed attack tool mentioned in CA-2001-20 Continuing Threats to Home Users.
In reports received by the CERT/CC, installation of "Kaiten" was preceded by scans for hosts listening on 1433/tcp (MS-SQL). The infection process leverages sa accounts with null passwords to gain access to vulnerable systems. It then uses the xp_cmdshell stored procedure to initiate an FTP session from the victim system to a remote site. A copy of "Kaiten" is then downloaded and executed on the victim system.
Additional information on the null default sa password in Microsoft SQL Server, MSDE, and MMS is available in VU#635463.
Once the "Kaiten" code has begun execution on the victim system, it connects to an IRC server (on port 6667/tcp or 6669/tcp, according to reports received by the CERT/CC) to await further commands from the attacker. The attacker can then remotely issue commands to multiple compromised systems simultaneously, allowing compromised hosts to be used as DDoS agents, port scanners, etc. The attacker can also remotely reconfigure "Kaiten" via IRC to modify certain settings, including the IRC servers and channels it connects to.
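The infection sequence described above (inbound 1433/tcp probe, then outbound FTP fetch, then an IRC connection on 6667 or 6669) can be matched in connection logs. The following is an added detection example, not code from the CERT/CC or from the malicious code itself; the flow-log format and the sample lines are constructed for illustration.

```python
"""Detect the "Kaiten" install sequence in a simple connection (flow) log.

Assumed log format (constructed, not from the CERT/CC note):
    <epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto>
"""
from collections import defaultdict

# Constructed sample log: one scanner probing 1433/tcp across a subnet,
# and one probed host that then fetches a file via FTP and joins IRC.
SAMPLE_LOG = """\
1000 203.0.113.9 40001 192.0.2.10 1433 tcp
1001 203.0.113.9 40002 192.0.2.11 1433 tcp
1002 203.0.113.9 40003 192.0.2.12 1433 tcp
1003 203.0.113.9 40004 192.0.2.13 1433 tcp
1100 192.0.2.11 3321 198.51.100.7 21 tcp
1200 192.0.2.11 3322 198.51.100.44 6667 tcp
1300 192.0.2.12 3400 192.0.2.50 80 tcp
"""

SQL_PORT = 1433
FTP_PORT = 21
IRC_PORTS = {6667, 6669}  # ports named in the reports received by the CERT/CC


def parse_flows(text):
    """Parse flow lines into dicts; malformed or non-TCP lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6 or parts[5] != "tcp":
            continue
        ts, src, _sport, dst, dport, _proto = parts
        flows.append({"ts": int(ts), "src": src, "dst": dst, "dport": int(dport)})
    return flows


def find_sql_scanners(flows, min_targets=3):
    """Sources that probed 1433/tcp on at least min_targets distinct hosts."""
    targets = defaultdict(set)
    for f in flows:
        if f["dport"] == SQL_PORT:
            targets[f["src"]].add(f["dst"])
    return sorted(src for src, hosts in targets.items() if len(hosts) >= min_targets)


def find_likely_victims(flows):
    """Hosts probed on 1433/tcp that afterwards opened an outbound FTP
    session and then an IRC connection: the FTP-fetch-then-C2 pattern."""
    probed = {f["dst"]: f["ts"] for f in flows if f["dport"] == SQL_PORT}
    victims = []
    for host, t_probe in probed.items():
        outbound = [f for f in flows if f["src"] == host and f["ts"] > t_probe]
        ftp = [f["ts"] for f in outbound if f["dport"] == FTP_PORT]
        irc = [f["ts"] for f in outbound if f["dport"] in IRC_PORTS]
        if ftp and any(t > min(ftp) for t in irc):
            victims.append(host)
    return sorted(victims)
```

A real deployment would read the organisation's own firewall or NetFlow records instead of SAMPLE_LOG; the scanner heuristic alone also catches benign inventory tools, so treat it as a lead rather than a verdict.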
Additional information on denial-of-service tools, including "Kaiten/Knight," can be found in the CERT/CC's Trends in Denial of Service Attack Technology paper.
Through the use of the xp_cmdshell stored procedure, an attacker may execute arbitrary commands on the system in whatever security context the Microsoft SQL Server services are running in. This is typically a user with system-level privileges.
Furthermore, since "Kaiten" contains both DDoS and scanning tools, compromised systems may be used in attacks on other systems. Reports to the CERT/CC indicate that attacks using this functionality have occurred at multiple sites.
At least three variants of "Kaiten" have been found on compromised systems reported to the CERT/CC. The presence of any of these files on a system is a likely indicator that the system has been compromised.
If you believe a system under your administrative control may have been compromised, please refer to
Following best practices, passwords should never be left at their default value. Ensure that a password has been assigned to the sa account on Microsoft SQL Servers under your control.
Note that when installing Microsoft SQL 2000 Server, the application prompts for an sa password. If a null password is entered, a warning will be displayed, but the application will permit a null password to be used.
Instructions to change the password are located at
Additional information on securing Microsoft SQL Server can be found at
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#23969]".