"Kaiten" Malicious Code Installed by Exploiting Null Default Passwords in Microsoft SQL Server
Release Date: November 27, 2001Systems Affected
- Systems running Microsoft SQL Server or Microsoft SQL Server 2000 installed with mixed mode security enabled
- Systems running Microsoft Data Engine 1.0 (MSDE 1.0) or Microsoft SQL Server 2000 Desktop Engine (MSDE 2000) installed with mixed mode security enabled
- Systems running Tumbleweed's Secure Mail (MMS) versions 4.3, 4.5, and 4.6
Overview
The CERT/CC has received reports of a new variant of the "Kaiten" malicious code being installed through exploitation of null default sa passwords in Microsoft SQL Server and Microsoft Data Engine. (Microsoft SQL Server 2000 will allow a null sa password to be used, but this is not default behavior.) Various sources have referred to this malicious code as "W32/Voyager," "Voyager Alpha Force," and "W32/CBlade.worm."
Description
"Kaiten" made its initial appearance in August 2001 and is based on the "Knight" distributed attack tool mentioned in CA-2001-20 Continuing Threats to Home Users.
In reports received by the CERT/CC, installation of "Kaiten" was preceded by scans for hosts listening on 1433/tcp (MS-SQL). The infection process leverages sa accounts with null passwords to gain access to vulnerable systems. It then uses the xp_cmdshell stored procedure to initiate an FTP session from the victim system to a remote site. A copy of "Kaiten" is then downloaded and executed on the victim system.
Additional information on the null default sa password in Microsoft SQL Server, MSDE, and MMS is available in VU#635463.
Once the "Kaiten" code has begun execution on the victim system, it connects to an IRC server (on port 6667/tcp or 6669/tcp, according to reports received by the CERT/CC) to await further commands from the attacker. The attacker can then remotely issue commands to multiple compromised systems simultaneously, allowing compromised hosts to be used as DDoS agents, port scanners, etc. The attacker can also remotely reconfigure "Kaiten" via IRC to modify certain settings, including the IRC servers and channels it connects to.
Additional information on denial-of-service tools, including "Kaiten/Knight," can be found in in the CERT/CC's Trends in Denial of Service Attack Technology paper.
Impact
Through the use of the xp_cmdshell stored procedure, an attacker may execute arbitrary commands on the system in whatever security context the Microsoft SQL Server services are running in. This is typically a user with system-level privileges.
Furthermore, since "Kaiten" contains both DDoS and scanning tools, compromised systems may be used in attacks on other systems. Reports to the CERT/CC indicate that attacks using this functionality have occurred at multiple sites.
Solutions
Detection
At least three variants of "Kaiten" have been found on compromised systems reported to the CERT/CC. The presence of any of these files on a system is a likely indicator that the system has been compromised.
- rpcloc32.exe (md5 = 43d29ba076b4fd7952c936dc1737fcb4 )
- dnsservice.exe (md5 = 79386a78a03a1665803d8a65c04c8791 )
- win32mon.exe (md5 = 4cd44f24bd3d6305df73d8aa16d4caa0 )
Reaction
If you believe a system under your administrative control may have been compromised, please refer to
Protection
Set a non-null sa password
Following best practices, passwords should never be left at their default value. Ensure that a password has been assigned to the sa account on Microsoft SQL Servers under your control.
Note that when installing Microsoft SQL 2000 Server, the application prompts for an sa password. If a null password is entered a warning will be displayed, but the application will permit a null password to be used.
Instructions to change the password are located at
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ modadmin/html/deconchangingsqlserveradministratorlogin.asp
- http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ adminsql/ad_1_server_5un8.asp
Additional information on securing Microsoft SQL Server can be found at
Ingress filtering
Ingress filtering manages the flow of traffic as it enters a network under your administrative control. Servers are typically the only machines that need to accept inbound connections from the public Internet. In the network usage policy of many sites, there are few reasons for external hosts to initiate inbound connections to machines that provide no public services. Thus, ingress filtering should be performed at the border to prohibit externally initiated inbound connections to non-authortized services. With "Kaiten," ingress filtering of port 1433/tcp could prevent attackers outside of your network from scanning or infecting vulnerable MS-SQL servers in the local network that are not explicitly authorized to provide public SQL services.Egress filtering
Egress filtering manages the flow of traffic as it leaves a network under your administrative control. There is typically limited need for machines providing public services to initiate outbound connections to the Internet. In the case of "Kaiten," employing egress filtering on the standard IRC ports (6660-6669/tcp) at your network border can help prevent systems on your network from being controlled by remote attackers via IRC. It should be noted, however, that an attacker might run IRC services on non-standard ports, and that "Kaiten" can be reconfigured to use a different port for connections to a control channel. Therefore, egress filtering alone does not provide a complete solution to the problem.Reporting
The CERT/CC is interested in receiving reports of this activity. If machines under your administrative control are compromised, please send mail to cert@cert.org with the following text included in the subject line: "[CERT#23969]".
Author(s): Allen Householder
Copyright 2001 Carnegie Mellon University.
Revision History
November 27, 2001: Initial Release November 28, 2001: Added link to MS SQL security page December 21, 2001: Clarified Microsoft product nomenclature