The CERT Coordination Center publishes incident notes to provide
information about incidents to the Internet community.

<h2>"Kaiten" Malicious Code Installed by Exploiting Null Default
Passwords in Microsoft SQL Server
</h2>

Release Date: November 27, 2001<br/>
<a name="affected">
<h3>Systems Affected</h3>
<ul>
<li>Systems running Microsoft SQL Server or Microsoft SQL
Server 2000 installed with mixed mode security enabled</li>
<li>Systems running Microsoft Data Engine 1.0 (MSDE 1.0) or Microsoft
SQL Server 2000 Desktop Engine (MSDE 2000) installed with mixed mode
security enabled</li>
<li>Systems running Tumbleweed's Secure Mail (MMS) versions 4.3, 4.5,
and 4.6</li>
</ul>
<a name="overview">
<h2>Overview</h2>
<p>The CERT/CC has received reports of a new variant of the "Kaiten"
malicious code being installed through exploitation of null default
<i>sa</i> passwords in Microsoft SQL Server and Microsoft Data
Engine. (Microsoft SQL Server 2000 will allow a null <i>sa</i>
password to be used, but this is not default behavior.) Various
sources have referred to this malicious code as "W32/Voyager,"
"Voyager Alpha Force," and "W32/CBlade.worm." </p>
<h2>Description</h2>
<p>"Kaiten" made its initial appearance in August 2001 and is based
on the "Knight" distributed attack tool mentioned in <a href="http://www.cert.org/advisories/CA-2001-20.html">CA-2001-20
Continuing Threats to Home Users</a>.  </p>
<p>In reports received by the CERT/CC, installation of "Kaiten" was
preceded by scans for hosts listening on 1433/tcp (MS-SQL).  The
infection process leverages <i>sa</i> accounts with null passwords to
gain access to vulnerable systems.  It then uses the <font face="courier">xp_cmdshell</font> stored procedure to initiate an FTP
session from the victim system to a remote site.  A copy of "Kaiten"
is then downloaded and executed on the victim system.</p>
<p>Additional information on the null default <i>sa</i> password in
Microsoft SQL Server, MSDE, and MMS is available in <a href="http://www.kb.cert.org/vuls/id/635463">VU#635463</a>.

<p> Once the "Kaiten" code has begun execution on the victim system,
it connects to an IRC server (on port 6667/tcp or 6669/tcp, according
to reports received by the CERT/CC) to await further commands from the
attacker.  The attacker can then remotely issue commands to multiple
compromised systems simultaneously, allowing compromised hosts to be
used as DDoS agents, port scanners, etc.  The attacker can also
remotely reconfigure "Kaiten" via IRC to modify certain settings,
including the IRC servers and channels it connects to.</p>
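<p>The infection sequence described above (an external sweep of 1433/tcp, a
login that succeeds because the <i>sa</i> password is null, an outbound FTP
fetch driven through <font face="courier">xp_cmdshell</font>, then an outbound
IRC connection to the control channel) is visible at the network border even
when the host itself has not yet been examined. The Python script below is an
added example written for this note, not tooling from the CERT/CC. It
correlates constructed firewall log lines into that chain per internal host
and separately lists external hosts that swept 1433/tcp. The log line format,
the internal address ranges, and the correlation window are assumptions for
the example; adapt <font face="courier">parse_line()</font> and
<font face="courier">INTERNAL</font> to what your border device actually emits.</p>

```python
"""Reconstruct the "Kaiten" infection chain from border firewall logs.

Added example, not part of the CERT/CC incident note. The log line format
(timestamp, action, proto, src:port -> dst:port), the internal address ranges
and the time window are assumptions; adapt them to your own environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

MSSQL_PORT = 1433
FTP_PORTS = {20, 21}                   # xp_cmdshell-driven FTP download
IRC_PORTS = set(range(6660, 6670))     # 6667/tcp and 6669/tcp seen in reports

INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ACCEPT|DROP) "
    r"(?P<proto>tcp|udp) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log (not real data): one external host sweeps 1433/tcp,
# 10.0.0.5 accepts the connection, then fetches a binary over FTP and joins
# IRC. 10.0.0.9 is an ordinary IRC user; 10.0.0.6 is a reachable SQL server
# with no follow-on activity. Neither of those should be flagged.
SAMPLE_LOG = """\
2001-11-26 02:14:01 DROP tcp 203.0.113.7:4021 -> 10.0.0.4:1433
2001-11-26 02:14:01 ACCEPT tcp 203.0.113.7:4022 -> 10.0.0.5:1433
2001-11-26 02:14:02 ACCEPT tcp 203.0.113.7:4023 -> 10.0.0.6:1433
2001-11-26 02:14:02 DROP tcp 203.0.113.7:4024 -> 10.0.0.7:1433
2001-11-26 02:14:40 ACCEPT tcp 10.0.0.5:1044 -> 198.51.100.20:21
2001-11-26 02:15:12 ACCEPT tcp 10.0.0.5:1045 -> 198.51.100.30:6667
2001-11-26 02:20:00 ACCEPT tcp 10.0.0.9:2201 -> 198.51.100.40:6667
2001-11-26 03:00:00 ACCEPT tcp 192.0.2.10:5555 -> 10.0.0.6:1433
garbage line the parser must skip
""".splitlines()


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "action": m["action"], "proto": m["proto"],
        "src": m["src"], "sport": int(m["sport"]),
        "dst": m["dst"], "dport": int(m["dport"]),
    }


def is_internal(addr):
    a = ip_address(addr)
    return any(a in net for net in INTERNAL)


def match_chain(events, window):
    """Find sql -> ftp -> irc in time order, each step within `window` of the
    previous one. `events` is a time-sorted list of (kind, ts, peer)."""
    for i, (k1, t1, p1) in enumerate(events):
        if k1 != "sql":
            continue
        for k2, t2, p2 in events[i + 1:]:
            if k2 != "ftp" or t2 - t1 > window:
                continue
            for k3, t3, p3 in events[i + 1:]:
                if k3 == "irc" and t2 <= t3 <= t2 + window:
                    return {"sql_from": p1, "ftp_to": p2, "irc_to": p3}
    return None


def analyze(lines, window_minutes=30, scan_threshold=3):
    """Return {"compromised": {host: chain}, "scanners": {external src}}.
    A host is "compromised" only when all three steps appear in order; an
    external source is a "scanner" when it touched 1433/tcp on at least
    `scan_threshold` distinct internal hosts (accepted or dropped)."""
    window = timedelta(minutes=window_minutes)
    per_host = defaultdict(list)      # internal host -> [(kind, ts, peer)]
    scan_targets = defaultdict(set)   # external src -> {internal dst hit on 1433}
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["proto"] != "tcp":
            continue
        src_in, dst_in = is_internal(ev["src"]), is_internal(ev["dst"])
        if dst_in and not src_in and ev["dport"] == MSSQL_PORT:
            scan_targets[ev["src"]].add(ev["dst"])
            if ev["action"] == "ACCEPT":
                per_host[ev["dst"]].append(("sql", ev["ts"], ev["src"]))
        elif src_in and not dst_in and ev["action"] == "ACCEPT":
            peer = f"{ev['dst']}:{ev['dport']}"
            if ev["dport"] in FTP_PORTS:
                per_host[ev["src"]].append(("ftp", ev["ts"], peer))
            elif ev["dport"] in IRC_PORTS:
                per_host[ev["src"]].append(("irc", ev["ts"], peer))
    compromised = {}
    for host, events in per_host.items():
        events.sort(key=lambda e: e[1])
        chain = match_chain(events, window)
        if chain:
            compromised[host] = chain
    scanners = {src for src, hit in scan_targets.items() if len(hit) >= scan_threshold}
    return {"compromised": compromised, "scanners": scanners}


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for host, chain in report["compromised"].items():
        print(f"{host}: sql from {chain['sql_from']}, ftp to {chain['ftp_to']}, "
              f"irc to {chain['irc_to']}")
    print("1433/tcp scanners:", sorted(report["scanners"]))
```

<p>Requiring all three steps in order is what keeps the false-positive rate
tolerable: a legitimately exposed SQL server or a user who happens to use IRC
each produce one of the steps on their own. Because "Kaiten" can be
reconfigured to use other control ports, a host that shows the first two steps
but no IRC connection is still worth a look.</p>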
<p>Additional information on denial-of-service tools, including
"Kaiten/Knight," can be found in the CERT/CC's <a href="http://www.cert.org/archive/pdf/DoS_trends.pdf">Trends in Denial
of Service Attack Technology</a> paper.  </p>
<h2>Impact</h2>
<p>Through the use of the <font face="courier">xp_cmdshell</font>
stored procedure, an attacker may execute arbitrary commands on the
system in whatever security context the Microsoft SQL Server service
runs.  This is typically an account with system-level
privileges.</p>
<p>Furthermore, since "Kaiten" contains both DDoS and scanning
tools, compromised systems may be used in attacks on other systems.
Reports to the CERT/CC indicate that attacks using this functionality
have occurred at multiple sites.
</p>
<h2>Solutions</h2>
<h3>Detection</h3>
<p>At least three variants of "Kaiten" have been found on compromised
systems reported to the CERT/CC.  The presence of any of these files on a system is a likely indicator that the system has been compromised.</p>
<ul>
<li><font face="courier">rpcloc32.exe</font> (md5 = 43d29ba076b4fd7952c936dc1737fcb4 )</li>
<li><font face="courier">dnsservice.exe</font> (md5 = 79386a78a03a1665803d8a65c04c8791 )</li>
<li><font face="courier">win32mon.exe</font> (md5 = 4cd44f24bd3d6305df73d8aa16d4caa0 )</li>
</ul>
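<p>An added example, not part of the note: a Python sweep that hashes every
file under a directory tree and compares it against the three MD5s listed
above. Because the note itself records three variants with different hashes,
a file that carries one of the listed names but none of the listed hashes is
reported as a possible unlisted variant rather than cleared. The demonstration
tree it builds contains constructed placeholder files, not malware samples,
and the sweep root on a real system is whatever you pass in.</p>

```python
"""Sweep a directory tree for the "Kaiten" files listed in the incident note.

Added example, not from the CERT/CC note. The MD5s and filenames are the ones
the note publishes; the demo tree below holds constructed placeholder content
only, so the exact-hash path is exercised with a hash computed at run time.
"""
import hashlib
import os
import tempfile

# MD5 -> filename, as published in the incident note.
KAITEN_MD5 = {
    "43d29ba076b4fd7952c936dc1737fcb4": "rpcloc32.exe",
    "79386a78a03a1665803d8a65c04c8791": "dnsservice.exe",
    "4cd44f24bd3d6305df73d8aa16d4caa0": "win32mon.exe",
}


def md5_file(path, chunk=1 << 20):
    """Stream a file through MD5 so large binaries do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, iocs=KAITEN_MD5):
    """Walk `root` and return a sorted list of (path, verdict).

    verdict is "hash" for an exact match on a published MD5 and "name" for a
    file carrying one of the published filenames (case-insensitive) whose hash
    differs, i.e. a renamed binary or a variant not in the published list.
    """
    names = {n.lower() for n in iocs.values()}
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = md5_file(path)
            except OSError:
                continue  # locked or unreadable; a real sweep should log these
            if digest in iocs:
                findings.append((path, "hash"))
            elif name.lower() in names:
                findings.append((path, "name"))
    return sorted(findings)


def build_demo_tree():
    """Create a throwaway tree of constructed (non-malicious) files.

    Returns (root, {basename: full_path}). Two files reuse names from the note
    with placeholder content, so they match by name only; readme.txt is benign.
    """
    root = tempfile.mkdtemp(prefix="kaiten-demo-")
    layout = {
        "rpcloc32.exe": b"constructed placeholder, not the real sample",
        os.path.join("System32", "DNSService.EXE"): b"another constructed placeholder",
        "readme.txt": b"benign file",
    }
    paths = {}
    for rel, content in layout.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as f:
            f.write(content)
        paths[os.path.basename(rel)] = full
    return root, paths


if __name__ == "__main__":
    demo_root, demo_paths = build_demo_tree()
    for found, verdict in sweep(demo_root):
        print(f"{verdict:4s} {found}")
```

<p>Treat a "name" hit as a lead, not a verdict: the binary can be renamed or
rebuilt trivially, so on a suspect host combine the file sweep with the
network indicators (outbound FTP and IRC from a machine listening on 1433/tcp)
before deciding it is clean.</p>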
<h3>Reaction</h3>
<p>If you believe a system under your administrative control
may have been compromised, please refer to

<dl>
<dd><a href="http://www.cert.org/tech_tips/win-UNIX-system_compromise.html">Steps
for Recovering from a UNIX or NT System Compromise</a>
</dd>
</dl>
<h3>Protection</h3>
<h4>Set a non-null <i>sa</i> password</h4>
<p>Following best practices, passwords should never be left at their
default value.  Ensure that a password has been assigned to the
<i>sa</i> account on Microsoft SQL Servers under your control.</p>
<p>Note that when installing Microsoft SQL 2000 Server, the
application prompts for an <i>sa</i> password. If a null password is
entered a warning will be displayed, but the application will permit a
null password to be used.</p>
<p>Instructions to change the password are located at <br/>
<dl>
<dd><a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modadmin/html/deconchangingsqlserveradministratorlogin.asp">
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/modadmin/html/deconchangingsqlserveradministratorlogin.asp</a></dd>
<br/><br/>
<dd><a href="http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_1_server_5un8.asp">
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adminsql/ad_1_server_5un8.asp</a></dd>
</dl>
<p>Additional information on securing Microsoft SQL Server can be found at<br/>
<dl>
<dd><a href="http://www.microsoft.com/sql/techinfo/administration/2000/security.asp">http://www.microsoft.com/sql/techinfo/administration/2000/security.asp</a>
</dd>
</dl>
<h4>Ingress filtering</h4>

Ingress filtering manages the flow of traffic as it enters a network
under your administrative control.  Servers are typically the only
machines that need to accept inbound connections from the public
Internet.  In the network usage policy of many sites, there are few
reasons for external hosts to initiate inbound connections to machines
that provide no public services.  Thus, ingress filtering should be
performed at the border to prohibit externally initiated inbound
connections to non-authorized services.  With "Kaiten," ingress
filtering of port 1433/tcp could prevent attackers outside of your
network from scanning or infecting vulnerable MS-SQL servers in the
local network that are not explicitly authorized to provide public SQL
services.

<h4>Egress filtering</h4>

Egress filtering manages the flow of traffic as it leaves a network
under your administrative control.  There is typically limited need
for machines providing public services to initiate outbound
connections to the Internet. In the case of "Kaiten," employing egress
filtering on the standard IRC ports (6660-6669/tcp) at your network
border can help prevent systems on your network from being controlled
by remote attackers via IRC.  It should be noted, however, that an
attacker might run IRC services on non-standard ports, and that
"Kaiten" can be reconfigured to use a different port for connections
to a control channel.  Therefore, egress filtering alone does not
provide a complete solution to the problem.

<h2>Reporting</h2>
<p>The CERT/CC is interested in receiving reports of this activity.  If machines
under your administrative control are compromised, please send mail to 
<a href="mailto:cert@cert.org?Subject=[CERT%2323969]">cert@cert.org</a> with the following text included
in the subject line: "[CERT#23969]".</p>
<p>
<hr noshade="" width="100%"/>
<b>Author(s)</b>: Allen Householder<br/>
<p>Copyright 2001 Carnegie Mellon University.</p>
<p>Revision History
<pre>
November 27, 2001: Initial Release
November 28, 2001: Added link to MS SQL security page
December 21, 2001: Clarified Microsoft product nomenclature
</pre>



</p></p></p></p></p></p></a></a>