Keep an Eye Out for Phatbot Variants Targeting SQL Server

 
 
By Lisa Vaas  |  Posted 2004-04-20

Double-check SQL Server and MSDE security to prevent damage from possible Phatbot variants, warns Database Center Editor Lisa Vaas.

Reports of possible "super" security exploits have been swirling recently. From the Internet Storm Center at The SANS Institute on Sunday came an unconfirmed report indicating that exploits may target vulnerabilities announced by Microsoft last week. For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.
There's also been an uptick in scanning of port 1981 over the past 10 days or so, according to the Storm Center report, as well as probes hitting TCP ports 2745, 1025, 3127, 6129, 5000, 80 and MS NetBIOS.
When it comes to database security, though, it's recent probing of port 1433 that's particularly worrisome, since, according to this report by the Storm Center, such probing may well point to a new variant of the Phatbot worm that attempts to crack ports on Microsoft SQL Server database installations. Phatbot, aka Gaobot, sets systems to autostart the worm at boot time, tries to turn off a computer's security software, probes network shares as it tries to spread itself and attempts to stop processes started by other worms. According to my colleague Larry Seltzer, editor of eWEEK.com's Security Center, Phatbot also uses a built-in client to open a connection to a specific IRC channel and await commands. Whether this IRC client has been used to forge a "botnet" of systems for use in a distributed denial-of-service (DDoS) attack is still being debated, according to Seltzer.
I haven't yet heard exactly what tricks a Phatbot variant would pull on a SQL Server installation, and given that such a variant is just theoretical at this point, it would be conjecture to talk about it anyway. Besides, after Slammer sent the Internet reeling with its cyber-assault on SQL Server in January 2003, who wants to find out what the next SQL Server attack could do? But you have to wonder how vulnerable we are to such an attack. Are businesses still lagging on patch application, for example? Both Slammer and the recent Microsoft vulnerability exploits took advantage of weaknesses for which Microsoft had already issued fixes. Granted, the fix for Slammer was out for months before the ax fell, whereas the vulnerabilities for which Microsoft announced patches were unveiled only last week, so those two occurrences aren't necessarily comparable.



 
 
 
 
Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
 
 
 
 
 
 
 
