Keep an Eye Out for Phatbot Variants Targeting SQL Server

By Lisa Vaas  |  Posted 2004-04-20


Reports of possible "super" security exploits have been swirling recently. From the Internet Storm Center at The SANS Institute on Sunday came an unconfirmed report indicating that exploits may target vulnerabilities announced by Microsoft last week.


There's also been an uptick in scanning of port 1981 over the past 10 days or so, according to the Storm Center report, as well as probes hitting TCP ports 2745, 1025, 3127, 6129, 5000, 80 and Microsoft NetBIOS.

When it comes to database security, though, it's the recent probing of port 1433 that's particularly worrisome, since, according to this report by the Storm Center, such probing may well point to a new variant of the Phatbot worm that attempts to break into Microsoft SQL Server database installations through that port.

Phatbot, aka Gaobot, sets systems to autostart the worm at boot time, tries to turn off a computer's security software, probes network shares as it tries to spread itself and attempts to stop processes started by other worms.

According to my colleague Larry Seltzer, editor of eWEEK.com's Security Center, Phatbot also uses a built-in client to open a connection to a specific IRC channel and await commands. Whether this IRC client has been used to forge a "botnet" of systems for use in a distributed denial-of-service (DDoS) attack is still being debated, according to Seltzer.

I haven't yet heard exactly what tricks a Phatbot variant would pull on a SQL Server installation, and given that such a variant is just theoretical at this point, it would be conjecture to talk about it anyway. Besides, after Slammer sent the Internet reeling with its cyber-assault on SQL Server in January 2003, who wants to find out what the next SQL Server attack could do?

But you have to wonder how vulnerable we are to such an attack. Are businesses still lagging on patch application, for example? Both Slammer and the recent Microsoft vulnerability exploits took advantage of weaknesses for which Microsoft had already issued fixes.

Granted, the fix for Slammer was out for months before the ax fell, whereas the vulnerabilities for which Microsoft announced patches were unveiled only last week, so those two occurrences aren't necessarily comparable.


Slammer Lessons

At any rate, the feedback I'm getting is that, luckily, people learned their lesson from Slammer. As former PASS (Professional Association for SQL Server) board of directors member Brian Knight said to me, it was a hard lesson for many companies, but Slammer did cause them to lock down port 1433 via firewalls to Internet traffic. Knight is president and chief database architect of Fidelity National Financial, in Jacksonville, Fla.

John Pescatore, vice president and research director of Internet security for Gartner Inc., backed up what Knight told me. Gartner has seen that Slammer caused a lot of enterprises to clean up their acts around port 1433 and SQL Server, Pescatore said. If Phatbot goes after port 1433 and SQL Server, it will find far fewer targets than when Slammer was around. So for that, Slammer, you get a very begrudging thank-you.

That doesn't let database security watchers off the hook entirely, though. A bigger issue is that it's not just SQL Server that uses those ports and is vulnerable via them. MSDE (Microsoft SQL Server Desktop Engine) installations can use various ports, but very often port 1433 is the one the software uses.

Now, MSDE often winds up on PCs as part of third-party products such as project-management suites or Visual Studio, and many enterprises aren't even aware it's there, particularly since MSDE isn't a big resource hog.

MSDE was also a problem back when enterprises were scrambling to clean up after Slammer. Knight told me that while patching some 350 SQL Server installations, he uncovered another 115 MSDE boxes that he hadn't known existed and subsequently had to patch.

Obviously, MSDE sits on systems like a time bomb, making it imperative that enterprises ensure their network firewalls and personal firewalls block those ports wherever possible.

Do your business a favor: Do some vulnerability scanning. Make sure there are no MSDE components listening in on those ports. You can't change what port MSDE accesses, so you'll have to block it at the firewall level. If you haven't uncovered your MSDE time bombs already, do it now. Don't let a potential Phatbot variant or any other port 1433 exploit pull another Slammer on us.
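The inventory check the column recommends, as an added example written for this page (it is not code from eWEEK, from Knight's team or from Microsoft): a small TCP connect scan over hosts you administer that lists everything accepting a connection on port 1433 and then subtracts the SQL Server hosts the DBA team already knows about, so the leftovers are the unrecorded MSDE boxes. It assumes the listeners of interest use the default port the column discusses, and it does not fingerprint the service; the address block and inventory in the demo are constructed sample values.

```python
"""Added example: find hosts answering on TCP 1433 that are not in the known SQL Server inventory.

Illustrative code written for this article, not a tool from the article or from Microsoft.
Assumptions: you are scanning hosts you administer, and the listeners of interest accept
TCP connections on port 1433. The check reports which hosts accept a connection; it does
not identify whether the listener is SQL Server, MSDE or something else.
"""
import ipaddress
import socket
from concurrent.futures import ThreadPoolExecutor

SQL_SERVER_PORT = 1433  # default SQL Server / MSDE TCP port discussed in the article


def expand_targets(specs):
    """Turn host strings and CIDR blocks (e.g. '10.0.0.0/28') into a flat list of hosts."""
    hosts = []
    for spec in specs:
        try:
            net = ipaddress.ip_network(spec, strict=False)
        except ValueError:
            hosts.append(spec)  # a hostname; left for the resolver to handle
            continue
        if net.num_addresses == 1:
            hosts.append(str(net.network_address))
        else:
            hosts.extend(str(h) for h in net.hosts())
    return hosts


def port_accepts_connection(host, port, timeout=1.0):
    """Return True if a TCP connect to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or unresolvable: treated as not listening
        return False


def find_listeners(hosts, port=SQL_SERVER_PORT, timeout=1.0, workers=32):
    """Return the sorted list of hosts that accept a TCP connection on the given port."""
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda h: (h, port_accepts_connection(h, port, timeout)), hosts))
    return sorted(host for host, is_open in results if is_open)


def unexpected_listeners(listeners, known_sql_hosts):
    """Hosts that answer on the port but are absent from the known SQL Server inventory."""
    return sorted(set(listeners) - set(known_sql_hosts))


if __name__ == "__main__":
    # Constructed sample values: a small address block and the hosts known to run SQL Server.
    known_inventory = {"10.0.0.2", "10.0.0.3"}
    found = find_listeners(expand_targets(["10.0.0.0/28"]))
    for host in unexpected_listeners(found, known_inventory):
        print(f"{host}: port {SQL_SERVER_PORT} open but not in the SQL Server inventory")
```

Run it from a host that can reach the segment in question; anything it prints is a candidate for either patching and adding to the inventory or for a firewall rule, which is the choice the column leaves you with. Hosts behind a firewall that already drops 1433 will show as not listening, which is the state you want to confirm.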


Editor's Note: This story was changed from its original posting to correct Brian Knight's title.

