Keep an Eye Out for Phatbot Variants Targeting SQL Server

Double check SQL Server and MSDE security to prevent damage from possible Phatbot variants, warns Database Center Editor Lisa Vaas.

Reports of possible "super" security exploits have been swirling recently. From the Internet Storm Center at The SANS Institute on Sunday came an unconfirmed report indicating that exploits may target vulnerabilities announced by Microsoft last week.


For insights on security coverage around the Web, check out Security Center Editor Larry Seltzer's Weblog.

There's also been an uptick in scanning of port 1981 over the past 10 days or so, according to the Storm Center report, as well as probes hitting TCP ports 2745, 1025, 3127, 6129, 5000 and 80, and the Microsoft NetBIOS ports.

When it comes to database security, though, it's the recent probing of TCP port 1433, the default listener for Microsoft SQL Server and MSDE, that's particularly worrisome: according to this report by the Storm Center, such probing may well point to a new variant of the Phatbot worm that tries to break into SQL Server installations over that port.
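The practical question behind that report is whether your own perimeter logs show the same pattern: one source touching port 1433 on many hosts in a short time, which is a sweep rather than a client connecting to its database. The following is an added example (not code from the article, the Storm Center or any product) that parses a constructed, hypothetical firewall log format, counts hits on the ports named above, and flags a source as sweeping a port when it reaches a threshold of distinct target hosts inside a time window. The log format, the sample lines, the hosts and the thresholds are all assumptions made for the example.

```python
"""Flag hosts sweeping TCP 1433 (and the other probed ports) in firewall logs.

Added example; the log format below is invented for illustration and is not
any real firewall's syntax. Adjust LINE_RE for your own logs.
"""
import re
from collections import defaultdict
from datetime import datetime

# TCP ports the Storm Center report (as cited in the article) saw increased probing on.
WATCHED_PORTS = {1433, 1981, 2745, 1025, 3127, 6129, 5000, 80}

# A source that hits at least SWEEP_HOSTS distinct targets on one port within
# WINDOW_SECONDS is reported as sweeping that port (thresholds are assumptions).
SWEEP_HOSTS = 5
WINDOW_SECONDS = 60

# Hypothetical log line: "<date> <time> <action> TCP <src_ip>:<sport> -> <dst_ip>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>\w+) TCP "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log: one fast 1433 sweep (203.0.113.7), one slow one
# spread over ten minutes (203.0.113.9), a normal web client, and a junk line.
SAMPLE_LOG = """\
2004-03-22 09:00:01 DROP TCP 203.0.113.7:3012 -> 192.0.2.1:1433
2004-03-22 09:00:03 DROP TCP 203.0.113.7:3013 -> 192.0.2.2:1433
2004-03-22 09:00:05 DROP TCP 203.0.113.7:3014 -> 192.0.2.3:1433
2004-03-22 09:00:07 DROP TCP 203.0.113.7:3015 -> 192.0.2.4:1433
2004-03-22 09:00:09 DROP TCP 203.0.113.7:3016 -> 192.0.2.5:1433
2004-03-22 09:00:11 DROP TCP 203.0.113.7:3017 -> 192.0.2.6:1433
2004-03-22 09:00:12 DROP TCP 203.0.113.7:3018 -> 192.0.2.6:2745
2004-03-22 09:01:00 ALLOW TCP 198.51.100.4:40001 -> 192.0.2.10:80
2004-03-22 09:01:02 ALLOW TCP 198.51.100.4:40002 -> 192.0.2.10:80
2004-03-22 09:01:04 ALLOW TCP 198.51.100.4:40003 -> 192.0.2.10:80
2004-03-22 09:00:00 DROP TCP 203.0.113.9:1100 -> 192.0.2.1:1433
2004-03-22 09:02:30 DROP TCP 203.0.113.9:1101 -> 192.0.2.2:1433
2004-03-22 09:05:00 DROP TCP 203.0.113.9:1102 -> 192.0.2.3:1433
2004-03-22 09:07:30 DROP TCP 203.0.113.9:1103 -> 192.0.2.4:1433
2004-03-22 09:10:00 DROP TCP 203.0.113.9:1104 -> 192.0.2.5:1433
this line is garbage and is skipped
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def port_hit_counts(lines, ports=WATCHED_PORTS):
    """Total hits per watched destination port, for spotting an uptick."""
    counts = defaultdict(int)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in ports:
            counts[ev["dport"]] += 1
    return dict(counts)


def find_sweeps(lines, ports=WATCHED_PORTS, min_hosts=SWEEP_HOSTS, window=WINDOW_SECONDS):
    """Map (src, dport) -> max distinct targets seen inside one window of `window` seconds,
    for sources that reached `min_hosts` or more distinct targets on a watched port."""
    events = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        ev = parse_line(line)
        if ev and ev["dport"] in ports:
            events[(ev["src"], ev["dport"])].append((ev["ts"], ev["dst"]))

    sweeps = {}
    for key, hits in events.items():
        hits.sort()  # time order, so a sliding window works
        start = 0
        for end in range(len(hits)):
            # Drop hits from the front until the window is at most `window` seconds wide.
            while (hits[end][0] - hits[start][0]).total_seconds() > window:
                start += 1
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) >= min_hosts:
                sweeps[key] = max(sweeps.get(key, 0), len(distinct))
    return sweeps


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("hits per watched port:", port_hit_counts(lines))
    for (src, dport), hosts in find_sweeps(lines).items():
        print(f"SWEEP: {src} touched {hosts} hosts on TCP {dport} within {WINDOW_SECONDS}s")
```

With the defaults only 203.0.113.7 is reported; 203.0.113.9 hits the same five hosts but one every 150 seconds, so no 60-second window ever holds more than one target. Widening the window (for example to 600 seconds) catches that slower scanner too, at the cost of more false positives from legitimate multi-host clients, which is the trade-off to tune against your own baseline.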

Phatbot, aka Gaobot, configures infected systems to autostart the worm at boot time, tries to turn off a computer's security software, probes network shares in an attempt to spread, and attempts to stop processes started by other worms.

According to my colleague Larry Seltzer, editor of eWEEK.com's Security Center, Phatbot also uses a built-in client to open a connection to a specific IRC channel and await commands. Whether this IRC client has been used to forge a "botnet" of systems for use in a distributed denial-of-service (DDoS) attack is still being debated, according to Seltzer.

I haven't yet heard exactly what tricks a Phatbot variant would pull on a SQL Server installation, and given that such a variant is just theoretical at this point, it would be conjecture to talk about it anyway. Besides, after Slammer sent the Internet reeling with its cyber-assault on SQL Server in January 2003, who wants to find out what the next SQL Server attack could do?

But you have to wonder how vulnerable we are to such an attack. Are businesses still lagging on patch application, for example? Both Slammer and the exploits for the recent Microsoft vulnerabilities took advantage of weaknesses for which Microsoft had already issued fixes.

Granted, the fix for Slammer was out for months before the ax fell, whereas the patches for the vulnerabilities Microsoft announced last week had been available for only days, so the two occurrences aren't necessarily comparable.
