
    Keep an Eye Out for Phatbot Variants Targeting SQL Server

    By Lisa Vaas - April 20, 2004

      Reports of possible “super” security exploits have been swirling recently. From the Internet Storm Center at The SANS Institute on Sunday came an unconfirmed report indicating that exploits may target vulnerabilities announced by Microsoft last week.

      For insights on security coverage around the Web, check out eWEEK.com Security Center Editor Larry Seltzer's Weblog.

      There's also been an uptick in scanning of port 1981 over the past 10 days or so, according to the Storm Center report, as well as probes hitting TCP ports 2745, 1025, 3127, 6129, 5000, 80 and MS netbios.

      When it comes to database security, though, it's recent probing of port 1433 that's particularly worrisome, since, according to this report by the Storm Center, such probing may well point to a new variant of the Phatbot worm that attempts to crack ports on Microsoft SQL Server database installations.

      Phatbot, aka Gaobot, sets systems to autostart the worm at boot time, tries to turn off a computer's security software, probes network shares as it tries to spread itself and attempts to stop processes started by other worms.

      According to my colleague Larry Seltzer, editor of eWEEK.com's Security Center, Phatbot also uses a built-in client to open a connection to a specific IRC channel and await commands. Whether this IRC client has been used to forge a “botnet” of systems for use in a distributed denial-of-service (DDoS) attack is still being debated, according to Seltzer.

      I haven't yet heard exactly what tricks a Phatbot variant would pull on a SQL Server installation, and given that such a variant is just theoretical at this point, it would be conjecture to talk about it anyway. Besides, after Slammer sent the Internet reeling with its cyber-assault on SQL Server in January 2003, who wants to find out what the next SQL Server attack could do?

      But you have to wonder how vulnerable we are to such an attack. Are businesses still lagging on patch application, for example? Both Slammer and the recent Microsoft vulnerability exploits took advantage of weaknesses for which Microsoft had already issued fixes.

      Granted, the fix for Slammer was out for months before the ax fell, whereas the vulnerabilities for which Microsoft announced patches were unveiled only last week, so those two occurrences aren't necessarily comparable.

      Slammer Lessons

      At any rate, the feedback I'm getting is that, luckily, people learned their lesson from Slammer. As former PASS (Professional Association for SQL Server) board of directors member Brian Knight said to me, it was a hard lesson for many companies, but Slammer did cause them to lock down port 1433 via firewalls to Internet traffic. Knight is president of SQLServerCentral.com and chief database architect of Fidelity National Financial, in Jacksonville, Fla.

      John Pescatore, vice president and research director of Internet security for Gartner Inc., backed up what Knight told me. Gartner has seen that Slammer caused a lot of enterprises to clean up their acts around port 1433 and SQL Server, Pescatore said. If Phatbot goes after port 1433 and SQL Server, it will find far fewer targets than when Slammer was around. So for that, Slammer, you get a very begrudging thank-you.

      That doesn't let database security watchers off the hook entirely, though. A bigger issue is that it's not just SQL Server that uses those ports and is vulnerable via them. The MSDE (Microsoft SQL Server Desktop Engine) tools randomly access various ports, but very often port 1433 is what the software uses.

      Now, MSDE often winds up on PCs as part of third-party products such as project-management suites or Visual Studio, and many enterprises aren't even aware it's there, particularly since MSDE isn't a big resource hog.

      MSDE was also a problem back when enterprises were scrambling to clean up after Slammer. Knight told me that while patching some 350 SQL Server installations, he uncovered another 115 MSDE boxes that he hadn't known existed and subsequently had to patch.

      Obviously, MSDE sits on systems like a time bomb, making it imperative that enterprises make sure network firewalls and personal firewalls block those ports whenever possible.

      Do your business a favor: Do some vulnerability scanning. Make sure there are no MSDE components listening in on those ports. You can't change what port MSDE accesses, so you'll have to block it at the firewall level. If you haven't uncovered your MSDE time bombs already, do it now. Don't let a potential Phatbot variant or any other port 1433 exploit pull another Slammer on us.
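
One way to run the local check recommended above, as an added example that is not part of the original article: the Python code below parses Windows `netstat -ano` output and flags TCP listeners on port 1433 that are bound to a non-loopback address, so the owning process can be identified as SQL Server or a forgotten MSDE instance. The sample output, function names and PIDs are constructed for illustration.

```python
import ipaddress

# Constructed sample of Windows `netstat -ano` output (not from the article).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1820
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING       2044
  TCP    192.168.10.5:49211     192.168.10.9:1433      ESTABLISHED     3120
  TCP    [::]:1433              [::]:0                 LISTENING       1820
"""


def find_sql_listeners(netstat_text, ports=(1433,)):
    """Return TCP listeners on the given ports, flagging non-loopback binds."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # A listening TCP row has exactly: proto, local, foreign, state, pid.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        if not port.isdigit() or int(port) not in ports:
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and zone id
        try:
            reachable = not ipaddress.ip_address(host).is_loopback
        except ValueError:
            reachable = True  # unparseable bind address: treat as exposed
        findings.append({"local": fields[1], "pid": int(fields[4]),
                         "network_reachable": reachable})
    return findings


def pids_to_investigate(findings):
    """PIDs owning network-reachable listeners, for firewall and patch follow-up."""
    return sorted({f["pid"] for f in findings if f["network_reachable"]})


if __name__ == "__main__":
    results = find_sql_listeners(SAMPLE_NETSTAT)
    for finding in results:
        print(finding)
    print("PIDs to investigate:", pids_to_investigate(results))
```

On a real host, feed the function the captured text of `netstat -ano` and map each reported PID to its executable to see whether an unexpected MSDE install is behind the listener.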

      Editor's Note: This story was changed from its original posting to correct Brian Knight's title.

      Lisa Vaas
      Lisa Vaas is News Editor/Operations for eWEEK.com and also serves as editor of the Database topic center. Since 1995, she has also been a Webcast news show anchorperson and a reporter covering the IT industry. She has focused on customer relationship management technology, IT salaries and careers, effects of the H1-B visa on the technology workforce, wireless technology, security, and, most recently, databases and the technologies that touch upon them. Her articles have appeared in eWEEK's print edition, on eWEEK.com, and in the startup IT magazine PC Connection. Prior to becoming a journalist, Vaas experienced an array of eye-opening careers, including driving a cab in Boston, photographing cranky babies in shopping malls, selling cameras, typography and computer training. She stopped a hair short of finishing an M.A. in English at the University of Massachusetts in Boston. She earned a B.S. in Communications from Emerson College. She runs two open-mic reading series in Boston and currently keeps bees in her home in Mashpee, Mass.
