Ninja strikes back

by James Middleton

22 Nov 2001

The ninja Trojan discovered earlier this month may now be attacking Microsoft SQL Server systems.

Experts suggest that someone somewhere is building a network of zombie machines that could be used en masse in a distributed denial of service attack.

An advisory released yesterday by SecurityFocus Attack Registry and Intelligence Services (ARIS) warned of "a new hybrid tool that combines distributed denial of service (DDoS) tools, with the automated propagation techniques previously seen only in worms".

The tool propagates by attacking incorrectly configured SQL servers with System Administrator accounts using a blank password.

The advisory said yesterday that ARIS had "identified a rapidly growing network of controlled agents or 'bots', increasing 600 per cent in the last 6 hours".

Apparently the tool, named 'Voyager Alpha Force', is a modified and enhanced version of the DDoS tool, 'Kaiten', and is manually controlled over an IRC network. Once installed, the program may display worm-like tendencies by using the host to scan for other vulnerable machines.

Other analysis from security experts on the SecurityFocus mailing list found that the program connects to an IRC server at bots.kujikiri.net to receive instructions. The word 'kujikiri', a method of esoteric teaching used by the ninja, was also used by the Linux-infecting Limpninja Trojan to identify its commanding IRC channel.

When Limninja emerged a few weeks ago, security watchers suggested that hackers were building an army of compromised machines with the potential to cause a devastating distributed denial of service attack.

It's possible that the same person or persons are responsible for building both a Linux version and a Windows version of a Trojan, to create a huge cross-platform army of zombies.

As a precaution, SecurityFocus recommends that admins running Microsoft SQL Server verify that the System Administrator 'sa' account does not have a blank password, and use a firewall to block ports 1433 and 6669.
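
An added example, not part of the original article or the SecurityFocus advisory: a firewall-log check built on the two ports in that recommendation, flagging SQL Server exposure, outbound port 6669 traffic and 1433 fan-out from internal hosts. The log format, the 10.0.0.0/8 internal range, the scan threshold and the reading of 6669 as the bot's IRC port are assumptions, and the log lines are constructed.

```python
import ipaddress
from collections import defaultdict

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
SQL_PORT, IRC_PORT = 1433, 6669                 # the two ports named in the recommendation
SCAN_THRESHOLD = 3                              # assumed: distinct 1433 targets that count as scanning

# Constructed sample log, format assumed: "time src dst dport action"
SAMPLE_LOG = """\
2001-11-22T10:00:01 203.0.113.9 10.0.0.5 1433 ALLOW
2001-11-22T10:00:09 10.0.0.5 198.51.100.20 6669 ALLOW
2001-11-22T10:00:15 10.0.0.5 192.0.2.1 1433 ALLOW
2001-11-22T10:00:15 10.0.0.5 192.0.2.2 1433 ALLOW
2001-11-22T10:00:16 10.0.0.5 192.0.2.3 1433 DENY
2001-11-22T10:01:00 203.0.113.9 10.0.0.7 1433 DENY
2001-11-22T10:02:00 10.0.0.8 10.0.0.5 1433 ALLOW
garbage line
"""

def parse(text):
    """Yield (src, dst, dport, action) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            yield (ipaddress.ip_address(parts[1]), ipaddress.ip_address(parts[2]),
                   int(parts[3]), parts[4].upper())
        except ValueError:
            continue

def analyze(text, threshold=SCAN_THRESHOLD):
    """Return {internal_host: sorted list of findings}."""
    findings = defaultdict(set)
    sql_targets = defaultdict(set)
    for src, dst, dport, action in parse(text):
        src_in, dst_in = src in INTERNAL, dst in INTERNAL
        if dport == SQL_PORT and dst_in and not src_in and action == "ALLOW":
            findings[str(dst)].add("sql-exposed")   # 1433 reachable from outside
        if dport == IRC_PORT and src_in and not dst_in:
            findings[str(src)].add("irc-6669")      # outbound attempt, even if denied
        if dport == SQL_PORT and src_in:
            sql_targets[str(src)].add(dst)          # denied attempts count too
    for host, targets in sql_targets.items():
        if len(targets) >= threshold:
            findings[host].add("sql-scan")          # fan-out consistent with scanning
    return {h: sorted(f) for h, f in findings.items()}

if __name__ == "__main__": print(analyze(SAMPLE_LOG))
```

A host that shows all three findings matches the sequence the article describes: reachable on 1433, then talking to port 6669, then probing other SQL servers.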
