Skip-2.0 Malware Impacts SQL Server - Should I Be Worried?
By: K. Brian Kelley | Updated: 2019-10-24
I've read recently that there's a new piece of malware that's been named skip-2.0 and it targets SQL Server. What exactly is it, where did it come from, and how do I protect myself against it?
This new piece of malware, skip-2.0, does target SQL Server. Specifically, it targets SQL Server versions 11 and 12, which correspond to the names SQL Server 2012 and SQL Server 2014 respectively. Therefore, if you're only running SQL Server 2016 or higher, you're not affected by skip-2.0 (yet another reason to upgrade).
How Does skip-2.0 Work?
Skip-2.0 uses a technique called DLL hooking. DLL hooking, at a high level, is where a piece of software intercepts calls to a DLL and routes them to its own functions. In this particular case, skip-2.0 intercepts certain calls to sqllang.dll. Specifically, skip-2.0 intercepts the calls around authenticating a SQL-based login. SQL-based logins have password hashes stored within SQL Server. Therefore, this authentication is handled by SQL Server, not passed off to the OS. This is why skip-2.0 targets sqllang.dll.
When skip-2.0 intercepts the authentication attempt, it checks to see whether a particular password has been used. ESET, the security firm that reported skip-2.0, calls it a "magic password," because that is effectively what it is. Regardless of the user account specified, if you use this particular password, you are logged in. In other words, you don't have to know the login's actual password. You can simply log in as any user using that one magic password.
There's more, of course. Skip-2.0 also hooks the functions around event logging. By doing so, it can hide the connection. Therefore, if you use the magic password not only do you log in, but your login doesn't appear within SQL Server. You're a ghost.
How Does skip-2.0 Get On My System?
Before I answer that question, it's important to understand the typical attack methodology. Here's what that looks like:
- Scan for Vulnerabilities / Access
- Gain Access
- Escalate Privileges (if necessary)
- Maintain Access
- Cover Tracks
In order for skip-2.0 to perform the hooks to sqllang.dll, it requires administrative rights on the server. That means your server is already compromised before skip-2.0 shows up. In reality, what skip-2.0 does within the methodology is accomplish the last two steps, Maintain Access and Cover Tracks. With administrative rights, the adversary has already gained access. What skip-2.0 does is allow the adversary to maintain that access, at least with respect to SQL Server, and keep you from finding out about it.
What this means is that we're not dealing with an attack like SQL Slammer or the various worms that we've seen attack the OS which don't require special privileges. An adversary has to gain administrative rights and then install skip-2.0. As a result, there's no real reason to panic over skip-2.0. If the adversary is able to deploy skip-2.0, that means some other vulnerability was already attacked and used. That's where the concern should be.
Who Is Responsible for skip-2.0?
ESET has attributed skip-2.0 to a cyberespionage group operating out of China known as the Winnti Group. There are similarities in how skip-2.0 works and how it is packaged compared with previously known malware from this same group. In fact, ESET was looking for instances of one of those other pieces of malware when it found skip-2.0.
How Do You Protect Against skip-2.0?
Given that skip-2.0 requires administrative rights, that means a system compromise is required for an adversary to put it in place. Therefore, you don't need to do anything special just because of skip-2.0. What you're concerned about are the typical things:
- If your servers aren't properly patched.
- If there are other exploitable vulnerabilities or insecure configurations that shouldn't be there.
- If an account gets compromised which has administrative rights to the server.
Properly secured and patched servers are your best bet for protecting yourself against skip-2.0. Secondary auditing and reporting functions and agents help as well. For instance, if you have processes that alert on unexpected logins to a system, that may catch the initial compromise of the server.
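Because skip-2.0 hides the login inside SQL Server's own event logging, the one place the hidden session still leaves a trace is outside the instance: the TCP connection to the SQL port is visible to a firewall or flow log that the attacker's hooks cannot touch. The script below is an added example, not code from the article or from ESET, that cross-checks constructed flow-log lines against constructed SQL Server login audit records and reports connections to the SQL port with no matching login record; the record formats, IP addresses and five-second matching window are assumptions.

```python
"""Cross-check SQL Server login audit records against connection records
captured outside SQL Server (for example a firewall or flow log).
Added example; the record formats and sample values are constructed."""
from datetime import datetime, timedelta

# Constructed flow-log lines: time,src_ip,dst_ip,dst_port
FLOW_LOG = """\
2019-10-20T02:14:05,10.0.0.5,10.0.0.20,1433
2019-10-20T02:15:40,10.0.0.7,10.0.0.20,1433
2019-10-20T02:16:02,10.0.0.9,10.0.0.20,445
2019-10-20T03:01:11,10.0.0.31,10.0.0.20,1433
"""

# Constructed SQL Server login audit records: time,client_ip,login
# (the 03:01 connection above has no record, as a hidden login would look)
SQL_AUDIT = """\
2019-10-20T02:14:06,10.0.0.5,app_svc
2019-10-20T02:15:41,10.0.0.7,report_ro
"""


def parse_csv(text):
    """Split simple comma-separated lines into lists of fields."""
    return [line.split(",") for line in text.splitlines() if line.strip()]


def find_unaudited_connections(flow_text, audit_text, sql_port="1433", window_s=5):
    """Return (time, src_ip) for every connection to the SQL port that has
    no login audit record from the same client within window_s seconds."""
    audits = [(datetime.fromisoformat(t), ip) for t, ip, _login in parse_csv(audit_text)]
    gaps = []
    for t, src, _dst, port in parse_csv(flow_text):
        if port != sql_port:
            continue  # not a connection to SQL Server
        conn_time = datetime.fromisoformat(t)
        matched = any(ip == src and abs(at - conn_time) <= timedelta(seconds=window_s)
                      for at, ip in audits)
        if not matched:
            gaps.append((t, src))
    return gaps


if __name__ == "__main__":
    for t, src in find_unaudited_connections(FLOW_LOG, SQL_AUDIT):
        print(f"{t}: connection from {src} to the SQL port with no login audit record")
```

A connection that failed before the login handshake also produces no audit record, so treat each hit as a lead to investigate rather than proof of compromise, and ship both the flow log and the SQL audit to a host the server's administrators cannot alter.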
What If I Think skip-2.0 Is On My SQL Server?
In short, the only way to get back to a server you can trust is by building a new SQL Server, securing it properly, and restoring the databases to it. Given that skip-2.0 targets SQL Server 2012 and 2014, if you also upgrade to SQL Server 2016 or 2017 (at the time this article was written, SQL Server 2019 hadn't released yet), then the current skip-2.0 that's in the wild can't attack these newer versions.
You could upgrade SQL Server, which would render skip-2.0 ineffective. However, the issue is that the server was already compromised by some other means, and that vulnerability is likely still there. Also, if I were the attacker, I would deploy additional means to maintain access. That's the problem with a compromised server: you can never be sure you can trust it again.
Short of that, there hasn't been published information on removing skip-2.0 safely. Likely there will be some information forthcoming at some point, but given that Winnti targets gaming and software development companies primarily, it's probably not going to be quick in coming. Even if you have to temporarily continue to run on the compromised server, go ahead and build the new box, using the newest version of SQL Server, and make sure it's properly protected. Then switch over as soon as you can.
It has been a while since we've seen something directly attack SQL Server. That's probably why skip-2.0 is making the rounds more than it probably should. The key thing to remember is that by the time skip-2.0 shows up, the system is already compromised. The attacker already has the ability to do whatever he or she wants on the system. Therefore, there isn't anything to do on the SQL Server side. It's about properly managing and securing your systems in general.
- You can read ESET's write-up of skip-2.0.
- Visit the MITRE ATT&CK knowledge base to read about the Winnti Group.
- Learn from other SQL Server security tips to try and harden your system as much as possible.