Jeff,

    I wouldn't make that assumption. We've only been given limited info from the forensics done thus far. We've been told:

    - tcp/1433 was exposed.

    - A SQL Server Agent job was found because it failed.

    - It failed because it called a file, a trojan, that wasn't there.

    If tcp/1433 was the only port exposed, that means the attack came through SQL Server. Yes, by using an Agent job command shell access is easy. However, did the trojan get onto the system? If it did, how did it get there? While it could have been through SQL Agent, it could have been through xp_cmdshell as well. That would likely be my approach.

    Once the server is breached, using xp_cmdshell the trojan is pulled down immediately. Then the SQL Server Agent job is built and scheduled so that the trojan is executed periodically so it can phone home and get its next set of orders or get the command to go back to sleep. If going back to sleep means it ends its process, that makes it that much harder for it to be spotted. You're only going to see it if you happen to catch it when it's running.

    Why do that? Because attackers have gotten smart. They realize we're now looking for traffic during off-peak times. So the best time to phone home is when there's a bunch of other traffic. There's more noise, making it harder to spot the malicious traffic. If I'm not based in the same time zone as the server or I don't want to have to actively be on it, I want to schedule the phone home. SQL Agent does the trick.

    Yes, Task Scheduler could, too. However, if there are already SQL Server Agent jobs, again, the phone home command gets hidden in the noise. If I put it in Task Scheduler I've got two problems. The first is I may not get the job to run with the credentials I want. The second is there aren't a lot of Task Scheduler jobs. So there's less noise to hide the job.

    Therefore, I wouldn't rule out anything. What I've described is a pretty typical hack nowadays, whether SQL Server is part of it or not.

    K. Brian Kelley
    @kbriankelley
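A triage query for the scenario Brian describes, added here as an example and not part of his post. It lists the Agent jobs on the box whose steps leave T-SQL and touch the OS (CmdExec or PowerShell subsystem, or a step that calls xp_cmdshell), with owner, schedule state and the most recent failure message, and shows whether xp_cmdshell is currently enabled. Assumes you are connected to the suspect instance with rights to read msdb and sys.configurations (sysadmin or SQLAgentReaderRole).

```sql
-- Added example, not code from the original post.
-- 1. Is xp_cmdshell switched on? (value_in_use = 1 means enabled)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Agent job steps that can run OS commands, oldest change last.
--    A job that is scheduled, owned by an unexpected login, and
--    failing because its command file is missing matches the story above.
SELECT
    j.name                    AS job_name,
    SUSER_SNAME(j.owner_sid)  AS job_owner,
    j.enabled,
    j.date_created,
    j.date_modified,
    s.step_id,
    s.subsystem,
    LEFT(s.command, 200)      AS command_preview,
    CASE WHEN EXISTS (SELECT 1
                      FROM msdb.dbo.sysjobschedules js
                      WHERE js.job_id = j.job_id)
         THEN 1 ELSE 0 END    AS is_scheduled,
    (SELECT TOP (1) h.message
     FROM msdb.dbo.sysjobhistory h
     WHERE h.job_id = j.job_id
       AND h.step_id = s.step_id
       AND h.run_status = 0            -- 0 = failed
     ORDER BY h.run_date DESC, h.run_time DESC) AS last_failure_message
FROM msdb.dbo.sysjobs j
JOIN msdb.dbo.sysjobsteps s ON s.job_id = j.job_id
WHERE s.subsystem IN (N'CmdExec', N'PowerShell')
   OR s.command LIKE N'%xp_cmdshell%'
ORDER BY j.date_modified DESC;
```

Compare the job_owner and date_created columns against your change records; a CmdExec step created outside a change window by a login that should not own jobs is the thing to pull the full command text and job history for.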