Table of Contents

Introduction

You may have heard of the following that Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of "MrbMiner" on SQL Server instances exposed to the Internet with passwords that can be brute-forced.

I managed to come across one of these cases(written in Russian), and I would like to share with you how to remove the malware that is restored in the system every 2 minutes.

The malware itself is stored in the database and because of this antiviruses cannot detect it.

I have already sent the malicious code that we managed to export to some antivirus laboratories, including Microsoft (Submitted: Dec 13, 2020 2:41:59 PM).

Solution:

1) You need to back up your databases first.

2) You need to disable all unknown accounts on the database server (i.e. Default).

Note: Leave at least one account with administrator rights enabled.

3) Please check if the following procedure exists:

sp_sql_management

Check also for the following functions:

GetVersion
MasterProfiler
ProgramStatus
SqlManagement
SqlManagementStatus
TaskProgramStatus

And the following assembly:

Microsoft.SqlServer.Management

4) If they are present and you are sure that they are malicious, then run the following T-SQL script to remove them:

USE [master]
GO
DROP PROCEDURE [dbo].[sp_sql_management]
GO
DROP FUNCTION [GetVersion]
DROP FUNCTION [MasterProfiler]
DROP FUNCTION [ProgramStatus]
DROP FUNCTION [SqlManagement]
DROP FUNCTION [SqlManagementStatus]
DROP FUNCTION [TaskProgramStatus]
GO
DROP ASSEMBLY [Microsoft.SqlServer.Management]
GO

5) In some cases, it is also necessary to reload the SQL Server service to close all processes in the memory.

6) Make sure you have installed the updates according to this article: MS16-136CVE-2020-0618 and CVE-2019-1068
7) Also, don't forget to change all passwords.