SQL Server Troubleshooting: How to remove new MrbMiner malware
Introduction
You may have heard that Tencent Security has released a report (written in Chinese) describing new malware named "MrbMiner" that attacks SQL Server instances exposed to the Internet whose passwords can be brute-forced.
I came across one of these cases myself (the original discussion is in Russian), and I would like to share how to remove the malware, which re-creates itself in the system every 2 minutes.
The malware body itself is stored inside the database rather than on disk, which is why file-based antivirus does not detect it.
I have already submitted the malicious code that we managed to export to several antivirus laboratories, including Microsoft (submitted: Dec 13, 2020 2:41:59 PM).
Solution:
1) You need to back up your databases first.
2) You need to disable all unknown accounts on the database server (in this case a login named Default).
Note: Leave at least one account with administrator rights enabled, otherwise you will lock yourself out.
3) Please check if the following procedure exists:
sp_sql_management
Check also for the following functions:
GetVersion
MasterProfiler
ProgramStatus
SqlManagement
SqlManagementStatus
TaskProgramStatus
And the following assembly:
Microsoft.SqlServer.Management
4) If they are present and you are sure that they are malicious, run the following T-SQL script to remove them. The order matters: the procedure and functions are backed by the assembly, so SQL Server will refuse to drop the assembly while any of them still exist.
USE [master]
GO
-- Drop the CLR stored procedure first
DROP PROCEDURE [dbo].[sp_sql_management]
GO
-- Then the CLR functions that reference the assembly
DROP FUNCTION [GetVersion]
DROP FUNCTION [MasterProfiler]
DROP FUNCTION [ProgramStatus]
DROP FUNCTION [SqlManagement]
DROP FUNCTION [SqlManagementStatus]
DROP FUNCTION [TaskProgramStatus]
GO
-- Only now can the assembly itself be dropped
DROP ASSEMBLY [Microsoft.SqlServer.Management]
GO
5) In some cases it is also necessary to restart the SQL Server service so that any malicious code still loaded in memory is terminated.
6) Make sure you have installed the updates described in MS16-136, CVE-2020-0618 and CVE-2019-1068.
7) Also, don't forget to change all passwords, including sa.
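The script below is an added example written for this article; it is not part of the original post or of any tool. It generalizes steps 2 to 4: instead of trusting the exact object names that this particular infection used, it inventories every user-loaded CLR assembly and every object that depends on one, hashes the assembly bytes so they can be sent to an antivirus lab, lists recently created logins, and then drops the dependents and the assembly in the correct order. The assembly name Microsoft.SqlServer.Management and the login Default are the ones found in this case; substitute whatever the inventory queries show on your server. HASHBYTES over a varbinary(max) requires SQL Server 2016 or later (an assumption about your version).

```sql
-- Added example, not from the original post. Run in SSMS as a sysadmin.
USE [master];
GO

-- Step 0: the malware needs CLR integration; if this is 1 and you never enabled it,
-- that alone is suspicious.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'clr enabled';

-- Step 1: every assembly a user loaded, with a SHA-256 of its bytes for AV submission.
SELECT a.name, a.permission_set_desc, a.create_date, a.modify_date,
       f.name AS file_name,
       CONVERT(varchar(64), HASHBYTES('SHA2_256', f.content), 2) AS sha256
FROM sys.assemblies a
JOIN sys.assembly_files f ON f.assembly_id = a.assembly_id
WHERE a.is_user_defined = 1;

-- Step 2: every procedure/function that is backed by a CLR assembly
-- (PC = CLR procedure, FS = CLR scalar function, FT = CLR table function).
SELECT o.name, o.type_desc, o.create_date,
       a.name AS assembly_name, m.assembly_class, m.assembly_method
FROM sys.assembly_modules m
JOIN sys.objects    o ON o.object_id   = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
ORDER BY o.create_date DESC;

-- Step 3: SQL and Windows logins, newest first, so an unexpected one stands out.
SELECT name, type_desc, create_date, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U')
ORDER BY create_date DESC;

-- Step 4: disable the backdoor login (name from this case; adjust to what step 3 shows).
IF EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'Default')
    ALTER LOGIN [Default] DISABLE;

-- Step 5: drop everything that references the malicious assembly, then the assembly.
-- Dependents are discovered dynamically so renamed objects are not missed.
DECLARE @assembly sysname = N'Microsoft.SqlServer.Management';  -- name from this case
DECLARE @sql nvarchar(max) = N'';

SELECT @sql += N'DROP '
             + CASE o.type WHEN 'PC' THEN N'PROCEDURE ' ELSE N'FUNCTION ' END
             + QUOTENAME(SCHEMA_NAME(o.schema_id)) + N'.' + QUOTENAME(o.name)
             + N';' + CHAR(10)
FROM sys.assembly_modules m
JOIN sys.objects    o ON o.object_id   = m.object_id
JOIN sys.assemblies a ON a.assembly_id = m.assembly_id
WHERE a.name = @assembly
  AND o.type IN ('PC', 'FS', 'FT');   -- CLR triggers (TA) / aggregates (AF) need DROP TRIGGER/AGGREGATE

IF @sql <> N''
BEGIN
    PRINT @sql;                 -- review the generated statements in the Messages tab
    EXEC sys.sp_executesql @sql;
END;

IF EXISTS (SELECT 1 FROM sys.assemblies WHERE name = @assembly)
BEGIN
    DECLARE @drop nvarchar(max) = N'DROP ASSEMBLY ' + QUOTENAME(@assembly) + N';';
    PRINT @drop;
    EXEC sys.sp_executesql @drop;
END;
GO
```

Run steps 0 to 3 first and read the output before executing steps 4 and 5; legitimate applications also load CLR assemblies, so drop only what you have confirmed is malicious. After the drop, re-run the step 2 query a few minutes later: if the objects reappear, something outside the database (a job, a scheduled task or a session that is still open) is re-creating them, and step 5 of the article, restarting the service and then rotating the passwords, is still required.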