
January 28, 2005 1:40 PM PST

MySQL worm halted

A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.

More than 8,000 Windows computers running the MySQL database were probably infected with the worm program, referred to as the MySQL bot worm or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines. The program did not pick its own targets; it received lists of addresses to attack from several Internet relay chat (IRC) servers that served as its command channel. Those servers have been made inaccessible, virtually stopping the worm, said Oliver Friedrichs, senior manager for incident response at security technology maker Symantec.

"We are just seeing residual infections," Friedrichs said. "The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread."

The worm started infecting systems on Tuesday, according to Symantec's network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or the hundreds of thousands compromised by SQL Slammer, which hit Microsoft SQL Server, the MySQL worm is significant for a different reason: Technically, it's not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec's catalog holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.

"We are seeing a real graying of the lines," Friedrichs said. "There is really a huge blur now between all the different kinds of threats."

Bot software represents a significant danger on the Internet because computers compromised by the programs can be controlled by an attacker, allowing anonymous assaults on Web sites, untraceable spam floods and a way for an attacker to steal data. Anyone attempting to trace back the malicious activity will merely find the compromised computer. Most users are unaware that their computer systems contain malicious software.

A group of computers controlled by bot software, known as bots or zombies, disrupted Internet service provider Akamai's network in June.

The MySQL worm, which Symantec refers to as Spybot.ivq, underscores the danger that far more of these programs will start to have an automated function for scanning for vulnerable systems and spreading to any potential victim found.

On Thursday, the company that develops the MySQL database software, MySQL AB, emphasized that the bot software spread by exploiting weak passwords and that MySQL runs with elevated (system-level) privileges under Windows, so code loaded into the database server runs with those same privileges. The company's security team released an advisory outlining steps that MySQL administrators could use to identify infections and safeguard their systems.

The ability to use user-defined functions (UDFs), which let an administrator extend the server by loading a shared library, is a feature of MySQL, not a flaw, said Zack Urlocker, vice president of marketing for MySQL. The bot abused it only after logging in as a privileged account with a weak or missing password.

"Although this vulnerability stems from users not setting a proper password or firewall on Windows, we take full responsibility in helping our users make sure they have a secure environment," Urlocker stated in an e-mail interview. "This does appear to have been a Windows-only issue...It is unlikely to be an issue on Linux."

Unix-like systems, such as Linux and BSD, typically run server software, including the MySQL database, as a dedicated unprivileged user, so that a compromise of the database does not by itself hand the attacker control of the rest of the system.

A report from Next-Generation Security Software (NGSSoftware) published in July 2004 described the mechanism for exploiting Windows systems through the MySQL database's user-defined functions. Code to do just that was published on the Internet in December 2004.
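As an added example, not code from the article or from MySQL AB's advisory, the following statements show the two things an administrator would check after this outbreak and the hardening that closes the conditions the bot relied on: a privileged account reachable over the network with a weak or empty password, and the ability to register a UDF that loads an arbitrary library. Column names are those of the MySQL 4.x/5.0 grant tables in use at the time; the function name suspect_udf and the passphrase are placeholders, not the worm's actual artifacts.

```sql
-- Added example: identify a UDF-based infection and harden the server.
-- Run as an administrative user. Grant-table column names are MySQL 4.x/5.0;
-- later releases rename mysql.user.password to authentication_string and
-- drop the SET PASSWORD ... = PASSWORD() syntax.

-- 1. Identify infections. Every UDF registered with CREATE FUNCTION ... SONAME
--    is a row in mysql.func, and `dl` is the library the server was told to
--    load. On a server where no UDF was ever installed deliberately, any row
--    here is suspect.
SELECT * FROM mysql.func;

-- Remove a function you did not install. The name comes from the query above;
-- 'suspect_udf' is a placeholder.
DROP FUNCTION suspect_udf;

-- 2. Find the accounts the bot could have logged in with: empty passwords,
--    anonymous users, and root accounts reachable from hosts other than localhost.
SELECT user, host, password
  FROM mysql.user
 WHERE password = ''
    OR user = ''
    OR (user = 'root' AND host <> 'localhost');

-- 3. Safeguard: set a password on root, remove anonymous accounts, and confine
--    root to local connections, then reload the grant tables.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('choose-a-strong-passphrase');
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host <> 'localhost';
FLUSH PRIVILEGES;

-- 4. Registering a UDF requires the INSERT privilege on the mysql database
--    (CREATE FUNCTION writes the mysql.func row), and the FILE privilege lets a
--    client write files, such as a library, onto the server's disk. Application
--    accounts should hold neither. List who does:
SELECT user, host, insert_priv, file_priv
  FROM mysql.user
 WHERE insert_priv = 'Y' OR file_priv = 'Y';
```

Two settings outside SQL complete the picture: in my.ini under [mysqld], bind-address=127.0.0.1 (or skip-networking) keeps port 3306 off external interfaces when only local clients need it, and on Windows the service should run under a dedicated low-privilege account rather than the default system account, so that a library loaded through a UDF does not inherit system-level rights.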

Microsoft was not immediately available for comment on whether the installation of code by exploiting MySQL's user-defined functions could be blocked on Windows.

3 comments
port 3306 does not require root
by Dachi January 28, 2005 3:44 PM PST
But most services run on ports under 1024 and do require root. This is an example of why requiring root privileges to run on ports below 1024 is not necessarily a more secure design.
Not quite correct
by Johnny Mnemonic January 29, 2005 1:39 AM PST
Since these are ports reserved for privileged services they require "root" to bind to the port, but the services are not required to run "as" root. In other words, a properly designed daemon (service) must initiate as root to bind to, say, port 80 "http" but can serve requests with limited privileges. Most well designed servers run "chrooted" to limit file system access. One exception in the past was sendmail, which had security problems when a buffer overflow issue gave you root access. These issues are easily avoided by limiting privileges. A good design would be something like Apache that follows this rule.
Port binding
by Not Bugged January 31, 2005 8:33 AM PST
Some Linux distributions, Debian is one of them, will not enable binding to external interfaces by default. The server will only bind to the loopback address (127.0.0.1), or in the case of services like X which support UNIX domain sockets, a unix domain socket will be used. This, as well as the reduction in privilege and requirement to create a password on installation, gives increased security by default.