Manage updates with the Download App
January 27, 2005 12:54 PM PST
MySQL worm hits Windows systems
- Related Stories
-
Seeds of destruction
January 15, 2004 -
A 20-year plague
November 25, 2003 -
Damage control
February 6, 2003
The malicious program, known as the "MySQL bot" or by the name of its executable code, SpoolCLL, infects computers running the Microsoft Windows operating system and open-source database known as MySQL, the Internet Storm Center said in an advisory published Thursday. Early indications suggest that more than 8,000 computers may be infected so far, said the group, which monitors network threats.
The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords. It then uses a flaw in MySQL to run another type of program, known as bot software, which then takes full control of the system.
Password imperfect
"A long list of passwords is included with the bot, and the bot will brute-force the password," the Internet Storm Center said in its advisory.
Because it infects Windows systems running database software, the program resembles the Slammer worm, which spread widely nearly two years ago. However, unlike Slammer, a well-chosen password is protection against SpoolCLL, according to current analyses.
Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot.
The flaw used by the worm to gain control of a vulnerable system was discovered in mid-2004, and code to take advantage of the flaw was published in late December. Known as the MySQL UDF Dynamic Libray flaw, the vulnerability occurs because the database software does not do adequate security checks on user-defined functions (UDFs). It's not clear whether the bug has been fixed.
Computers taken over by the bot will attempt to connect to one of several Internet Relay Chat servers to obtain new targets and updates, the Internet Storm Center said. A survey of the IRC servers found 8,500 hosts connected, suggesting that many computers had been infected, though researchers were careful to qualify the number.
"This bot could use other mechanisms to spread," said Joe Stewart, a senior researcher at security firm LURHQ and a contributor to the Internet Storm Center analysis. "We can't say for sure that all 8,500 computers were infected by this particular exploit."
8 comments
Join the conversation! Add your comment
But don't worry, they becoming to a mac near you soon.
lol Love saying that.
But on a serious note, do you remember when windows was reported to be the OS that viruses couldn't touch. I find it funny people saying that about Mac's OS now ;P.
The flaw is with MySQL, so it seems that as open source gains popularity, it also gains attention, and has some of the same issues as other, larger companies.
Anyone know if this flaw exists on other platforms? The 'MySQL UDF Dynamic Libray flaw' documentation looks like Linux, but I am unsure.
Here is the link
<a class="jive-link-external" href="http://dev.mysql.com/tech-resources/articles/security_alert.html" target="_newWindow">http://dev.mysql.com/tech-resources/articles/security_alert.html</a>
However, they could add a delay time after a failed login before you could have new try. And increase that time exponentially for each consequtive failed login attempt.
This would give this kind of attacks much less chance of succeding