January 27, 2005 12:54 PM PST

MySQL worm hits Windows systems

Related Stories

Seeds of destruction

January 15, 2004

A 20-year plague

November 25, 2003

Damage control

February 6, 2003
A worm that takes advantage of administrators' poor password choices has started spreading among database systems.

The malicious program, known as the "MySQL bot" or by the name of its executable code, SpoolCLL, infects computers running the Microsoft Windows operating system and open-source database known as MySQL, the Internet Storm Center said in an advisory published Thursday. Early indications suggest that more than 8,000 computers may be infected so far, said the group, which monitors network threats.

The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords. It then uses a flaw in MySQL to run another type of program, known as bot software, which then takes full control of the system.

Related feature
Password imperfect
Passwords have moved from a security measure to a security risk, Microsoft says.

"A long list of passwords is included with the bot, and the bot will brute-force the password," the Internet Storm Center said in its advisory.

Because it infects Windows systems running database software, the program resembles the Slammer worm, which spread widely nearly two years ago. However, unlike Slammer, a well-chosen password is protection against SpoolCLL, according to current analyses.

Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot.

The flaw used by the worm to gain control of a vulnerable system was discovered in mid-2004, and code to take advantage of the flaw was published in late December. Known as the MySQL UDF Dynamic Libray flaw, the vulnerability occurs because the database software does not do adequate security checks on user-defined functions (UDFs). It's not clear whether the bug has been fixed.

Computers taken over by the bot will attempt to connect to one of several Internet Relay Chat servers to obtain new targets and updates, the Internet Storm Center said. A survey of the IRC servers found 8,500 hosts connected, suggesting that many computers had been infected, though researchers were careful to qualify the number.

"This bot could use other mechanisms to spread," said Joe Stewart, a senior researcher at security firm LURHQ and a contributor to the Internet Storm Center analysis. "We can't say for sure that all 8,500 computers were infected by this particular exploit."

8 comments

Join the conversation!
Add your comment
Macintosh unaffected
I enjoy saying that
Posted by (24 comments )
Reply Link Flag
lol
MySQL is a windows database system, I hardly think mac's would ever be affected by this worm by.

But don't worry, they becoming to a mac near you soon.

lol Love saying that.

But on a serious note, do you remember when windows was reported to be the OS that viruses couldn't touch. I find it funny people saying that about Mac's OS now ;P.
Posted by simcity1976 (136 comments )
Link Flag
I too
Windows, the OS, is unaffected as well. I'm not used to saying that...
The flaw is with MySQL, so it seems that as open source gains popularity, it also gains attention, and has some of the same issues as other, larger companies.
Anyone know if this flaw exists on other platforms? The 'MySQL UDF Dynamic Libray flaw' documentation looks like Linux, but I am unsure.
Posted by catchall (245 comments )
Link Flag
According to MySQL...
this is not a bug in the software. I like MySQL, but this sounds a lot like a Microsoft answer. Oh, it's not us. Then again, maybe it's really not a flaw in the software. Expecially if doesn't effect any other os version.

Here is the link
<a class="jive-link-external" href="http://dev.mysql.com/tech-resources/articles/security_alert.html" target="_newWindow">http://dev.mysql.com/tech-resources/articles/security_alert.html</a>
Posted by System Tyrant (1453 comments )
Reply Link Flag
Well, it sort of isn't a bug,
and sort of it is. MySQL offers ways to make the connections safe. e.g. by use of SSL. If users don't use it, or choose bad passwords there is not much they can do.

However, they could add a delay time after a failed login before you could have new try. And increase that time exponentially for each consequtive failed login attempt.

This would give this kind of attacks much less chance of succeding
Posted by unoengborg (19 comments )
Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.