
By Robert Lemos, News.com
Posted on ZDNet News: Jan 27, 2005 8:54:00 PM

A worm that takes advantage of administrators' poor password choices has started spreading among database systems.

The malicious program, known as the "MySQL bot" or by the name of its executable code, SpoolCLL, infects computers running the Microsoft Windows operating system and the open-source database known as MySQL, the Internet Storm Center said in an advisory published Thursday. Early indications suggest that more than 8,000 computers may be infected so far, said the group, which monitors network threats.

The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords. It then uses a flaw in MySQL to run another type of program, known as bot software, which then takes full control of the system.


"A long list of passwords is included with the bot, and the bot will brute-force the password," the Internet Storm Center said in its advisory.

Because it infects Windows systems running database software, the program resembles the Slammer worm, which spread widely nearly two years ago. However, unlike with Slammer, a well-chosen password protects against SpoolCLL, according to current analyses.
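For administrators who want to see whether their own server is being subjected to the password guessing described above, the following added example (not part of the original article or the Internet Storm Center advisory) counts failed logins for the administrative account per source host and flags bursts. The "Access denied" text is MySQL's standard failed-login message; the timestamp layout, the account name `root`, the threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the article); timestamp prefix is assumed.
_MSG = "Access denied for user '{u}'@'{h}' (using password: YES)"
SAMPLE_LOG = "\n".join(
    [f"2005-01-27 20:01:{s:02d} " + _MSG.format(u="root", h="203.0.113.7")
     for s in range(1, 7)]                      # six guesses in six seconds
    + ["2005-01-27 20:01:07 " + _MSG.format(u="backup", h="203.0.113.7"),
       "2005-01-27 09:15:00 " + _MSG.format(u="root", h="198.51.100.20"),
       "2005-01-27 10:15:00 " + _MSG.format(u="root", h="198.51.100.20")]
)

DENIED = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) .*Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?:YES|NO)\)"
)

def find_guessing_sources(log_text, threshold=5, window=timedelta(seconds=60),
                          account="root"):
    """Return {host: peak failures inside one window} for hosts >= threshold."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = DENIED.match(line)
        if m and m.group("user") == account:   # only the admin account counts
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            failures[m.group("host")].append(ts)

    flagged = {}
    for host, times in failures.items():
        times.sort()
        start = best = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[host] = best
    return flagged

if __name__ == "__main__":
    for host, count in find_guessing_sources(SAMPLE_LOG).items():
        print(f"{host}: {count} failed root logins within 60s")
```

The two failures from 198.51.100.20 are an hour apart and stay below the threshold, which is how an occasional mistyped password is kept out of the result.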

Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot.

The flaw used by the worm to gain control of a vulnerable system was discovered in mid-2004, and code to take advantage of the flaw was published in late December. Known as the MySQL UDF Dynamic Library flaw, the vulnerability occurs because the database software does not do adequate security checks on user-defined functions (UDFs). It's not clear whether the bug has been fixed.

Computers taken over by the bot will attempt to connect to one of several Internet Relay Chat servers to obtain new targets and updates, the Internet Storm Center said. A survey of the IRC servers found 8,500 hosts connected, suggesting that many computers had been infected, though researchers were careful to qualify the number.

"This bot could use other mechanisms to spread," said Joe Stewart, a senior researcher at security firm LURHQ and a contributor to the Internet Storm Center analysis. "We can't say for sure that all 8,500 computers were infected by this particular exploit."
