Security threats Toolkit

MySQL worm stopped

Tags:
MySQL,
SpoolCLL,
MySpooler

Published: 31 Jan 2005 09:15 GMT

A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.

More than 8,000 Windows computers running the MySQL database were probably infected with the worm, referred to as MySpooler or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines. The program did not spread on its own, but downloaded targets from IRC servers. Those have been made inaccessible, virtually stopping the worm, said Oliver Friedrichs, senior manager for incident response at security technology maker Symantec.

"We are just seeing residual infections," Friedrichs said. "The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread."

The worm started infecting systems on Tuesday, according to Symantec's network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or hundreds of thousands compromised by Microsoft SQL Slammer, the MySQL worm is significant for a different reason: Technically, it's not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec's catalogue holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.

"We are seeing a real greying of the lines," Friedrichs said. "There is really a huge blur now between all the different kinds of threats."

Bot software represents a significant danger on the Internet because computers compromised by the programs can be controlled by an attacker, allowing anonymous assaults on Web sites, untraceable spam floods and a way for an attacker to steal data. Anyone attempting to trace back the malicious activity will merely find the compromised computer. Most users are unaware that their computer systems contain malicious software.

A group of computers controlled by bot software, known as bots or zombies, disrupted Internet service provider Akamai's network in June.

The MySQL worm, which Symantec refers to as Spybot.ivq, underscores the danger that far more of these programs will start to have an automated function for scanning for vulnerable systems and spreading to any potential victim found.

On Thursday, the company that develops the MySQL database software, MySQL AB, emphasized that the bot software spread by exploiting weak passwords and that MySQL runs with elevated privileges under Windows. The company's security team released an advisory outlining steps that MySQL administrators could use to identify infections and safeguard their systems.

The ability to use user-defined functions in MySQL is a feature, not a flaw, said Zack Urlocker, vice-president of marketing for MySQL.

"Although this vulnerability stems from users not setting a proper password or firewall on Windows, we take full responsibility in helping our users make sure they have a secure environment," Urlocker stated in an email interview. "This does appear to have been a Windows-only issue... It is unlikely to be an issue on Linux."

Unix-like systems, such as Linux and BSD, run server software, including the MySQL database, as a separate user, shielding many critical system functions from exploitation by such a worm.

A report from Next-Generation Security Software (NGSSoftware) published last July described the mechanism for exploiting Windows systems through the MySQL database's user-defined functions. Code to do just that was published on the Internet in December.

Microsoft was not immediately available for comment on whether the installation of code by exploiting MySQL's user-defined functions could be blocked on Windows.