MySQL worm hits Windows systems

Databases protected by weak passwords on Windows-based machines could allow a worm to spread to several thousand systems.

Robert Lemos Staff Writer, CNET News.com
Robert Lemos
covers viruses, worms and other security threats.
Robert Lemos
2 min read
A worm that takes advantage of administrators' poor password choices has started spreading among database systems.

The malicious program, known as the "MySQL bot" or by the name of its executable code, SpoolCLL, infects computers running the Microsoft Windows operating system and open-source database known as MySQL, the Internet Storm Center said in an advisory published Thursday. Early indications suggest that more than 8,000 computers may be infected so far, said the group, which monitors network threats.

The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords. It then uses a flaw in MySQL to run another type of program, known as bot software, which then takes full control of the system.

"A long list of passwords is included with the bot, and the bot will brute-force the password," the Internet Storm Center said in its advisory.

Because it infects Windows systems running database software, the program resembles the Slammer worm, which spread widely nearly two years ago. However, unlike Slammer, a well-chosen password is protection against SpoolCLL, according to current analyses.

Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot.

The flaw used by the worm to gain control of a vulnerable system was discovered in mid-2004, and code to take advantage of the flaw was published in late December. Known as the MySQL UDF Dynamic Libray flaw, the vulnerability occurs because the database software does not do adequate security checks on user-defined functions (UDFs). It's not clear whether the bug has been fixed.

Computers taken over by the bot will attempt to connect to one of several Internet Relay Chat servers to obtain new targets and updates, the Internet Storm Center said. A survey of the IRC servers found 8,500 hosts connected, suggesting that many computers had been infected, though researchers were careful to qualify the number.

"This bot could use other mechanisms to spread," said Joe Stewart, a senior researcher at security firm LURHQ and a contributor to the Internet Storm Center analysis. "We can't say for sure that all 8,500 computers were infected by this particular exploit."