Worm hijacks open source database

Thousands of poorly protected Windows machines running MySQL are being infected with a worm which could facilitate a massive denial-of-service attack
Written by Dan Ilett, Contributor

Security experts have warned that thousands of Windows machines running MySQL around the world could be press-ganged into launching a denial-of-service attack that could bring down the Web site of a company the size of Microsoft.

A worm, dubbed MySpool by security organisation SANS, is spreading rapidly amongst the MySQL user base. It automatically exploits MySQL servers and subsequently infects Windows systems when triggered by an Internet Relay Chat (IRC) server located in Sweden.

Malware monitoring company Prevx has been watching the worm spread on the Internet since the first sighting on Tuesday. According to MySQL there are around five million installations of the open source database globally.

MySpool is thought to be recruiting thousands of machines for a potential denial-of-service attack which work by using compromised computers acting cooperatively to flood a target with data and disable it. Cyberciminals used the threat of such attacks to blackmail several high-profile online betting companies last year.

Earlier today, Prevx said the network of infected computers was increasing by a hundred a minute and had grown big enough to execute a denial-of-service attack that could bring down a company of Microsoft's size.

"This uses a new vulnerability on MySQL," said Jacques Erasmus, a security consultant for Prevx. "This is a zero-day exploit that infects machines using SQL injections. It is focussed on corporate users not home users. It's spread quite fast. I think as MySQL is popular, it would be wise not have them deployed in front of Web servers. That's fairly common sense, but lots of people don't know that."

Although experts are still unclear on exactly how the infection mechanism works, machines running almost all versions of MySQL accepting inbound connections from hosts on application port 3306 are said to be vulnerable.

MySpool, which runs a file called spoolcll.exe, enters MySQL servers through a SQL injection vulnerability, copies itself to the directory: "%systemdrive%\appl\develop\mysql\data\" and gives itself a random eight-character file name. When the programme is run from a remote IRC server, it randomly reassigns ports and starts a Trojan, allowing hackers to access computers and listen to traffic. It then performs an IP scan looking for other computers to infect and begins another process of SQL injections.

Security researcher Secunia said it is still researching the worm but the vulnerability the worm exploited looked new.

SANS is still researching the worm, but has advised administrators not to expose any MySQL servers to unsolicited connections and to block port 3306.

At the time of writing, neither Symantec, Trend Micro, McAfee, Kaspersky, F-Secure or Sophos had posted information about spoolcll.exe on their Web sites.

Update: Since this story was published, security experts have reported that MySpooler only affects Windows machines running MySQL with poor password protection for root access.

Editorial standards