MySQL worm attacks Windows servers
Batten down the hatches
A worm exploiting vulnerable installations of MySQL to take over Windows servers began spreading across the net yesterday. The MySpooler worm takes advantage of weak administrative passwords to log onto target systems before using the MySQL UDF Dynamic Library exploit to upload malicious code (a backdoor program called Wootbot).
Compromised systems log onto an IRC channel, becoming drones in a zombie network currently programmed to hunt for fresh victims. Intrusion firm PrevX reckons the worm infected 4,500 systems per hour in the early hours of its outbreak, a rapid spread evidenced by an upsurge in port 3306 scans associated with the worm.
The MySQL open source database is available in Unix and Windows flavours but only Windows machines running MySQL 4.0.21 or later are been exploited in the attack. The SANS Institute has put together an analysis of the malware along with suggested defence strategies. Blocking port 3306 on firewalls, restricting access to root accounts and making sure strong passwords resistant to brute force attack are all strongly recommended. ®