MySQL under attack from bot
The world’s most popular open source database is under attack from a bot. The UDF worm, so called because it uses a User Defined Function (a mechanism that allows developers to build their own customised functions), is spreading rapidly on instances of MySQL running on Windows.
The worm is exploiting security vulnerabilities on Windows to propagate. MySQL says the worm is therefore unlikely to appear on systems running Unix or Linux.
According to the SANS Internet Storm Centre, which monitors outbreaks of malware, the bot has infected several thousand systems in all. The bot appears to be a variant of ‘Wootbot’ and includes a DDoS (distributed denial of service) engine, scanners, and commands to extract information such as system stats and software registration keys from infected systems.
Once the bot has found another MySQL server on the Internet, it will attempt to authenticate itself as a ‘root user’ through brute force, using a preset list of passwords. A poorly configured server with little firewall protection and an obvious password or none will be compromised and infected with the UDF code. That machine will then attempt to log on to an IRC server to receive instructions for further propagation.
The worry is that the IRC servers used to issue instructions are being swamped, and many infected servers have not yet received commands because they have been unable to log in. The widespread popularity of MySQL means that thousands of compromised machines may be waiting to spread the bot.
MySQL and SANS ISC emphasise that the problem is not a weakness in MySQL but a weak root account. System administrators should check whether their servers are scanning for IRC servers and should beef up their passwords if they suspect them to be easily compromised.
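One way an administrator could run the connection check recommended above, as an added example that is not from the article, MySQL or SANS ISC: it reads Windows `netstat -an` style output and reports outbound IRC connections and outbound fan-out to other MySQL servers. The IRC port (6667), the fan-out limit, the function name and the sample lines are assumptions made for this example.

```python
import re

MYSQL_PORT = 3306      # default MySQL listener port
IRC_PORTS = {6667}     # assumption: conventional IRC port; the article names none
FANOUT_LIMIT = 5       # assumption: distinct remote MySQL hosts tolerated before flagging

# proto, local addr:port, foreign addr:port, state
LINE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)", re.M)

# Constructed sample in Windows `netstat -an` layout (not captured from a real host).
SAMPLE = "\n".join([
    "  TCP    0.0.0.0:3306      0.0.0.0:0            LISTENING",
    "  TCP    10.0.0.5:3306     192.0.2.10:51234     ESTABLISHED",   # inbound client
    "  TCP    10.0.0.5:1042     198.51.100.7:6667    SYN_SENT",      # outbound IRC attempt
] + [
    f"  TCP    10.0.0.5:{1100 + i}     203.0.113.{i}:3306     SYN_SENT"  # outbound MySQL fan-out
    for i in range(1, 8)
])


def audit(netstat_text):
    """Return outbound IRC peers and outbound MySQL targets seen in netstat output."""
    irc_peers, mysql_targets = set(), set()
    for _local, _lport, remote, rport, state in LINE.findall(netstat_text):
        if state == "LISTENING":
            continue  # listeners have no remote peer
        rport = int(rport)
        if rport in IRC_PORTS:
            irc_peers.add(remote)
        elif rport == MYSQL_PORT:
            # Remote port 3306 means this host is acting as a MySQL client.
            mysql_targets.add(remote)
    return {
        "irc_peers": sorted(irc_peers),
        "mysql_targets": sorted(mysql_targets),
        "scanning": len(mysql_targets) > FANOUT_LIMIT,
    }


if __name__ == "__main__":
    report = audit(SAMPLE)
    print("Outbound IRC peers:", report["irc_peers"])
    print("Outbound MySQL targets:", len(report["mysql_targets"]))
    print("Fan-out above limit:", report["scanning"])
```

A database server normally has no reason to open IRC sessions or to connect to many unrelated MySQL servers, so either result is worth investigating alongside a review of the root account password.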