
Bot infects thousands of MySQL PCs

by Robert Jaques

28 Jan 2005


Security experts have discovered a malicious automated bot designed to attack and take over vulnerable installations of the popular MySQL database running on Windows.

According to a warning from the Internet Storm Center (ISC) on the website of IT security watchdog SANS Institute, the bot has infected a "few thousand systems so far". The ISC identified it as a version of 'Wootbot'.

"It appears to include the usual set of bot features, like a distributed denial of service engine, various scanners, and commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server and a backdoor," said the ISC.

The bot uses the 'MySQL UDF Dynamic Library Exploit', but to launch it the malicious code must first authenticate to MySQL as the 'root' user, so it carries a long word list with which it brute-forces the root password.

"Once connected, the bot will create a table called 'bla' using the database 'mysql', which is typically used to store administrative information like passwords, and is part of every MySQL install. The only field in this database is a binary large object named 'line'," the ISC warning stated.

"Once the table is created, the executable is written into the table using an insert statement. The content is then written to a file called 'app_result.dll' using 'select * from bla into dumpfile app_result.dll'. The 'bla' table is dropped once the file is created."

After successfully infecting a system, the bot attempts to connect to one of several IRC servers on port 5002 or 5003 using dynamic DNS so that the IP addresses are not constant.

IT and network managers are advised to set a strong password on the root account, restrict access to root as far as is practically possible, and apply firewall rules to block the ports used by the malicious code.

A one-page cheat sheet explaining how to set up passwords and disable network access in MySQL is available from the SANS Institute.
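The infection sequence quoted from the ISC (a single-BLOB table in the 'mysql' database, an INSERT, a SELECT ... INTO DUMPFILE to a .dll, then a DROP) and the brute-force login attempts that precede it both leave traces in MySQL's own logs, and the mitigation advice above (strong root password, root confined to local access) can be checked against the mysql.user table. The script below is an added example written for this page; it is not code from the article, the ISC or MySQL. The log lines and account rows are constructed samples that approximate the general query log, the error log and a `SELECT host, user, password FROM mysql.user` result; the function names and the "high/medium" severity labels are this example's own choices.

```python
"""Detection and audit helpers for the MySQL bot behaviour described above."""
import re
from collections import Counter, defaultdict

# Constructed sample lines approximating MySQL's general query log:
# "<timestamp> <thread id> <command> <argument>". Thread 12 mirrors the
# staging sequence the ISC describes; thread 13 is ordinary traffic.
SAMPLE_GENERAL_LOG = [
    "050128 10:15:02\t12 Connect\troot@203.0.113.7 on mysql",
    "050128 10:15:02\t12 Query\tCREATE TABLE bla (line BLOB)",
    "050128 10:15:03\t12 Query\tINSERT INTO bla VALUES (0x4d5a9000)",
    "050128 10:15:03\t12 Query\tSELECT * FROM bla INTO DUMPFILE 'app_result.dll'",
    "050128 10:15:03\t12 Query\tDROP TABLE bla",
    "050128 10:16:40\t13 Connect\tapp@localhost on shop",
    "050128 10:16:41\t13 Query\tSELECT id, name FROM products WHERE id = 7",
    "050128 10:17:02\t13 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/orders.csv'",
]

# Constructed sample lines approximating the error log during password guessing.
SAMPLE_ERROR_LOG = [
    f"050128 10:14:{50 + i:02d} [Warning] Access denied for user 'root'@'203.0.113.7' (using password: YES)"
    for i in range(6)
] + ["050128 10:20:01 [Warning] Access denied for user 'root'@'192.0.2.9' (using password: YES)"]

# Constructed (host, user, password) rows; "*HASH" stands in for a real password hash.
SAMPLE_USER_ROWS = [
    ("localhost", "root", "*HASH"),
    ("%", "root", ""),                 # root reachable from anywhere, no password
    ("localhost", "app", "*HASH"),
]

LOG_LINE = re.compile(r"^(?:\d{6} \d\d:\d\d:\d\d)?\s*(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
FILE_WRITE = re.compile(r"INTO\s+(DUMPFILE|OUTFILE)\s+'([^']+)'", re.I)
CREATE_BLOB = re.compile(r"CREATE\s+TABLE\s+`?(\w+)`?\s*\(\s*`?\w+`?\s+(?:LONG|MEDIUM|TINY)?BLOB\s*\)", re.I)
SELECT_FROM = re.compile(r"FROM\s+`?(\w+)`?", re.I)
DROP_TABLE = re.compile(r"DROP\s+TABLE\s+`?(\w+)`?", re.I)
ACCESS_DENIED = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")

BINARY_EXTENSIONS = (".dll", ".exe", ".so")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def queries_by_thread(lines):
    """Group the Query arguments of a general log by connection thread."""
    per_thread = defaultdict(list)
    for line in lines:
        m = LOG_LINE.match(line)
        if m and m.group("cmd") == "Query":
            per_thread[m.group("thread")].append(m.group("arg"))
    return per_thread


def find_file_writes(lines):
    """One alert per SELECT ... INTO DUMPFILE/OUTFILE; a binary target rates 'high'."""
    alerts = []
    for thread, queries in queries_by_thread(lines).items():
        for q in queries:
            w = FILE_WRITE.search(q)
            if w:
                kind, path = w.groups()
                severity = "high" if path.lower().endswith(BINARY_EXTENSIONS) else "medium"
                alerts.append({"thread": thread, "kind": kind.upper(), "path": path, "severity": severity})
    return alerts


def find_staging_sequences(lines):
    """Flag a thread that creates a single-BLOB table, dumps it to disk and drops it."""
    hits = []
    for thread, queries in queries_by_thread(lines).items():
        blob_tables, dumped = set(), {}
        for q in queries:
            c = CREATE_BLOB.search(q)
            if c:
                blob_tables.add(c.group(1).lower())
                continue
            w, f = FILE_WRITE.search(q), SELECT_FROM.search(q)
            if w and f and f.group(1).lower() in blob_tables:
                dumped[f.group(1).lower()] = w.group(2)
                continue
            d = DROP_TABLE.search(q)
            if d and d.group(1).lower() in dumped:
                hits.append({"thread": thread, "table": d.group(1), "path": dumped[d.group(1).lower()]})
    return hits


def find_password_guessing(lines, threshold=5):
    """Count 'Access denied' entries per (user, source host); report those at or over threshold."""
    failures = Counter()
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            failures[(m.group(1), m.group(2))] += 1
    return {k: n for k, n in failures.items() if n >= threshold}


def audit_root_accounts(user_rows):
    """Report root accounts with no password or reachable from a non-local host."""
    findings = []
    for host, user, password in user_rows:
        if user != "root":
            continue
        if not password:
            findings.append(f"root@{host} has no password")
        if host not in LOCAL_HOSTS:
            findings.append(f"root@{host} accepts network logins")
    return findings


if __name__ == "__main__":
    for alert in find_file_writes(SAMPLE_GENERAL_LOG):
        print("file write:", alert)
    for hit in find_staging_sequences(SAMPLE_GENERAL_LOG):
        print("staging sequence:", hit)
    print("password guessing:", find_password_guessing(SAMPLE_ERROR_LOG))
    print("root audit:", audit_root_accounts(SAMPLE_USER_ROWS))
```

Run against the constructed samples, the script flags the DUMPFILE write to app_result.dll as high severity, recognises thread 12's create/dump/drop sequence, reports six failed root logins from one source address, and lists the root@% account as both passwordless and network-reachable, while the legitimate OUTFILE export and the single failure from the second host stay below the alert threshold.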
