Worm currently exploiting MySQL on Windows

Posted by akamu on 2005-03-17 00:38:39 (7822 views)

UNIRAS (UK Gov CERT) Advisory Type: Alert Id: 20050128-00078 Ref: 09/2005 Date: 28 January 2005 Time: 09:10 Abstract: The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor". Vendors affected: Microsoft Operating Systems affected: Windows Applications/Services affected: MySQL Impact: Denial of service

Detail ====== The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor". AL-2005.002 -- AUSCERT ALERT New worm currently exploiting MySQL on Windows 28 January 2005 Product: MySQL Operating System: Windows Impact: Administrator Compromise Distributed Denial of Service Access: Remote/Unauthenticated SUMMARY: AusCERT has become aware of a new worm currently exploiting MySQL on Windows systems. The worm infects systems using an automated attack on weak passwords for the MySQL "root" account. MySQL administrators are encouraged to apply the mitigation steps below as soon as possible to prevent infection. Non-Windows MySQL systems are not targeted by this worm, but are vulnerable to the same attack if MySQL is running as root. IMPACT: The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor". spoolcll.exe connects to one of several IRC servers to receive instructions for further action. It also sets up three listening ports which we have observed to be on UDP port 69 and TCP ports 2314 and 2311, though these ports can vary. The trojan can be commanded to launch distributed denial of service attacks, remotely control the infected host, scan blocks of IP addresses and infect further vulnerable systems. The malicious executable installed by this worm is detected by several antivirus products as a variant of Wootbot. MITIGATION: o Change to a stronger password for MySQL's "root" account. o Configure MySQL to only accept "root" account connections from the local host. These two steps can be implemented using the MySQL 4.1 Server Instance Configuration Wizard. Under "Modify Security Settings", input a strong password and also select "Root may only connect from localhost". o Run MySQL as an unprivileged user. This is possible under Windows with MySQL 4.0.17 and higher, and MySQL 4.1.2 and higher. o Block connections from the internet to MySQL by adding a firewall rule blocking inbound traffic to port 3306. REFERENCES: [1] SANS Handler's Diary January 27 2005 http://isc.sans.org/diary.php?date=2005-01-27

Comments

by Nuance

on Thursday, March 17, 2005 (02:17:47)

Another Window's worm-- why does this not surprise me?

by Jeruvy

on Monday, April 11, 2005 (13:45:29)

Note: The infector (worm) is detected as "WOOTBOT". This is a know rootkit infector.

From Trend Micro:

This is Trend Micro's generic detection for unknown forms of the WOOTBOT worms.

To propagate, WOOTBOT worms are known to exploit the LSASS vulnerability present on Windows systems. The said vulnerability is a buffer overrun vulnerability that allows remote code execution, present on Windows systems. Once this vulnerability is successfully exploited, a malicious user is able to gain full control over the target system.

Reply Anonymous ( Login | Register )