Worm currently exploiting MySQL on Windows
Posted by akamu
UNIRAS (UK Gov CERT)
Advisory Type: Alert
Id: 20050128-00078 Ref: 09/2005 Date: 28 January 2005 Time: 09:10
Abstract: The worm installs a malicious trojan executable spoolcll.exe in the System32 directory. spoolcll.exe is installed as a new service "Event Monitor".
Vendors affected: Microsoft
Operating Systems affected: Windows
Applications/Services affected: MySQL
Impact: Denial of service
Detail
======
The worm installs a malicious trojan executable spoolcll.exe in the
System32 directory. spoolcll.exe is installed as a new service "Event
Monitor".
AL-2005.002 -- AUSCERT ALERT
New worm currently exploiting MySQL on Windows
28 January 2005
Product: MySQL
Operating System: Windows
Impact: Administrator Compromise / Distributed Denial of Service
Access: Remote/Unauthenticated
SUMMARY:
AusCERT has become aware of a new worm currently exploiting MySQL on
Windows systems. The worm infects systems using an automated attack on
weak passwords for the MySQL "root" account.
MySQL administrators are encouraged to apply the mitigation steps
below as soon as possible to prevent infection.
Non-Windows MySQL systems are not targeted by this worm, but are
vulnerable to the same attack if MySQL is running as root.
IMPACT:
The worm installs a malicious trojan executable spoolcll.exe in the
System32 directory. spoolcll.exe is installed as a new service
"Event Monitor".
spoolcll.exe connects to one of several IRC servers to receive
instructions for further action. It also sets up three listening
ports which we have observed to be on UDP port 69 and TCP ports 2314
and 2311, though these ports can vary.
The trojan can be commanded to launch distributed denial of service
attacks, remotely control the infected host, scan blocks of IP
addresses and infect further vulnerable systems.
The malicious executable installed by this worm is detected by
several antivirus products as a variant of Wootbot.
MITIGATION:
o Change to a stronger password for MySQL's "root" account.
o Configure MySQL to only accept "root" account connections from the
local host.
These two steps can be implemented using the MySQL 4.1 Server
Instance Configuration Wizard. Under "Modify Security Settings",
input a strong password and also select "Root may only connect
from localhost".
o Run MySQL as an unprivileged user. This is possible under Windows
with MySQL 4.0.17 and higher, and MySQL 4.1.2 and higher.
o Block connections from the internet to MySQL by adding a firewall
rule blocking inbound traffic to port 3306.
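The first two mitigation steps, done directly against the grant tables instead of through the Configuration Wizard, as an added example that is not part of the AusCERT advisory. It assumes a MySQL 4.0/4.1 server, a session already authenticated as root from the server console, and that the placeholder password is replaced before running.

```sql
-- Added example (not from the advisory): audit and harden MySQL "root"
-- accounts against password-guessing worms like the one described above.
-- Assumed: MySQL 4.0/4.1, run from the mysql client on the server itself.

-- 1. Audit: root accounts reachable from somewhere other than the local
--    host, or with no password at all. Either condition is what the
--    worm's automated guessing relies on.
SELECT User, Host,
       IF(Password = '', 'EMPTY PASSWORD', 'set') AS pw_state
FROM   mysql.user
WHERE  User = 'root'
  AND (Password = '' OR Host NOT IN ('localhost', '127.0.0.1'));

-- 2. Remove remote root entries. A row such as ('root', '%') is what
--    lets an internet host attempt the guess in the first place.
DELETE FROM mysql.user
WHERE  User = 'root'
  AND  Host NOT IN ('localhost', '127.0.0.1');

-- 3. Set a strong password on the remaining local root account.
--    <REPLACE-WITH-STRONG-PASSWORD> is a placeholder for a long,
--    randomly generated value.
SET PASSWORD FOR 'root'@'localhost'
    = PASSWORD('<REPLACE-WITH-STRONG-PASSWORD>');
-- If a 'root'@'127.0.0.1' row survived step 1, give it the same
-- treatment with a second SET PASSWORD FOR 'root'@'127.0.0.1' ... .

-- 4. Beyond the advisory's list: drop the anonymous accounts (empty
--    User) that a default install creates, since they need no password.
DELETE FROM mysql.user WHERE User = '';

-- 5. Apply the grant-table changes without restarting the server.
FLUSH PRIVILEGES;

-- 6. Re-run the audit; it should now return no rows.
SELECT User, Host
FROM   mysql.user
WHERE  User = 'root'
  AND (Password = '' OR Host NOT IN ('localhost', '127.0.0.1'));
```

Step 6 returning rows means a remote or password-less root account still exists and the server remains exposed to the same attack.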
REFERENCES:
[1] SANS Handler's Diary January 27 2005
http://isc.sans.org/diary.php?date=2005-01-27
Comments
Another Windows worm-- why does this not surprise me?
Note: The infector (worm) is detected as "WOOTBOT". This is a known rootkit infector.
From Trend Micro:
This is Trend Micro's generic detection for unknown forms of the WOOTBOT worms.
To propagate, WOOTBOT worms are known to exploit the LSASS vulnerability present on Windows systems. The said vulnerability is a buffer overrun vulnerability that allows remote code execution, present on Windows systems. Once this vulnerability is successfully exploited, a malicious user is able to gain full control over the target system.