SECURITY

MySQL Attack Signals 'Bot' Trouble


A "bot" -- a piece of malicious software that can spread and function much like a computer virus or worm -- is seizing on vulnerable MySQL database software running on Windows systems to spread and scan for new victims.

While the reach of the MySQL Bot, also known as the Spool CLC, is limited by the relatively small number of Windows machines running MySQL, it managed to infect nearly 10,000 machines in its initial outbreak, according to security experts.

The bot was the basis of an advisory from the SANS Institute's Internet Storm Center, which reported that the malware relies on the MySQL UDF (user-defined function) dynamic library technique, gaining entry by "brute force" guessing of database passwords. Once connected, the bot creates a table, writes an executable into the table, and then creates a MySQL function to load and run itself.
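The sequence SANS describes (password guessing, then a table used to drop a library, then a UDF registered from it) leaves a recognisable trail in the MySQL general query log. The following detection script is an added example, not part of the original article or the SANS advisory; the log excerpt, host addresses, table and file names in it are constructed placeholders, and the line format is a simplified form of the general log.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified general-query-log style (not a real capture):
# "<yymmdd HH:MM:SS> <thread_id> <command> <argument>"; hosts and file names are placeholders.
SAMPLE_LOG = """\
050127 09:14:01 12 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
050127 09:14:01 13 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
050127 09:14:02 14 Connect Access denied for user 'root'@'203.0.113.7' (using password: YES)
050127 09:14:03 15 Connect root@203.0.113.7 on mysql
050127 09:14:04 15 Query CREATE TABLE t_blob (line BLOB)
050127 09:14:04 15 Query INSERT INTO t_blob VALUES (0x4D5A9000)
050127 09:14:05 15 Query SELECT line FROM t_blob INTO DUMPFILE 'C:/WINDOWS/udf_payload.dll'
050127 09:14:05 15 Query CREATE FUNCTION udf_run RETURNS INTEGER SONAME 'udf_payload.dll'
050127 09:14:06 15 Query SELECT udf_run('C:/WINDOWS/payload.exe')
050127 10:02:11 16 Connect webapp@10.0.0.4 on shop
050127 10:02:11 16 Query SELECT id FROM orders WHERE id = 1
"""
LINE_RE = re.compile(r"^(\d{6} \d\d:\d\d:\d\d) (\d+) (\w+) (.*)$")
DENIED_RE = re.compile(r"Access denied for user '[^']*'@'([^']+)'")
DUMPFILE_RE = re.compile(r"\bINTO\s+DUMPFILE\b", re.I)
UDF_RE = re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)

def parse(log):
    """Return (timestamp, thread_id, command, argument) tuples, skipping unparseable lines."""
    rows = (LINE_RE.match(line.strip()) for line in log.splitlines())
    return [(datetime.strptime(m[1], "%y%m%d %H:%M:%S"), m[2], m[3], m[4]) for m in rows if m]

def detect_bruteforce(events, threshold=3, window=timedelta(seconds=60)):
    """Source hosts with >= threshold failed logins inside any `window`-long span (log is chronological)."""
    denied = defaultdict(list)
    for ts, _, cmd, arg in events:
        m = DENIED_RE.search(arg)
        if cmd == "Connect" and m:
            denied[m[1]].append(ts)
    return [h for h, t in denied.items()
            if any(t[i + threshold - 1] - t[i] <= window for i in range(len(t) - threshold + 1))]

def detect_udf_load(events):
    """Threads registering a UDF from a shared library; 'dumpfile+udf' when the same connection
    first wrote a file with INTO DUMPFILE (the write-executable-into-table-then-load pattern)."""
    dumped, hits = set(), []
    for _, thread, cmd, arg in events:
        if cmd == "Query" and DUMPFILE_RE.search(arg):
            dumped.add(thread)
        elif cmd == "Query" and UDF_RE.search(arg):
            hits.append((thread, "dumpfile+udf" if thread in dumped else "udf"))
    return hits
```

On a server where no UDFs are expected, any `CREATE FUNCTION ... SONAME` is worth an alert on its own; the `dumpfile+udf` pairing in the same connection is the stronger signal that the library was delivered through SQL rather than installed by an administrator.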

Plant and Spread

Once the bot has infected a system, SANS said, it attempts to connect to a number of Internet Relay Chat (IRC) servers, which at the time of the SANS posting were busy and unable to accept new connections. However, the security group said that its last check indicated about 8,500 hosts were connected to the bot's IRC servers.

SANS said the bot would then use the IRC servers to scan random Internet protocol (IP) addresses for MySQL server installations.

The bot is a version of "Wootbot" and apparently includes usual bot features such as a distributed denial of service (DDoS) engine, various scanners, and commands to solicit information -- system stats, software registration keys and other data -- from infected systems.

SANS said the bot also featured an FTP server and a "backdoor" for control, and that it appeared to be listening on a number of different ports.

Bot Business

Ken Dunham, director of malicious code intelligence at iDefense, told TechNewsWorld the MySQL bot was part of a growing family of backdoor programs that are appearing alongside a variety of new software exploits.

"Like a lot of different bots, it's not just one thing," Dunham said. "It's very powerful."

The analyst said the MySQL bot reflected a worsening security situation, driven by a growing number of software vulnerabilities and by the profit motive behind attacks.

According to Dunham, the attackers might be stealing information such as software keys and passwords to sell to piracy groups, or perhaps are themselves involved in piracy. There is also the possibility of "bot armies," groups of 10,000-30,000 compromised systems that are used for various types of attacks, as well as for sending spam.

"They are getting the exploit codes that are out there," Dunham said of the attackers. "It's very opportunistic. They're just saying, 'I'm going to throw in there whatever I can get here or there,' and they're doing it with success. They've got this down to a business."

Ammunition Adds Up

Dunham speculated the bot outbreak might be an effort by piracy groups to get software activation codes and passwords. He added that it is not difficult for attackers to assemble a variety of exploits that have multiple ways of successfully compromising computers.

"It's all functional against Windows, so why not just copy and paste and you're done," he said. "These guys are ready and armed."

The bots and attacks are likely to continue, given the number of vulnerabilities and unprotected machines. "We will see a rash of these multiple version [bots] occurring," he said. "There's a lot of firepower out there."

By Jay Lyman