MySQL Attack Signals ‘Bot’ Trouble

A “bot” — a piece of malicious software that can spread and function much like a computer virus orworm — is seizing on vulnerable MySQL database software running on Windows systems to spread and scan for newvictims.

While the MySQL Bot, also known as the Spool CLC, is mitigated by the limited number of Windows machinesrunning MySQL, it managed to infect nearly 10,000 machines with an initial breakout, according to security experts.

The bot was the basis of an advisory from the SANS Institute’s Internet Storm Center, which indicated the malware was using the UDF Dynamic Library exploit to attack, employing a “brute force” password-breaking method of entry into systems. Once connected, the bot creates a table, writes an executable into the table, and then creates a MySQL function to load and run itself.

Plant and Spread

Once the bot has infected a system, SANS said, itattempts to connect to a number of Internet Relay Chat(IRC) servers, which at the time of the SANS posting were busy and unable to acceptnew connections.However, the security group said that its lastcheck indicated about 8,500 hosts were connected tothe bot’s IRC servers.

SANS said the bot would then use the IRC servers toscan random Internet protocol (IP) addresses for MySQLserver installations.

The bot is a version of”Wootbot” and apparently includes usual bot featuressuch as a distributed denial of service (DDoS) engine,various scanners, and commands to solicit information — system stats, softwareregistration keys and other data –from infected systems.

SANS said the bot also featured an FTP server and a”backdoor” for control, and that it appeared to be listeningon a number of different ports.

Bot Business

Ken Dunham, iDefense director of malicious code intelligence, told TechNewsWorld the MySQL bot was part of agrowing family of backdoor software programs that areappearing alongside a variety of new softwareexploits.

“Like a lot of different bots, it’s not just onething,” Dunham said. “It’s very powerful.”

The analyst said the MySQLbot was reflective of aworsening security situation that was beingperpetuated by increased software vulnerabilities as well as by profit motive for attacks.

According to Dunham, the attackers might be stealing information such as software keys andpasswords to sell to piracy groups, or perhaps are themselves involved in piracy. There is also the possibility of “bot armies,” groups of 10,000-30,000 compromised systems that are used for various types of attacks, as well as for sending spam.

“They are getting the exploit codes that are outthere,” Dunham said of the attackers. “It’s very opportunistic. They’rejust saying, ‘I’m going to throw in there whatever Ican get here or there,’ and they’re doing it withsuccess. They’ve got this down to a business.”

Ammunition Adds Up

Dunham speculated the bot outbreak might be an effort by piracy groups to get software activation codes and passwords. He added that it is not difficult for attackers to assemble a variety of exploits that have multiple ways of successfully compromising computers.

“It’s all functional against Windows, so why notjust copy and paste and you’re done,” he said. “Theseguys are ready and armed.”

The bots andattacks are likely to continue, given the number ofvulnerabilities and unprotected machines.”We will see a rash of these multiple version[bots] occurring,” he said. “There’s a lot offirepower out there.”

Leave a Comment

Please sign in to post or reply to a comment. New users create a free account.

Technewsworld Channels