Virus hijacks open source servers

Security experts have warned that thousands of MySQL servers around the world could be press-ganged into launching a denial-of-service (DoS) attack that could bring down the website of a company the size of Microsoft.

A worm, dubbed MySpool by security organisation SANS, is spreading rapidly among the MySQL user base. It automatically exploits MySQL servers and subsequently infects Windows systems when triggered by an Internet Relay Chat (IRC) server located in Sweden.

Malware monitoring company Prevx has been watching the worm spread on the internet since the first sighting on Tuesday. According to MySQL there are around five million installations of the open source database globally.

MySpool is thought to be recruiting thousands of machines for a potential DoS attack. Such attacks work by using compromised computers acting cooperatively to flood a target with data and disable it. Cyberciminals used the threat of DoS attacks to blackmail several high-profile online betting companies last year.

Earlier today, Prevx said the network of infected computers was increasing by 100 per minute and had grown big enough to execute a DoS attack that could bring down a company of Microsoft's size.

Jacques Erasmus, a security consultant for Prevx, said: "This uses a new vulnerability on MySQL. This is a zero-day exploit that infects machines using SQL injections. It is focused on corporate users not home users. It's spread quite fast. I think as MySQL is popular, it would be wise not have them deployed in front of web servers. That's fairly common sense, but lots of people don't know that."

Although experts are still unclear on exactly how the infection mechanism works, machines running almost all versions of MySQL accepting inbound connections from hosts on application port 3306 are said to be vulnerable.

MySpool, which runs a file called spoolcll.exe, enters MySQL servers through a SQL injection vulnerability, copies itself to the directory: "%systemdrive%\appl\develop\mysql\data\" and gives itself a random eight-character file name. When the programme is run from a remote IRC server, it randomly reassigns ports and starts a Trojan, allowing hackers to access computers and listen to traffic. It then performs an IP scan looking for other computers to infect and begins another process of SQL injections.

Security researcher Secunia said it is still researching the worm but that the vulnerability the worm exploited looked new.

SANS is still researching the worm, but has advised administrators not to expose any MySQL servers to unsolicited connections and to block port 3306.

At the time of writing, neither Symantec, Trend Micro, McAfee, Kaspersky, F-Secure or Sophos had posted information about spoolcll.exe on their websites.

Dan Ilett writes for ZDNet UK.