You are here: silicon.com > Software > Malware

Malware

Virus hijacks open source servers

Could bring down 'company the size of Microsoft...'

Tags: myspool, prevx, mysql

By Dan Ilett

Published: 28 January 2005 08:40 GMT

Security experts have warned that thousands of MySQL servers around the world could be press-ganged into launching a denial-of-service (DoS) attack that could bring down the website of a company the size of Microsoft.

A worm, dubbed MySpool by security organisation SANS, is spreading rapidly among the MySQL user base. It automatically exploits MySQL servers and subsequently infects Windows systems when triggered by an Internet Relay Chat (IRC) server located in Sweden.

Malware monitoring company Prevx has been watching the worm spread on the internet since the first sighting on Tuesday. According to MySQL there are around five million installations of the open source database globally.

MySpool is thought to be recruiting thousands of machines for a potential DoS attack. Such attacks work by using compromised computers acting cooperatively to flood a target with data and disable it. Cyberciminals used the threat of DoS attacks to blackmail several high-profile online betting companies last year.

Earlier today, Prevx said the network of infected computers was increasing by 100 per minute and had grown big enough to execute a DoS attack that could bring down a company of Microsoft's size.

Jacques Erasmus, a security consultant for Prevx, said: "This uses a new vulnerability on MySQL. This is a zero-day exploit that infects machines using SQL injections. It is focused on corporate users not home users. It's spread quite fast. I think as MySQL is popular, it would be wise not have them deployed in front of web servers. That's fairly common sense, but lots of people don't know that."

Although experts are still unclear on exactly how the infection mechanism works, machines running almost all versions of MySQL accepting inbound connections from hosts on application port 3306 are said to be vulnerable.

MySpool, which runs a file called spoolcll.exe, enters MySQL servers through a SQL injection vulnerability, copies itself to the directory: "%systemdrive%\appl\develop\mysql\data\" and gives itself a random eight-character file name. When the programme is run from a remote IRC server, it randomly reassigns ports and starts a Trojan, allowing hackers to access computers and listen to traffic. It then performs an IP scan looking for other computers to infect and begins another process of SQL injections.

Security researcher Secunia said it is still researching the worm but that the vulnerability the worm exploited looked new.

SANS is still researching the worm, but has advised administrators not to expose any MySQL servers to unsolicited connections and to block port 3306.

At the time of writing, neither Symantec, Trend Micro, McAfee, Kaspersky, F-Secure or Sophos had posted information about spoolcll.exe on their websites.

Dan Ilett writes for ZDNet UK.

  1. Zones
  2. Management
  3. Networks
  4. Software
  5. IT Services
  6. Hardware
  1. Verticals
  2. Public Sector
  3. Financial Services
  4. Retail & Leisure

  • Jobs
PHP, MYSQL OOP Developer, Large Travel Operator, Kent

PHP, MYSQL, OOP Developers for a very large and well known tour operator based in Kent, 20 mins out of Waterloo. The successful candidates for this ...

Internet Operations Analysts

Working alongside and sharing ideas with similar experts. Our targets use of computers has become smarter, more varied and agile. Internet Operations ...

Systems Administrator (London Knowledge Lab)

You will need experience in server management and maintaining a Content Management System, access to networked services and the desktop machines used ...

CIO50 2008
The silicon.com CIO50 2008 profiles the most influential and innovative tech chiefs in the UK across all industries and organisation size, from the biggest FTSE100 companies to high growth dot-com start ups and the public sector. The list was voted on by the UK CIO community and a panel of experts. Find out more in our latest special report.





Quick Sitemap Links: