Government issues MySpool alert

The National Infrastructure Security Co-ordination Centre (NISCC) has issued an alert over the MySpool worm, which threatens Windows servers with weak passwords for root access to MySQL.

NISCC, which was set up to minimise risk to the UK's critical national infrastructure from electronic attacks, posted the warning on its web ite after its Australian counterpart AusCERT alerted users to the worm. It highlighted that the worm's most destructive feature is its potential ability to facilitate massive distributed-denial-of-service attacks.

NISCC warned: "AusCERT has become aware of a new worm currently exploiting MySQL on Windows systems. The worm infects systems using an automated attack on weak passwords for the MySQL 'root' account."

"MySQL administrators are encouraged to apply the mitigation steps below as soon as possible to prevent infection. Non-Windows MySQL systems are not targeted by this worm, but are vulnerable to the same attack if MySQL is running as root," the Centre added.

MySpool is thought to be recruiting thousands of machines for distributed-denial-of-service attacks, which use compromised computers that act cooperatively to disable target machines by flooding them with data.

Although US-based security organisation SANS also has posted warnings about the worm, antivirus companies have said the worm is not a major concern because they have seen many similar worms before.

Sophos has recognised the worm as a variant of a worm nicknamed Forbot. The company said that aside from spreading across the internet, the worm also attempts to create a collective network which would allow remote hackers to launch a distributed denial-of-service attack from infected computers.

"We didn't think it was too important because we've seen before," said Mikko Hyppönen, director of antivirus research for F-Secure. "But it is more important than many others because MySQL is common and many machines connect to internet. Their typical use is databases for the web. They shouldn't really accept incoming connections, but some administrators will forget about that. So it will probably be successful in finding poorly maintained systems."

• Change to a stronger password for MySQL's "root" account.
• Configure MySQL to only accept "root" account connections from the local host.
These two steps can be implemented using the MySQL 4.1 Server Instance Configuration Wizard. Under "Modify Security Settings", input a strong password and also select "Root may only connect from localhost".
• Run MySQL as an unprivileged user. This is possible under Windows with MySQL 4.0.17 and higher, and MySQL 4.1.2 and higher.
• Block connections from the internet to MySQL by adding a firewall rule blocking inbound traffic to port 3306.