MySQL worm spread halted

A worm exploiting weak database passwords on Windows computers had essentially stopped spreading on Friday, after the systems infected with the program were cut off from the control of several central computers.

More than 8,000 Windows computers running the MySQL database were probably infected with the worm, referred to as MySpool or by the name of the executable file, SpoolCLL, that the worm installs on vulnerable machines. The program did not spread on its own, but downloaded targets from IRC servers. Oliver Friedrichs, senior manager for incident response at security technology maker Symantec, said those have been made inaccessible, virtually stopping the worm.

"We are just seeing residual infections," Friedrichs said. "The worm cannot connect to those servers, so it has lost its control channel. Without those commands, the worm is not going to be able to spread."

The worm started infecting systems on Tuesday, according to Symantec's network of sensors.

While the thousands of compromised systems hardly compare to the millions of systems infected by MSBlast or hundreds of thousands compromised by Microsoft SQL Slammer, the MySQL worm is significant for a different reason: technically, it's not a worm, but an example of bot software, designed to infect and control computers. Such programs are numerous (Symantec's catalogue holds more than 6,500) and, as the MySQL worm demonstrates, can easily be turned into programs that spread widely.

"We are seeing a real greying of the lines," Friedrichs said. "There is really a huge blur now between all the different kinds of threats."

Bot software represents a significant danger on the internet because computers compromised by the programs can be controlled by an attacker, allowing anonymous assaults on websites, untraceable spam floods and a way for an attacker to steal data. Anyone attempting to trace back the malicious activity will merely find the compromised computer. Most users are unaware that their computer systems contain malicious software.

A group of computers controlled by bot software, known as bots or zombies, disrupted internet service provider Akamai's network in June.

The MySQL worm, which Symantec refers to as Spybot.ivq, underscores the danger that far more of these programs will start to have an automated function for scanning for vulnerable systems and spreading to any potential victim found.

On Thursday, the company that develops the MySQL database software, MySQL AB, emphasised that the bot software spread by exploiting weak passwords and that MySQL runs with elevated privileges under Windows. The company's security team released an advisory outlining steps that MySQL administrators could use to identify infections and safeguard their systems.

Zack Urlocker, vice president of marketing for MySQL, said the ability to use user-defined functions in MySQL is a feature, not a flaw.

"Although this vulnerability stems from users not setting a proper password or firewall on Windows, we take full responsibility in helping our users make sure they have a secure environment," Urlocker stated in an email interview. "This does appear to have been a Windows-only issue... It is unlikely to be an issue on Linux."

Unix-like systems, such as Linux and BSD, run server software, including the MySQL database, as a separate user, shielding many critical system functions from exploitation by such a worm.

A report from Next-Generation Security Software (NGSSoftware) published last July described the mechanism for exploiting Windows systems through the MySQL database's user-defined functions. Code to do just that was published on the internet in December.

Microsoft was not immediately available for comment on whether the installation of code by exploiting MySQL's user-defined functions could be blocked on Windows.