MySQL Malware Just Wants To Chat
According to a report posted on the SANS Institute's Internet Storm Center site by SANS chief technology officer Johannes Ullrich, the attacking code is a variant of an existing strain of network "bot" known as "Wootbot." This variant is especially notable, said experts, since it is one of the first to target MySQL.
As with similar types of malware, the bot runs in the background, allowing MySQL to run normally while it contacts a remote Internet Relay Chat (IRC) server for additional instructions. In the report, Ullrich states that the bot's target IRC server was busy and unable to accept new connections when researchers last attempted to contact it. On earlier attempts, the IRC server showed around 8,500 connections, all of them likely due to infected MySQL installations.
According to Ullrich, the bot includes features often found in this type of malware, including a DDoS (Distributed Denial of Service) capability, backdoor access to the server, and instructions to gather software keys and other sensitive information. Currently, however, none of these features are active; the only action the bot takes is to scan the Internet and local networks looking for vulnerable MySQL installations to infect.
The bot surfaced Wednesday, when a developer on an Australian Web forum reported an unknown application named "spoolcll.exe" that repeatedly tried to contact an IRC server in Sweden.
The bot, Ullrich noted, does not exploit a weakness in the MySQL code; rather, it carries a list of common passwords and launches a brute-force attack to access the root MySQL account. Administrators who use strong passwords, allow root access only from the local host, and apply strict firewall rules are unlikely to be compromised, he stated.
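Because the bot relies on guessing the root password rather than on a code flaw, the trace it leaves on a server is a burst of failed root logins from a remote host. The following script is an added example, not part of the article or of any SANS tooling: it parses constructed MySQL error-log lines in the classic "Access denied for user 'x'@'host'" form, flags any user/host pair with a burst of failures inside a short window, and separately lists every non-local host that tried the root account at all. The log lines, timestamps, addresses, threshold and window are all assumptions made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MySQL error-log lines. The "Access denied" notice
# format mirrors what mysqld logs on a failed login; hosts and times are
# invented for this example (203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges).
SAMPLE_LOG = """\
2005-01-27T10:00:01 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:00:04 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:00:09 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:00:15 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:00:22 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:00:30 [Note] Access denied for user 'root'@'203.0.113.5' (using password: YES)
2005-01-27T10:02:00 [Note] /usr/sbin/mysqld: ready for connections.
2005-01-27T10:03:12 [Note] Access denied for user 'app'@'localhost' (using password: YES)
2005-01-27T10:05:40 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
2005-01-27T10:14:55 [Note] Access denied for user 'root'@'198.51.100.7' (using password: YES)
"""

# Only failed-login notices are of interest; other log lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) \[Note\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)' \(using password: (?P<pw>YES|NO)\)$"
)

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_denials(log_text):
    """Return a list of (timestamp, user, host) for every access-denied line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["host"]))
    return events


def find_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map (user, host) -> peak number of failures inside any `window`,
    keeping only pairs that reached `threshold`. Both limits are assumptions
    chosen for the example; tune them to the server's normal traffic."""
    by_pair = defaultdict(list)
    for ts, user, host in events:
        by_pair[(user, host)].append(ts)

    alerts = {}
    for pair, stamps in by_pair.items():
        stamps.sort()
        start, peak = 0, 0
        # Sliding window over sorted timestamps: advance `start` until the
        # span from start to end fits inside `window`.
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[pair] = peak
    return alerts


def remote_root_hosts(events):
    """Non-local hosts that attempted the root account even once. If root is
    meant to log in only from the local host, any entry here is worth a look."""
    return sorted({host for _, user, host in events
                   if user == "root" and host not in LOCAL_HOSTS})


if __name__ == "__main__":
    evts = parse_denials(SAMPLE_LOG)
    print("burst failures:", find_bruteforce(evts))
    print("remote root attempts from:", remote_root_hosts(evts))
```

On the sample data the first pair of checks flags six root failures from 203.0.113.5 within thirty seconds, while 198.51.100.7 never crosses the burst threshold but still shows up in the remote-root list, which is the condition the article's mitigation (root only from the local host) is meant to rule out. The companion configuration check is the query `SELECT user, host FROM mysql.user WHERE user = 'root';` run on the server itself: every row whose host is anything but the local host is an account the brute-force attempt can reach.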
Unix and Linux systems running MySQL currently are not at risk from the bot.
MySQL, made by Swedish firm MySQL AB, is a popular open-source database often used to serve dynamically generated Web content or Web-based applications. According to MySQL AB, more than 5 million copies of the database are installed worldwide, including both Windows and non-Windows versions.
