MySQL Malware Just Wants To Chat

Security experts are tracking a new malware variant, targeting the MySQL open-source database, which has likely infected thousands of Windows systems.

According to a report posted on the SANS Institute's Internet Storm Center site by SANS chief technology officer Johannes Ullrich, the attacking code is a variant of an existing strain of network "bot" known as "Wootbot." This variant is especially notable, said experts, since it is one of the first to target MySQL.

As with similar types of malware, the bot runs in the background, allowing MySQL to run normally while it contacts a remote Internet Relay Chat (IRC) server for additional instructions. In the report, Ullrich states that the bots' target IRC server was busy and unable to accept new connections when researchers last attempted to contact it. On earlier attempts, the IRC server showed around 8,500 connections, all of them likely due to infected MySQL installations.

According to Ullrich, the bot includes features often found in this type of malware, including a DDoS (Distributed Denial of Service) capability, backdoor access to the server, and instructions to gather software keys and other sensitive information. Currently, however, none of these features are active; the only action the bot takes is to scan the Internet and local networks looking for vulnerable MySQL installations to infect.

The bot surfaced Wednesday, when a developer on an Australian Web forum reported an unknown application named "spoolcll.exe" that repeatedly tried to contact an IRC server in Sweden.

The bot, Ullrich noted, does not exploit a weakness in the MySQL code; rather, it carries a list of common passwords and launches a brute-force attack to access the root MySQL account. Administrators who use strong passwords, allow root access only from the local host, and apply strict firewall rules are unlikely to be compromised, he stated.
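As an added example, not from the article or from SANS, the following Python check implements two of the defensive points Ullrich makes: it counts failed root logins from remote hosts in MySQL error-log lines and lists root accounts whose host grant is anything other than the local host. The log lines, the user rows and the alert threshold are constructed for the sample; the error-log line format is an assumption about what a server emits for denied logins.

```python
import re
from collections import Counter

# Constructed sample lines in the shape of MySQL error-log "Access denied" warnings
# (assumed format; five rapid root failures from one remote host, plus two benign lines).
SAMPLE_LOG = """\
050127 16:40:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050127 16:40:01 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050127 16:40:02 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050127 16:40:02 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050127 16:40:03 [Warning] Access denied for user 'root'@'192.0.2.10' (using password: YES)
050127 16:40:09 [Warning] Access denied for user 'webapp'@'localhost' (using password: YES)
050127 16:41:30 [Warning] Access denied for user 'root'@'localhost' (using password: NO)
"""

DENIED_RE = re.compile(r"Access denied for user '([^']+)'@'([^']+)'")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def failed_root_logins(log_text, threshold=5):
    """Return {remote_host: count} for hosts with at least `threshold`
    failed root logins. Failures from the local host are ignored, since
    the bot's brute force arrives over the network."""
    counts = Counter()
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if m and m.group(1) == "root" and m.group(2) not in LOCAL_HOSTS:
            counts[m.group(2)] += 1
    return {host: n for host, n in counts.items() if n >= threshold}


def remote_root_grants(user_rows):
    """user_rows: (user, host) tuples as returned by
    SELECT user, host FROM mysql.user. Returns the host patterns from
    which root may log in remotely; an empty list means root is local-only."""
    return sorted(host for user, host in user_rows
                  if user == "root" and host not in LOCAL_HOSTS)


if __name__ == "__main__":
    print(failed_root_logins(SAMPLE_LOG))
    # Constructed rows: the '%' wildcard is exactly the exposure the bot relies on.
    print(remote_root_grants([("root", "localhost"), ("root", "%"),
                              ("webapp", "localhost")]))
```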

Unix and Linux systems running MySQL currently are not at risk from the bot.

MySQL, made by Swedish firm MySQL AB, is a popular open-source database often used to serve dynamically generated Web content or Web-based applications. According to MySQL AB, more than 5 million copies of the database are installed worldwide, including both Windows and non-Windows versions.
