MySQL worm hits Windows systemsA worm that takes advantage of administrators' poor choice of password has started spreading among database systems.
The malicious program, known as the "MySQL bot" or by the name of its executable code, SpoolCLL, infects computers running the Microsoft Windows operating system and open-source database known as MySQL, the Internet Storm Center said in an advisory published Thursday. Early indications suggest that more than 8,000 computers may be infected so far, said the group, which monitors network threats.
The worm gets initial access to a database machine by guessing the password of the system administrator, using common passwords. It then uses a flaw in MySQL to run another type of program, known as bot software, which then takes full control of the system.
"A long list of passwords is included with the bot, and the bot will brute force the password," the Internet Storm Center said in its advisory.
Because it infects Windows systems running database software, the program resembles the Slammer worm, which spread widely nearly two years ago. However, unlike Slammer, a well-chosen password is proof against SpoolCLL, according to current analyses.
Moreover, the MySQL database is much more commonly installed alongside open-source operating systems, such as Linux. That means only a small fraction of computers connected to the Internet could be compromised by the MySQL bot.
Computers taken over by the bot will attempt to connect to one of several Internet Relay Chat servers to obtain new targets and updates, the Internet Storm Center said. A survey of the IRC servers found some 8,500 hosts connected, suggesting that many computers had been infected, though researchers were careful to qualify the number.
"This bot could use other mechanisms to spread," said Joe Stewart, a senior researcher at security firm LURHQ and a contributor to the Internet Storm Center analysis. "We can't say for sure that all 8,500 computers were infected by this particular exploit."