Yorn
Jan 27 2005, 03:15 PM
Over the last two days, users running MySQL on Windows have noticed random connections out from a file named "spoolcll.exe". Full information is below:
QUOTE
I had a program called spoolcll.exe try to open up port 14054 today.
Investigation showed that although it lived in c:\winnt\system32 it wasn't tagged as a Microsoft program. It had a file datestamp of 26 Jan 5 12:57pm. The internet access happened at 12:58.
It showed up in the registry as a service 'evmon'.
The running .exe could not be killed in Task Manager. Nor could the service be paused or stopped.
After telling Norton to block all access, it tried to send a message to: 212.105.105.214, port 5003, which I also blocked.
I set the service to disabled and changed the filename it was looking for. Rebooted. It wasn't running, so I changed the name of the .exe.
For additional info and how the thread eventually ended up on MySQL being the culprit, view:
http://forums.whirlpool.net.au/forum-repli...fm?t=291921&p=1
Initial assumptions, by myself, mind you, would put the potentially infectable at a scant 150,000 systems. Not many people run MySQL on a Windows box that don't already lock all their ports (or at least that one) down. Word has it that Norton, McAfee, Kaspersky and other systems don't detect the virus but have received copies. More as this develops.
It also seems to be spreading really slowly. Recent updates have indicated it tries bruteforcing the password instead. Trying weak admin passwords.
Killaloop
Jan 27 2005, 09:31 PM
one year earlier and this worm would have done much more damage and would have spread much better
finally lock down your mysql servers
remote access is absolutely NOT needed for a database application, is it?
Spiffypat
Jan 27 2005, 10:33 PM
Suppose you did find some host listening on those ports 2301 and 2304 I believe, would it be possible to connect to them, or is it password protected? I am assuming it is, but it sure would be nice
h3llraz0r
Jan 28 2005, 02:09 PM
this is the excerpt from SANS Internet Storm Center
Updated January 27th 2005 21:38 UTC * MySQL Bot
MySQL Bot
A "bot", exploiting vulnerable MySQL installs on Windows systems, has been spotted. It infected a few thousand systems so far. As is typical for bots, infected systems will connect to an IRC server. The IRC server will instruct them to scan various /8 networks for other vulnerable mysql servers.
Infection Method
The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password.
Once connected, the bot will create a table called 'bla' using the database 'mysql'. The 'mysql' database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named 'line'.
Once the table is created, the executable is written into the table using an insert statement. Then, the content of the table is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.
In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.
Post Infection Behavior
The bot will now try to connect to one out of a number of IRC servers:
dummylandingzone.hn.org -> 212.105.105.214
these have been disabled by respective dynamic dns providers (thanks!!):
landingzone.ath.cx -> 212.105.105.214
dummylandingzone.dyndns.org -> no such name
landingzone.dynamic-ip.us -> was: 212.105.105.214
dummylandingzone.dns2go.com -> 63.64.164.91 and 63.149.6.91
dummylandingzone.hn.org -> 212.105.105.214
dummylandingzone.dynu.com -> 212.105.105.214
zmoker.dns2go.com -> 63.64.164.91
landingzone.dynu.com -> was: 212.105.105.214
dummylandingzone.ipupdater.com -> 212.105.105.214
The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used. The IP addresses will likely change. Last time we were able to connect, about 8,500 hosts were connected to the IRC server.
The bot will connect to a channel called '#rampenstampen' using the key 'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 0 132.x.x.x -a -r -s'. This will instruct the bot to scan random ips in '132.0.0.0/8' for mysql server. Throughout our observation, the topic was changed regularly. To be scanned networks included 10.0.0.0/8, likely an attempt to infect other mysql servers within a local network that is otherwise protected by a firewall.
So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server and a backdoor (details later; it appears to be listening on port 2301/tcp and 2304/tcp, maybe other ports).
Mitigation
This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a weak 'root' account. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
For a one page cheat-sheet explaining how to set up passwords and disable network access in mysql, see: http://isc.sans.org/papers/secwinmysql.pdf
Detection
The port 3306 scanning should be quite obvious. If an infected host is not able to connect to the IRC server, you will still see port 5002 and 5003 connection attempts to the hosts shown above. If you have query logging configured on your DNS server, you will see lookups for the hostnames shown above. Note that the IPs will likely change over time.
Most antivirus scanners will detect the binary. Summary from Virustotal (as of 12:45 pm EST):
AntiVir 6.29.0.8/20050127 found nothing
AVG 718/20050127 found [BackDoor.Wootbot.4.S]
BitDefender 7.0/20050127 found nothing
ClamAV devel-20041205/20050127 found nothing
DrWeb 4.32b/20050127 found [Win32.HLLW.ForBot.based]
eTrust-Iris 7.1.194.0/20050127 found nothing
eTrust-Vet 11.7.0.0/20050127 found nothing
F-Prot 3.16a/20050127 found nothing
Kaspersky 4.0.2.24/20050127 found [Backdoor.Win32.Wootbot.gen]
NOD32v2 1.985/20050127 found [probably unknown NewHeur_PE]
Norman 5.70.10/20050127 found [W32/SDBot.gen2]
Panda 8.02.00/20050127 found nothing
Sybari 7.5.1314/20050127 found [Backdoor.Win32.Wootbot.gen]
Symantec 8.0/20050127 found [W32.Spybot.Worm]
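The Detection section above lists three network indicators: outbound 3306 scanning, connection attempts to the IRC servers on 5002/5003, and DNS lookups for the dynamic-DNS names. The script below is an added example (not part of the ISC write-up or this thread) that runs those three checks over a constructed firewall and DNS log; the log line format, the `FW`/`DNS` prefixes and the scan threshold of 20 distinct destinations are assumptions.

```python
import re
from collections import defaultdict

# Indicators quoted from the ISC write-up above (IPs and names may change over time).
C2_IPS = {"212.105.105.214", "63.64.164.91", "63.149.6.91"}
C2_PORTS = {5002, 5003}
C2_HOSTNAMES = {
    "dummylandingzone.hn.org", "landingzone.ath.cx", "dummylandingzone.dyndns.org",
    "landingzone.dynamic-ip.us", "dummylandingzone.dns2go.com", "dummylandingzone.dynu.com",
    "zmoker.dns2go.com", "landingzone.dynu.com", "dummylandingzone.ipupdater.com",
}
SCAN_THRESHOLD = 20  # assumed: distinct 3306 destinations from one source before we call it a scan

# Assumed (hypothetical) log formats for this example.
FW_RE = re.compile(r"^FW src=(\S+) dst=(\S+) dport=(\d+)$")
DNS_RE = re.compile(r"^DNS client=(\S+) query=(\S+)$")


def analyze(lines):
    """Return {internal_host: sorted list of indicator tags} for hosts matching any check."""
    alerts = defaultdict(set)
    scan_targets = defaultdict(set)  # src -> distinct hosts it tried on port 3306
    for line in lines:
        m = FW_RE.match(line)
        if m:
            src, dst, dport = m.group(1), m.group(2), int(m.group(3))
            if dport in C2_PORTS and dst in C2_IPS:
                alerts[src].add("irc-c2")        # IRC server connection attempt
            elif dport == 3306:
                scan_targets[src].add(dst)       # candidate MySQL scanning
            continue
        m = DNS_RE.match(line)
        if m:
            client, name = m.groups()
            if name.rstrip(".").lower() in C2_HOSTNAMES:
                alerts[client].add("c2-dns-lookup")
    for src, targets in scan_targets.items():
        if len(targets) >= SCAN_THRESHOLD:
            alerts[src].add("mysql-scan")
    return {host: sorted(tags) for host, tags in alerts.items()}


# Constructed sample log: 10.1.2.7 shows all three behaviours, 10.1.2.9 makes one normal DB connection.
SAMPLE_LOG = [
    "DNS client=10.1.2.7 query=dummylandingzone.hn.org",
    "FW src=10.1.2.7 dst=212.105.105.214 dport=5003",
    "FW src=10.1.2.9 dst=10.1.2.50 dport=3306",
] + [f"FW src=10.1.2.7 dst=132.{i}.4.5 dport=3306" for i in range(25)]

if __name__ == "__main__":
    for host, tags in analyze(SAMPLE_LOG).items():
        print(host, ", ".join(tags))
```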