Just as the sun coming up in the morning is inevitable, today we have a worm attacking Windows servers.

Vulnerable installations of MySQL are the entry point for the worm. MySQL is an open source database. The weak points are administrative passwords which the MySpooler worm can use to log on to target systems. The MySQL UDF Dynamic Library is used to upload malicious code. (In this case a backdoor program, Wootbot).

An IRC channel on an infected system is logged onto. The systems then become drones in a network programmed to search for new victims.

4,500 systems per hour may have been infected in the early hours of spreading, according to intrusion firm PrevX.

Only MySQL running on Windows systems are affected. Although MySQL does have a UNIX version this is not as new as 4.0.21 which is where the vulnerability occurs.

Various suggested defence measures include, restricting access to root accounts, blocking port 3306 on firewalls and using strong passwords to deny brute force.

Related Articles
MySQL and Red Hat
MySQL Upgrade In Beta