
New malcode targets MySQL

By Bill Brenner, News Writer
28 Jan 2005 | SearchSecurity.com


A new variant of Forbot exploits two Windows vulnerabilities, targets MySQL and attempts to create an army of zombie PCs that could be used to launch denial-of-service attacks and other mischief.

Lynnfield, Mass.-based antivirus firm Sophos Inc. said W32.Forbot-DY targets MySQL open-source database software on Windows systems connected to the Internet. MySQL is a popular alternative to Microsoft's SQL Server database software, and Sophos estimated there are more than 5 million installations globally.

Mitigators

ISC said network administrators can protect their systems by:

- Selecting a strong password, especially for "root" accounts.

- Restricting root accounts so that they are only allowed to connect from the local host.

- Applying firewall rules. "MySQL servers should not be exposed to the 'wild outside.' Block port 3306 and only allow access from selected hosts that require such access."
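
One way to check a server against the three ISC recommendations, as an added example that is not part of the original article or ISC's guidance. It assumes an account listing exported from the mysql.user table as tab-separated user, host and stored password hash, plus the text of the [mysqld] section of my.cnf; the function names and sample data are constructed for illustration, and only missing passwords can be flagged because strength cannot be read from a hash.

```python
import configparser
import ipaddress

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: user<TAB>host<TAB>stored password hash, one account per
# line, as a batch-mode dump of those mysql.user columns would look.
SAMPLE_ACCOUNTS = "root\tlocalhost\t*A1B2C3\nroot\t%\t\napp\t10.0.0.5\t*D4E5F6\n"

# Constructed sample my.cnf fragments: the weak setting and the corrected one.
WEAK_CNF = "[mysqld]\nport = 3306\nbind-address = 0.0.0.0\n"
HARDENED_CNF = "[mysqld]\nbind-address = 127.0.0.1\n"


def audit_accounts(tsv):
    """Return (user, host, problem) tuples for the account recommendations."""
    findings = []
    for line in tsv.strip("\n").splitlines():
        user, host, pw_hash = (line.split("\t") + ["", ""])[:3]
        if pw_hash == "":
            findings.append((user, host, "no password set"))
        if user == "root" and host.lower() not in LOCAL_HOSTS:
            findings.append((user, host, "root allowed from non-local host"))
    return findings


def audit_listener(cnf_text):
    """Return a warning if mysqld listens beyond loopback, else None."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(cnf_text)
    sect = cp["mysqld"] if cp.has_section("mysqld") else {}
    if "skip-networking" in sect:      # TCP listener disabled entirely
        return None
    # Assumption: with no bind-address, treat the server as on all interfaces.
    bind = sect.get("bind-address") or "0.0.0.0"
    port = int(sect.get("port") or 3306)
    try:
        loopback = ipaddress.ip_address(bind).is_loopback
    except ValueError:                 # hostname or wildcard such as "*"
        loopback = bind.lower() == "localhost"
    if loopback:
        return None
    return f"mysqld bound to {bind}:{port}; restrict this port to selected hosts"


if __name__ == "__main__":
    for finding in audit_accounts(SAMPLE_ACCOUNTS):
        print(finding)
    print(audit_listener(WEAK_CNF))
    print(audit_listener(HARDENED_CNF))
```

A non-loopback listener is not wrong in itself when remote clients need the database; the warning marks the servers where the firewall rule for port 3306 has to exist.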

"System administrators should ensure that the computers under their care are properly protected with the latest antivirus software, sensible firewall configurations and up-to-date security patches," Graham Cluley, senior technology consultant for Sophos, said in a statement. "If you take the necessary steps then malicious malware will find it as hard to spread as frozen butter."

He added: "The Forbot worm uses brute force to try and break into systems with weak passwords. The message to system administrators is clear: Beef up your passwords now to stop these kinds of attacks from being possible."

The worm also exploits the RPC-DCOM and LSASS vulnerabilities in Windows. Microsoft released patches for the flaws in September 2003 and April 2004, respectively.

The MySQL Web site has posted further details on the threat, as has the Bethesda, Md.-based Internet Storm Center (ISC). According to the ISC, the malicious code has infected a few thousand systems so far.

Infected systems will connect to an Internet Relay Chat (IRC) server, the ISC said. The IRC server will then instruct the zombie machines to scan various networks for other vulnerable MySQL servers.
