Remortgages

US-CERT is aware of a new attack vector being used by the "Wootbot/Spybot" tool. This variant is currently being identified as the "MySQL UDF Worm". This variant compromises MySQL servers on the Microsoft Windows platform with weak or null passwords.
Once the bot tool compromises a vulnerable server, it utilizes the User Defined Function (UDF) capability of MySQL to install a function that downloads a variant of "Wootbot/Spybot". The compromised server then attempts to contact a Command and Control (C&C) server and will scan for other vulnerable systems on port 3306/TCP. It may be possible to protect against this specific attack by blocking inbound traffic to port 3306/TCP at the network perimeter.

As of release 4.1.5 gamma, the application now requires the password to be changed upon installation. However, some releases prior to 4.1.5 did not require a password change. Other applications that utilize MySQL may also be vulnerable to this attack vector if they install MySQL with a weak or null password.

More information about this issue is available in the MySQL security alert. You may also wish to visit the US-CERT's computer virus resources page. US-CERT is continuing to investigate this incident.

[ Comment, Edit or Article Submission ]