Worm uses passwords to hit MySQL

Posted on February 09th, 2005

Database administrators received a stark reminder about the shortcomings of password protection in late January, following reports that a new net worm had started exploiting MySQL databases configured with weak passwords.

The worm targets Windows systems running the open-source MySQL database, and has been using the ‘MySQL UDF Dynamic Library Exploit’ to run code on hijacked systems. But before the worm can use the exploit, it first needs to log in to the database as the administrator account, called the ‘root’ account.

The worm does not log in by exploiting a vulnerability in the MySQL software. Rather, it breaks into the database by guessing the password for the root user, and comes with a long list of possible passwords to try. One database administrator commented, ‘Passwords are a problem with most databases as they are often included in numerous scripts, which makes changing them on a regular basis rather tricky.’ (Remark from Queaso Systems: integration of fingerprint recognition functionality as offered by Qfinger as an alternative for username/password login could dramatically decrease the security breach exploited by this worm.)

Database administrators might also find the details of the attack of interest. Once the worm has logged into the database engine, it creates a new entry, or ‘table’, called ‘bla’ in the ‘mysql’ database. The mysql database is created during installation of the open-source database and normally contains database usernames and other such information. The worm then creates a binary large object (BLOB) called ‘line’ in bla, which it writes to a file called ‘app_result.dll’ on the infected system’s disk. The worm then deletes bla and runs ‘app_result.dll’, which scans for other systems that it could infect.
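As an added example (not part of the original article), the following Python sketch shows how a defender could spot these traces in a MySQL query log: repeated failed root logins from one host, followed by statements touching ‘bla’ or ‘app_result.dll’. The log layout, IP addresses and the function name `example_udf` are constructed for illustration, and the last two rules generalise beyond the names in the article to the statement types involved (a query result written to a library file, a UDF registered from a shared library).

```python
import re
from collections import Counter

# Constructed sample, simplified layout: connection id, command, argument.
SAMPLE_LOG = """\
11 Connect Access denied for user 'root'@'198.51.100.7' (using password: YES)
12 Connect Access denied for user 'root'@'198.51.100.7' (using password: YES)
13 Connect Access denied for user 'root'@'198.51.100.7' (using password: YES)
14 Connect root@198.51.100.7 on mysql
14 Query CREATE TABLE bla (line BLOB)
14 Query SELECT line FROM bla INTO DUMPFILE 'app_result.dll'
14 Query DROP TABLE bla
14 Query CREATE FUNCTION example_udf RETURNS INTEGER SONAME 'app_result.dll'
20 Query SELECT id, name FROM products WHERE id = 7
"""

DENIED = re.compile(r"Access denied for user 'root'@'([^']+)'")
RULES = [  # (label, pattern); the first two use the names given in the article
    ("table 'bla' touched", re.compile(r"\b(CREATE|DROP)\s+TABLE\s+`?bla`?\b", re.I)),
    ("app_result.dll referenced", re.compile(r"app_result\.dll", re.I)),
    ("query result written to library file",
     re.compile(r"INTO\s+(DUMP|OUT)FILE\s+'[^']*\.(dll|so)'", re.I)),
    ("UDF loaded from shared library",
     re.compile(r"CREATE\s+(AGGREGATE\s+)?FUNCTION\s+\S+\s+RETURNS\s+\w+\s+SONAME", re.I)),
]

def analyse(log_text, guess_threshold=3):
    """Return (hosts with repeated root login failures, list of statement hits)."""
    failures, hits = Counter(), []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(None, 2)
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        conn_id, command, arg = parts
        m = DENIED.search(arg)
        if command == "Connect" and m:
            failures[m.group(1)] += 1
        elif command == "Query":
            hits += [(lineno, conn_id, label) for label, rx in RULES if rx.search(arg)]
    guessers = {h: n for h, n in failures.items() if n >= guess_threshold}
    return guessers, hits

if __name__ == "__main__":
    guessers, hits = analyse(SAMPLE_LOG)
    for host, n in guessers.items():
        print(f"{n} failed root logins from {host}")
    for lineno, conn_id, label in hits:
        print(f"line {lineno} (connection {conn_id}): {label}")
```

A burst of failed root logins followed by any of these statement hits on the same server is the pattern the article describes; the threshold of three failures is an arbitrary value chosen for the sample.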