A "bot", exploiting vulnerable MySQL installs on Windows systems, has been
spotted. It infected a few thousand systems so far. Like typical for bots,
infected systems will connect to an IRC server. The IRC server will instruct
them to scan various /8 networks for other vulnerable mysql servers.
The bot uses the "MySQL UDF Dynamic Library Exploit". In order to launch
the exploit, the bot first has to authenticate to mysql as 'root' user. A long
list of passwords is included with the bot, and the bot will brute force the
Once connected, the bot will create a table called 'bla' using the database
'mysql'. The 'mysql' database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named 'line'.
Once the table is created, the executable is written into the table using an insert statement. Then, the content of is written to a file called 'app_result.dll' using 'select * from bla into dumpfile "app_result.dll"'. The 'bla' table is dropped once the file is created.
In order to execute the 'app_result.dll', the bot creates a mysql function called 'app_result' which uses the 'app_result.dll' file saved earlier. This function is executed, and as a result the bot is loaded and run.
Post Infection Behavior
The bot will now try to connect to one out of a number of IRC servers:
dummylandingzone.hn.org -> 188.8.131.52
this have been disabled by respective dynamic dns providers(thanks!!):
landingzone.ath.cx -> 184.108.40.206
dummylandingzone.dyndns.org -> no such name
landingzone.dynamic-ip.us -> was: 220.127.116.11
dummylandingzone.dns2go.com -> 18.104.22.168 and 22.214.171.124
dummylandingzone.hn.org -> 126.96.36.199
dummylandingzone.dynu.com -> 188.8.131.52
zmoker.dns2go.com -> 184.108.40.206
landingzone.dynu.com -> was: 220.127.116.11
dummylandingzone.ipupdater.com -> 18.104.22.168
The bot will connect to the IRC server on port 5002 or 5003. At this point, the IRC servers appear busy and unable to accept new connections. Note that dynamic DNS services are used. The IP addresses will likely change. Last time we where able to connect, about 8,500 hosts where connected to the IRC server.
The bot will connect to a channel called '#rampenstampen' using the key 'gratisporn'. The topic of the channel is set to '!adv.start mysql 80 10 0 132.x.x.x -a -r -s'. This will instruct the bot to scan random ips in '22.214.171.124/8' for mysql server. Throughout our observation, the topic was changed regularly. To be scanned networks included 10.0.0.0/8, likely an attempt to infect other mysql servers within a local network that is otherwise protected by a firewall.
So far, the bot has been identified as a version of 'Wootbot'. It appears to include the usual set of bot features like a DDOS engine, various scanners, commands to solicit information from infected systems (e.g. system stats, software registration keys and such). The bot provides an FTP server, and a backdoors (details later. Appears to be listening on port 2301/tcp and 2304/tcp, maybe other ports).
This bot does not use any vulnerability in mysql. The fundamental weakness it uses is a week 'root' account. The following mitigation methods will prevent exploitation:
Strong Password: Select a strong password, in particular for the 'root' account.
Restricted root account: Connections for any account can be limited to certain hosts in MySQL. This is in particular important for 'root'. If possible, 'root' should only be allowed to connect from the local host. MySQL will also allow you to force connections to use mysql's own SSL connection option.
Apply firewall rules: MySQL servers should not be exposed to the "wild outside". Block port 3306 and only allow access from selected hosts that require such access. Again, the use of ssh forwarding or SSL is highly recommended.
For a one page cheat-sheet explaining how to setup passwords and disable network access in mysql, see: http://isc.sans.org/papers/secwinmysql.pdf
The port 3306 scanning should be quite obvious. If an infected host is not able to connect to the IRC server, you will still see port 5002 and 5003 connection attempts to the hosts shown above. If you have query logging configured on your DNS server, you will see lookups for the hostnames shown above. Note that the IPs will likely change over time.
Most antivirus scanners will detect the binary. Summary from
Virustotal (as of 12:45 pm EST):
AntiVir 126.96.36.199/20050127 found nothing
AVG 718/20050127 found [BackDoor.Wootbot.4.S]
BitDefender 7.0/20050127 found nothing
ClamAV devel-20041205/20050127 found nothing
DrWeb 4.32b/20050127 found [Win32.HLLW.ForBot.based]
eTrust-Iris 188.8.131.52/20050127 found nothing
eTrust-Vet 184.108.40.206/20050127 found nothing
F-Prot 3.16a/20050127 found nothing
Kaspersky 220.127.116.11/20050127 found [Backdoor.Win32.Wootbot.gen]
NOD32v2 1.985/20050127 found [probably unknown NewHeur_PE]
Norman 5.70.10/20050127 found [W32/SDBot.gen2]
Panda 8.02.00/20050127 found nothing
Sybari 7.5.1314/20050127 found [Backdoor.Win32.Wootbot.gen]
Symantec 8.0/20050127 found [W32.Spybot.Worm]
Thanks to Evan for providing the sample of Spoolcll.exe (md5sum 18d3fe6ebabc4bed7008a9d3cb3713b9), our malware list, in particular Joe Stewart of LURHQ ( http://www.lurhq.com ), our handlers, and the members of the Whirlpool forum ( http://forums.whirlpool.net.au/forum-replies.cfm?t=291921 ).
Johannes Ullrich (filling in for Deb Hale)
Jan 27th 2005
1 decade ago