Security experts are tracking a new variant
of the Forbot Worm. Forbot, also known as W32/Forbot-DY,
UDF, Wootbot, and MySpooler worm was first reported on the Whirlpool
Forums on January 26, by a developer who notice an unknown application, spoolcll.exe,
trying to open a port.
According to MySQL, the UDF worm is self-propagating code
that finds MySQL Servers running on Windows with poor firewall and password
security. The worm does not exploit any bugs in MySQL but does exploit poor
security setups for firewalls and passwords. Johannes Ullrich, in a report posted on SANS on January 27
stated, "The bot
uses the "MySQL UDF Dynamic Library Exploit." In order to launch the
exploit, the bot first has to authenticate to mysql as 'root' user. A long list
of passwords is included with the bot, and the bot will brute force the
The bot creates a table in the mysql database, writing an executable into the table. The
content is then written to a file, "app_result.dll," and the table is
dropped. The bot then creates a function called "app_result" in
order to execute the .dll file. When the function is executed, the bot is
loaded and run and attempts to connect to one of a number of IRC servers on
port 5002 or 5003.
MySQL offers two basic steps to protect your MySQL servers:
- Always use strong passwords on all accounts.
- Use firewalls to protect your MySQL Servers.
SANS also recommends blocking port 3306 on firewalls.
If your system has already been compromised,
article from Microsoft.