Forbot Worm Variant Exploits Vulnerable Installations of MySQL

January 28, 2005

Security experts are tracking a new variant of the Forbot worm. Forbot, also known as W32/Forbot-DY, the UDF worm, Wootbot, and the MySpooler worm, was first reported on the Whirlpool Forums on January 26 by a developer who noticed an unknown application, spoolcll.exe, trying to open a port.

According to MySQL, the UDF worm is self-propagating code that finds MySQL servers running on Windows with poor firewall and password security. The worm does not exploit any bug in MySQL; it exploits poorly secured setups, namely servers reachable from the network and root accounts with weak or empty passwords. Johannes Ullrich, in a report posted on SANS on January 27, stated: "The bot uses the 'MySQL UDF Dynamic Library Exploit.' In order to launch the exploit, the bot first has to authenticate to mysql as 'root' user. A long list of passwords is included with the bot, and the bot will brute force the password."
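Because the bot has to guess the root password before it can do anything else, a burst of failed root logins from a single host is the earliest sign of it. The following Python script is an added example, not code from the article, SANS or MySQL: it parses constructed lines in the shape MySQL writes to its error log for a rejected login (assumption: this requires log_warnings=2, and the exact layout differs between MySQL versions) and reports any user/host pair that fails at least five times within one minute.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, not from any real server. Lines follow the shape MySQL
# writes to its error log for a rejected login when log_warnings=2 is set
# (assumption: the exact layout differs between MySQL versions). One host
# hammers root with a password list; a user elsewhere mistypes twice.
SAMPLE_ERROR_LOG = """\
050127 22:14:01 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:01 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:02 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:02 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:03 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:03 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: YES)
050127 22:14:04 [Warning] Access denied for user 'root'@'192.0.2.77' (using password: NO)
050127 22:30:11 [Warning] Access denied for user 'alice'@'10.0.0.5' (using password: YES)
050127 23:40:11 [Warning] Access denied for user 'alice'@'10.0.0.5' (using password: YES)
"""

LINE_RE = re.compile(
    r"^(?P<stamp>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)' "
    r"\(using password: (?:YES|NO)\)$"
)


def parse_failed_login(line):
    """Return (timestamp, user, host) for an access-denied line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    stamp = datetime.strptime(m.group("stamp"), "%y%m%d %H:%M:%S")
    return stamp, m.group("user"), m.group("host")


def find_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(user, host): total failures} for every source that produced at
    least `threshold` failed logins inside some `window`-long period.

    A sliding window, rather than a plain count, keeps a user who mistypes a
    password a few times over an evening from being reported, while a bot
    working through a password list trips the rule within seconds.
    """
    by_source = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_failed_login(line)
        if parsed:
            stamp, user, host = parsed
            by_source[(user, host)].append(stamp)

    hits = {}
    for source, stamps in by_source.items():
        stamps.sort()
        start = 0
        for end, stamp in enumerate(stamps):
            # Advance the window start until it lies within `window` of `stamp`.
            while stamp - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[source] = len(stamps)
                break
    return hits


if __name__ == "__main__":
    for (user, host), count in find_bruteforce(SAMPLE_ERROR_LOG).items():
        print("possible brute force: %d failed logins for %s from %s" % (count, user, host))
```

Run against a real error log, the same rule also catches the bot's "using password: NO" probe, which is what it sends when the list is exhausted or the account has no password at all; an empty root password is the case MySQL's first recommendation below is meant to remove.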

The bot creates a table in the mysql database and inserts an executable into it as a binary value. The table's contents are then written out to a file, app_result.dll, using the server's ability to write a query result to a file on its own disk (SELECT ... INTO DUMPFILE), and the table is dropped. The bot then registers a user-defined function (UDF) named app_result backed by that library (CREATE FUNCTION ... SONAME), which makes the MySQL server load the DLL into its own process. When the function is called, the bot's code runs with the privileges of the MySQL server and attempts to connect to one of a number of IRC servers on port 5002 or 5003. Every step is an ordinary SQL statement available to the root account, which is why no patch exists for this and the defence is keeping root off the network and well protected.
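The statement sequence just described is distinctive enough to hunt for in MySQL's general query log. The following Python script is an added example, not code from the article, SANS or MySQL: it parses a constructed log in the shape of the general query log (assumptions: the log is enabled, each line is "<time> <thread id> <command> <argument>" with the time shown only when it changes, and table and path names are invented) and reports any single connection that both wrote a file with INTO DUMPFILE and then registered it with CREATE FUNCTION ... SONAME, together with any later call to the new function.

```python
import re

# Constructed sample, not a real capture. Lines follow the shape of the MySQL
# general query log (assumption: "<time> <thread id> <command> <argument>",
# with the time shown only when it changes). Thread 12 replays the sequence
# the article describes; thread 13 is ordinary traffic, including a harmless
# INTO OUTFILE export that must not be flagged. Names and paths are invented.
SAMPLE_GENERAL_LOG = """\
050127 22:14:09\t      12 Connect\troot@192.0.2.77 on
\t      12 Query\tUSE mysql
\t      12 Query\tCREATE TABLE tmp_udf (data BLOB)
\t      12 Query\tINSERT INTO tmp_udf VALUES (0x4D5A90000300000004000000FFFF0000)
\t      12 Query\tSELECT data FROM tmp_udf INTO DUMPFILE 'C:/mysql/bin/app_result.dll'
\t      12 Query\tDROP TABLE tmp_udf
\t      12 Query\tCREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll'
\t      12 Query\tSELECT app_result()
050127 22:15:30\t      13 Connect\twebapp@10.0.0.5 on orders
\t      13 Query\tSELECT id, total FROM orders WHERE customer = 42
\t      13 Query\tSELECT * FROM orders INTO OUTFILE '/tmp/export.csv'
\t      13 Quit\t
"""

LOG_LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$"
)
# File write through the server: the step that drops the DLL on disk.
DUMPFILE_RE = re.compile(r"\bINTO\s+DUMPFILE\s+'(?P<path>[^']*)'", re.I)
# UDF registration: the step that makes mysqld load that DLL.
CREATE_UDF_RE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>\w+)\s+RETURNS\s+\w+"
    r"\s+SONAME\s+'(?P<lib>[^']*)'",
    re.I,
)


def parse_general_log(log_text):
    """Yield (thread id, command, argument) for each line that fits the layout."""
    for line in log_text.splitlines():
        m = LOG_LINE_RE.match(line)
        if m:
            yield int(m.group("tid")), m.group("cmd"), m.group("arg").strip()


def find_udf_loads(log_text):
    """Return one finding per connection that both wrote a file with INTO DUMPFILE
    and registered a library with CREATE FUNCTION ... SONAME, plus any later
    statement on that connection that calls the newly registered function.

    Either statement alone can be legitimate administration; the pair on one
    connection is the signature of a library being dropped and loaded via SQL.
    """
    sessions = {}
    for tid, cmd, arg in parse_general_log(log_text):
        s = sessions.setdefault(
            tid, {"user": None, "dumpfiles": [], "udfs": [], "calls": []}
        )
        if cmd == "Connect":
            s["user"] = arg.split()[0] if arg else None
        elif cmd == "Query":
            # Calls to functions registered earlier on this same connection.
            for name, _lib in s["udfs"]:
                if re.search(r"\b%s\s*\(" % re.escape(name), arg, re.I):
                    s["calls"].append(arg)
            m = DUMPFILE_RE.search(arg)
            if m:
                s["dumpfiles"].append(m.group("path"))
            m = CREATE_UDF_RE.search(arg)
            if m:
                s["udfs"].append((m.group("name"), m.group("lib")))
    return [
        {"thread": tid, **s}
        for tid, s in sorted(sessions.items())
        if s["dumpfiles"] and s["udfs"]
    ]


if __name__ == "__main__":
    for f in find_udf_loads(SAMPLE_GENERAL_LOG):
        print("thread %d (%s): wrote %s, registered %s, called %s"
              % (f["thread"], f["user"], f["dumpfiles"], f["udfs"], f["calls"]))
```

Two caveats when using this for real: the general query log is off by default and costs disk, so it is a hunting tool rather than a permanent control, and a more careful attacker could split the file write and the CREATE FUNCTION across two connections, which this per-connection pairing would miss; a simpler daily query for unexpected rows in the mysql.func table (where registered UDFs are recorded) covers that case.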

MySQL recommends two basic steps to protect your MySQL servers:

  1. Always use strong passwords on all accounts.
  2. Use firewalls to protect your MySQL Servers.

SANS also recommends blocking inbound connections to TCP port 3306, MySQL's default listening port, at the firewall; the bot cannot begin guessing passwords on a server it cannot reach.

If your system has already been compromised, see this article from Microsoft.