Risk: Medium
A worm exploiting vulnerable installations of MySQL to take over Windows servers has begun spreading across the net. The MySpooler worm takes advantage of weak administrative passwords to log onto target systems before using the MySQL UDF Dynamic Library exploit to upload malicious code (a backdoor program called Wootbot).
Compromised systems log onto an IRC channel, becoming drones in a zombie network currently programmed to hunt for fresh victims. Intrusion firm PrevX reckons the worm infected 4,500 systems per hour in the early hours of its outbreak, a rapid spread evidenced by an upsurge in port 3306 scans associated with the worm.
The MySQL open source database is available in Unix and Windows flavours, but only Windows machines running MySQL 4.0.21 or later are being exploited in the attack. The SANS Institute has put together an analysis of the malware along with suggested defence strategies. Blocking port 3306 on firewalls, restricting access to root accounts and using strong passwords resistant to brute-force attacks are all strongly recommended.
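The article notes that the outbreak showed up as a surge in port 3306 scans. The following added example (not from the article or from SANS) flags the scan signature in firewall logs: a single source touching TCP/3306 on many distinct hosts. The log format and the IP addresses are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample firewall log lines (hypothetical format, not from the article).
# 203.0.113.7 fans out across the subnet on 3306; 198.51.100.5 is a legitimate client.
SAMPLE_LOGS = """\
2005-01-27 03:12:01 fw1 DROP SRC=203.0.113.7 DST=198.51.100.10 PROTO=TCP DPT=3306
2005-01-27 03:12:01 fw1 DROP SRC=203.0.113.7 DST=198.51.100.11 PROTO=TCP DPT=3306
2005-01-27 03:12:02 fw1 DROP SRC=203.0.113.7 DST=198.51.100.12 PROTO=TCP DPT=3306
2005-01-27 03:12:02 fw1 DROP SRC=203.0.113.7 DST=198.51.100.13 PROTO=TCP DPT=3306
2005-01-27 03:12:03 fw1 DROP SRC=203.0.113.7 DST=198.51.100.14 PROTO=TCP DPT=3306
2005-01-27 03:12:03 fw1 ACCEPT SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP DPT=3306
2005-01-27 03:12:04 fw1 DROP SRC=192.0.2.9 DST=198.51.100.10 PROTO=TCP DPT=80
2005-01-27 03:12:05 fw1 ACCEPT SRC=198.51.100.5 DST=198.51.100.10 PROTO=TCP DPT=3306
"""

# Matches the source, destination and destination port of a TCP log entry.
LOG_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=TCP DPT=(?P<dport>\d+)")

MYSQL_PORT = "3306"


def find_mysql_scanners(log_text, min_targets=3):
    """Return {source: sorted distinct destinations} for every source that
    contacted TCP/3306 on at least `min_targets` different hosts.

    Fan-out across many hosts is what separates a worm hunting for MySQL
    servers from a legitimate client that repeatedly connects to one server.
    """
    targets = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or m.group("dport") != MYSQL_PORT:
            continue
        targets[m.group("src")].add(m.group("dst"))
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for src, dsts in find_mysql_scanners(SAMPLE_LOGS).items():
        print(f"{src} probed port 3306 on {len(dsts)} hosts: {', '.join(dsts)}")
```

Lowering `min_targets` makes the check more sensitive but will start flagging ordinary multi-server clients; pair it with the firewall block on 3306 rather than relying on it alone.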