MySQL bot infecting Windows machines
Posted by creining | Filed under Security
The ISC’s Handlers Diary today covers a new MySQL bot that is actually quite clever. First off, it only affects MySQL running on Windows systems (who does that? Quite a few people, I guess, as there are a few thousand infected systems). The bot doesn’t exploit any vulnerability in MySQL; it gets in by brute-forcing the MySQL root password, chewing through a long list of candidate passwords. Again, this is a great example of why strong passwords are a fundamental part of security. The clever part comes after the bot successfully connects to the database as the root user. As outlined in the Handlers Diary:
“Once connected, the bot will create a table called ‘bla’ using the database ‘mysql’. The ‘mysql’ database is typically used to store administrative information like passwords, and is part of every mysql install. The only field in this database is a BLOB named ‘line’.
Once the table is created, the executable is written into the table using an insert statement. Then, the content of is written to a file called ‘app_result.dll’ using ‘select * from bla into dumpfile "app_result.dll"’. The ‘bla’ table is dropped once the file is created.
In order to execute the ‘app_result.dll’, the bot creates a mysql function called ‘app_result’ which uses the ‘app_result.dll’ file saved earlier. This function is executed, and as a result the bot is loaded and run.”
I think that leveraging the MySQL root access the way the bot author(s) did to compromise the entire system is really sweet!
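A defender-side check for the chain quoted above, as an added example (not the ISC’s or this post’s own code): it takes SQL statements grouped by connection and flags a session that creates a BLOB staging table, writes its contents to disk with INTO DUMPFILE and then loads the written file with CREATE FUNCTION ... SONAME. The (connection_id, sql) input shape, the sample statements and the RETURNS type of the function are assumptions; the table, column and file names come from the diary.

```python
"""Detect the MySQL 'BLOB table -> INTO DUMPFILE -> CREATE FUNCTION ... SONAME'
drop chain described in the ISC diary.

Added example, not code from the ISC or the blog author. It assumes the
statements arrive as (connection_id, sql) pairs, e.g. pulled from the MySQL
general query log or an audit plugin; that input shape is an assumption.
"""
import re
from collections import defaultdict

# Step 1: a table with a BLOB column is created to stage the binary.
CREATE_BLOB_TABLE = re.compile(
    r"\bCREATE\s+TABLE\s+(?:`?\w+`?\.)?`?(?P<table>\w+)`?\s*\(.*\bBLOB\b",
    re.I | re.S,
)
# Step 2: the payload is inserted into that staging table.
INSERT_INTO = re.compile(r"\bINSERT\s+INTO\s+(?:`?\w+`?\.)?`?(?P<table>\w+)`?", re.I)
# A hex literal starting with 0x4D5A ("MZ") is the DOS/PE header of a Windows binary.
PE_MAGIC = re.compile(r"(?:0x|X')4D5A", re.I)
# Step 3: the table contents are written to disk as raw bytes.
DUMPFILE = re.compile(r"\bINTO\s+DUMPFILE\s+['\"](?P<path>[^'\"]+)['\"]", re.I)
# Step 4: the written file is loaded as a user-defined function.
CREATE_UDF = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?\w+`?\s+RETURNS\s+\w+\s+SONAME\s+"
    r"['\"](?P<lib>[^'\"]+)['\"]",
    re.I,
)


def _basename(path):
    """Last path component, splitting on both / and \\ (Windows hosts)."""
    return re.split(r"[\\/]", path)[-1].lower()


def analyse_session(statements):
    """Return the drop-chain steps seen in one connection's statements, in order."""
    staging = set()  # tables created with a BLOB column in this session
    steps = []
    for sql in statements:
        m = CREATE_BLOB_TABLE.search(sql)
        if m:
            staging.add(m.group("table").lower())
            steps.append(("create_blob_table", m.group("table")))
            continue
        m = INSERT_INTO.search(sql)
        if m and m.group("table").lower() in staging:
            kind = "insert_pe_payload" if PE_MAGIC.search(sql) else "insert_payload"
            steps.append((kind, m.group("table")))
            continue
        m = DUMPFILE.search(sql)
        if m:
            steps.append(("dumpfile", m.group("path")))
            continue
        m = CREATE_UDF.search(sql)
        if m:
            steps.append(("create_udf", m.group("lib")))
    return steps


def find_udf_drops(log):
    """Group statements by connection and flag sessions that wrote a file with
    INTO DUMPFILE and later loaded a shared library with CREATE FUNCTION ... SONAME.
    Returns {connection_id: {"steps": [...], "library_matches_dumpfile": bool}}.
    """
    per_conn = defaultdict(list)
    for conn_id, sql in log:
        per_conn[conn_id].append(sql)

    hits = {}
    for conn_id, stmts in per_conn.items():
        steps = analyse_session(stmts)
        kinds = [k for k, _ in steps]
        if "dumpfile" not in kinds or "create_udf" not in kinds:
            continue
        if kinds.index("dumpfile") > kinds.index("create_udf"):
            continue  # library loaded before anything was written: not this chain
        dumped = {_basename(v) for k, v in steps if k == "dumpfile"}
        loaded = {_basename(v) for k, v in steps if k == "create_udf"}
        hits[conn_id] = {
            "steps": steps,
            "library_matches_dumpfile": bool(dumped & loaded),
        }
    return hits


# Constructed sample: connection 7 replays the chain from the diary (payload
# shortened to a few bytes; the RETURNS type is a guess), connection 12 is a
# legitimate BLOB table plus an export, connection 3 is ordinary reads.
SAMPLE_LOG = [
    (7, "USE mysql"),
    (7, "CREATE TABLE bla (line BLOB)"),
    (7, "INSERT INTO bla VALUES (0x4D5A90000300000004000000FFFF0000)"),
    (7, 'SELECT * FROM bla INTO DUMPFILE "app_result.dll"'),
    (7, "DROP TABLE bla"),
    (7, "CREATE FUNCTION app_result RETURNS INTEGER SONAME 'app_result.dll'"),
    (7, "SELECT app_result()"),
    (12, "CREATE TABLE attachments (id INT, body BLOB)"),
    (12, "INSERT INTO attachments VALUES (1, 0x89504E47)"),
    (12, "SELECT body FROM attachments WHERE id = 1 INTO DUMPFILE '/var/tmp/att1.png'"),
    (3, "SELECT user, host FROM mysql.user"),
]

if __name__ == "__main__":
    for conn_id, info in find_udf_drops(SAMPLE_LOG).items():
        print(f"connection {conn_id}: {[k for k, _ in info['steps']]} "
              f"library_matches_dumpfile={info['library_matches_dumpfile']}")
```

Only connection 7 is reported: connection 12 also creates a BLOB table and writes a file, but never loads it with SONAME, which is why the check keys on the DUMPFILE followed by CREATE FUNCTION pair rather than on any single statement. Dropping the ‘bla’ table afterwards does not hide the chain, since the statements were already logged. On the prevention side, the same chain depends on the FILE privilege and on where the server is allowed to write; restricting `secure_file_priv` and not handing the root account (or its password) to anything reachable from the network removes both preconditions.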