Public Safety and Emergency Preparedness Canada | Sécurité publique et Protection civile Canada

Advisory Number: AV05-003
MySQL UDF Dynamic Library Exploit Bot
27 January 2005

PURPOSE
The purpose of this advisory is to bring attention to a MySQL Bot exploiting MySQL installations on Windows systems.

ASSESSMENT
This bot is a worm that uses the “MySQL UDF Dynamic Library Exploit” to replicate itself and infect other systems running MySQL on Windows platforms. The bot must first authenticate as the MySQL root user by brute-forcing the password. It receives further instructions over IRC.

The bot has the following features: distributed denial-of-service (DDoS) engine, various scanners, FTP server, backdoors and commands to extract information about the infected system.

SUGGESTED ACTION
PSEPC recommends that administrators choose a strong password and immediately apply it to the MySQL root account.

The MySQL root account should only be allowed to connect from the local host.

If possible, do not expose MySQL servers to the Internet. Monitor and control inbound access on port 3306.

To locate infected systems, scan your perimeter and internal networks for hosts listening on TCP ports 2301 and 2304. Also scan local systems for occurrences of "spoolcll.exe" and "app_result.dll".

Watch for infected systems attempting to connect to IRC hosts on ports 5002 and 5003 outbound.
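
The checks above can be applied to connection records and file listings. The following Python code is an added example, not part of the PSEPC advisory: the ports and file names are the advisory's, while the record format, the 10.0.0.0/8 internal range and the sample records are assumptions constructed for illustration.

```python
import ipaddress
import ntpath

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumption: your internal range
BOT_LISTEN_PORTS = {2301, 2304}                 # from the advisory
BOT_IRC_PORTS = {5002, 5003}                    # from the advisory
MYSQL_PORT = 3306                               # from the advisory
BOT_FILES = {"spoolcll.exe", "app_result.dll"}  # from the advisory

# Constructed sample records in an assumed format: "time src_ip:port dst_ip:port"
SAMPLE_LOG = """\
2005-01-27T10:00:01 203.0.113.9:40112 10.0.0.5:3306
2005-01-27T10:00:07 10.0.0.5:1045 198.51.100.20:5002
2005-01-27T10:01:13 10.0.0.8:1201 10.0.0.5:2301
2005-01-27T10:02:30 10.0.0.8:1300 10.0.0.6:3306
"""

def _endpoint(text):
    """Split 'ip:port' into (ip_address, int port)."""
    host, port = text.rsplit(":", 1)
    return ipaddress.ip_address(host), int(port)

def classify(line):
    """Return (host_to_investigate, finding) for one record, or None."""
    _, src, dst = line.split()
    (src_ip, _), (dst_ip, dst_port) = _endpoint(src), _endpoint(dst)
    src_in, dst_in = src_ip in INTERNAL, dst_ip in INTERNAL
    if dst_in and dst_port in BOT_LISTEN_PORTS:
        return str(dst_ip), "traffic to bot listener port %d" % dst_port
    if src_in and not dst_in and dst_port in BOT_IRC_PORTS:
        return str(src_ip), "outbound connection to port %d" % dst_port
    if dst_in and not src_in and dst_port == MYSQL_PORT:
        return str(dst_ip), "MySQL reachable from outside"
    return None

def review_log(text):
    """Classify every non-empty record and keep only the findings."""
    hits = (classify(l) for l in text.splitlines() if l.strip())
    return [h for h in hits if h]

def suspicious_files(paths):
    """Match the advisory's file names; Windows file names are case-insensitive."""
    return [p for p in paths if ntpath.basename(p).lower() in BOT_FILES]

if __name__ == "__main__":
    for host, finding in review_log(SAMPLE_LOG):
        print(host, finding)
```

A host that appears under more than one finding, as 10.0.0.5 does in the sample, is the first candidate for the local file check.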

Additional information is available at:
http://isc.sans.org/ (Handlers Diary January 27th 2005)


---

Note to Readers

Public Safety and Emergency Preparedness Canada (PSEPC) collects information related to cyber and physical threats to, and incidents involving, Canadian critical infrastructure. This allows us to monitor and analyse threats and to issue alerts, advisories and other information products to our partners. To report threats or incidents, please contact the PSEPC operations coordination centre at (613) 991-7000 or goc-cog@psepc-sppcc.gc.ca by e-mail.

Unauthorized use of computer systems and mischief in relation to data are serious Criminal Code offences in Canada. Any suspected criminal activity should be reported to local law enforcement organizations. The RCMP National Operations Centre (NOC) provides a 24/7 service to receive such reports or to redirect callers to local law enforcement organizations. The NOC can be reached at (613) 993-4460. National security concerns should be reported to the Canadian Security Intelligence Service (CSIS) at (613) 993-9620.

Links to sites not under the control of the Government of Canada (GoC) are provided solely for the convenience of users. The GoC is not responsible for the accuracy, currency or the reliability of the content. The GoC does not offer any guarantee in that regard and is not responsible for the information found through these links, nor does it endorse the sites and their content.

Last Updated: 10/25/2005