Open source database software maker MySQL AB warned its users to tighten security last Thursday, after news broke about a new Internet worm that targets the popular relational database, according to a company executive.
He said the company is looking at making bigger changes to harden its product against future attacks.
After spending much of the day reaching out to its users about how to protect themselves from the new threat, a version of the Forbot network worm (also known as W32.spybotIVQ), the company announced that it is working on bigger security fixes, including automatic update features that can push out software changes, and improvements to the default installation that will make the product harder to crack in the future, said Zack Urlocker, vice president of marketing at MySQL AB.
The actions come one day after a new version of the Forbot network worm, Forbot-DY, began infecting Microsoft Corp. Windows machines running MySQL. The worm, which also has Trojan horse features, infects machines by breaking into the default administrator (or “root”) account password. With access to the MySQL root account, Forbot was programmed to use a recently-discovered exploit called the MySQL UDF Dynamic Library Exploit to upload and install malicious code to the infected system.
At the height of the outbreak Thursday, more than 8,000 MySQL machines were believed to be infected with Forbot, according to Johannes Ullrich at The SANS Institute’s Internet Storm Center.
The worm took advantage of people who left their MySQL server unsecured, but also benefitted from features designed to make MySQL easy to install and use, said Urlocker. “In the past, our goal was to have MySQL up and running 15 minutes,” he said.
For example, the default root account password is blank. MySQL also allows users to log in as root remotely by default, a feature that was integral to Forbot-DY’s spread, according to security experts.
In the wake of the worm, MySQL is revaluating whether security should trump convenience in future releases, Urlocker said. “If we need stricter passwords or services out of the box to help people monitor (security) issues, we’ll look at that.”
The company has been working on an automatic software update feature that could push out patches for security vulnerabilities for around nine months. MySQL may also shut off the remote access feature by default, rather than have it enabled, he said.
However, Urlocker defended the company’s stance on security, saying that MySQL added a feature in its recent 4.1 software release that prompts users to change the default root password during installation, he said.
For now, however, MySQL is still trying to spread the word to its customers about the new worm and get them to take precautions to protect themselves, such as changing the root account password, installing a firewall and preventing remote access to MySQL servers.
Companies should consider taking an inventory of their network to ensure they aren’t using vulnerable machines, even if they don’t believe they are running MySQL, said Eric Gonzales, co-founder of Application Security Inc. of New York. “We’ve seen MySQL used as the backend on lots of applications, including backup and trading systems. And people don’t really know its there,” he said.
The powerful database software is free to download, which makes it more likely employees may have loaded a copy on their desktop or laptop computers to tinker with, and then forgotten about it, Gonzales said. In addition to an inventory of all MySQL installations, administrators should monitor their IDS (intrusion detection systems) for suspicious MySQL traffic on port 3306, he said.
Symantec Corp. suggests MySQL users harden their passwords; filter outbound traffic on TCP ports 5002 and 5003; filter inbound traffic on TCP ports 3306, 42, 135, 445, 1025, 1433 and UDP port 69; restrict incoming connetions to MySQL databases to trsuted connections; and update all antivirus signatures.