Forbot worm uses dictionary attack to break into MySQL databases, Sophos reports

January 28, 2005 Sophos Press Release

Download a white paper

Virus experts at Sophos have warned computer users about a new variant of the Forbot worm which targets MySQL open-source database software on Windows computers connected to the internet. MySQL is a popular alternative to Microsoft's SQL Server database software, and there are said to be more than 5 million installations worldwide.

The W32/Forbot-DY worm (also called UDF, Wootbot or MySpool) is the latest in a long line of worms in the Forbot family, which first began to appear in mid-2004.

Aside from spreading across the internet, the worm also attempts to create a zombie bot network which would allow remote hackers to launch a distributed denial-of-service attack from infected computers.

"System administrators should ensure that the computers under their care are properly protected with the latest anti-virus software, sensible firewall configurations and up-to-date security patches," said Graham Cluley, senior technology consultant for Sophos. "If you take the necessary steps then malicious malware will find it as hard to spread as frozen butter."

The Forbot-DY worm tries to spread to network shares with weak passwords and also by using two Microsoft security vulnerabilities: The RPC-DCOM security exploit (MS03-039) and the LSASS security exploit (MS04-011).

"The Forbot worm uses a list of likely words to try and break into systems with poorly chosen passwords," continued Cluley. "The message to system administators is clear: beef up your passwords now to stop these kind of attacks from being possible."

More information about the threat posed by the worm has been published on the MySQL website.

Sophos does not believe that this latest worm will have the same impact as the SQL Slammer worm which slowed down parts of the internet in early 2003.