Symantec has discovered malware targeting MySQL servers around the world. The interesting part is that after compromising them, the attackers use the servers to launch Distributed Denial-of-Service (DDoS) attacks. The likely reason for choosing MySQL servers for DDoS is their greater bandwidth capacity. The attackers are aiming their DDoS weapons at Chinese and US hosting providers.
First, the attackers inject the malicious function Downloader.Chikdos into servers, which lets them take over the server via the Chikdos Trojan. The latter is distributed in both Windows and Linux versions and is hard to detect.
Here is the list of infected countries:
Chikdos itself is nothing new to security researchers: the malware was first discovered 2 years ago by the Polish CERT (CERT.PL).
How does Chikdos work?
Chikdos abuses the user-defined function (UDF) mechanism of the MySQL engine. A UDF is a file located on the server that can be called from MySQL to gain additional functions and capabilities. You can learn more about UDF exploitation from Matthew Zimmerman.
Thanks to this technique, attackers can create a UDF file that looks like a legitimate one but allows the server to perform unauthorized activities such as downloading malware, creating a remote shell, changing passwords and more. Once the UDF is created, it can be transferred to a target server using SQL injection and a DUMP parameter.
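Because the technique leaves a trace in the server's own catalogue, a practical defensive check is to audit every UDF registered in `mysql.func` against the contents of `plugin_dir` and an allowlist of libraries you installed yourself. The script below is an added example, not code from Symantec or CERT.PL; the `mysql.func` output, the directory listing and the allowlist are constructed sample data.

```python
"""Audit UDF registrations in mysql.func (hypothetical helper, added example).

Input is the tab-separated batch output of
    mysql -B -e "SELECT name, dl FROM mysql.func"
plus a listing of plugin_dir and an allowlist of deliberately installed libraries.
"""

# Constructed sample output; the last three rows mimic a library that was
# dropped onto the server, a traversal-style path, and a dangling registration.
SAMPLE_FUNC_OUTPUT = (
    "name\tdl\n"
    "legit_fn\tliblegit_udf.so\n"
    "run_cmd\tlibdropped.so\n"
    "fetch_file\t../../../tmp/x.so\n"
    "stale_fn\tlibgone.so\n"
)
SAMPLE_PLUGIN_DIR = ["liblegit_udf.so", "libdropped.so"]  # constructed listing
TRUSTED_LIBS = {"liblegit_udf.so"}                         # constructed allowlist


def parse_func_output(text):
    """Parse `mysql -B` output into (name, dl) pairs, skipping the header row."""
    rows = []
    for line in text.splitlines()[1:]:
        if not line.strip():
            continue
        name, dl = line.split("\t", 1)
        rows.append((name, dl))
    return rows


def audit_udfs(func_rows, plugin_dir_files, trusted_libs):
    """Return (name, dl, reason) for every registration that needs review."""
    findings = []
    present = set(plugin_dir_files)
    for name, dl in func_rows:
        if "/" in dl or "\\" in dl:
            # mysql.func should hold a bare filename resolved inside plugin_dir
            findings.append((name, dl, "path component in dl"))
        elif dl not in present:
            # registration points at a file that no longer exists
            findings.append((name, dl, "library missing from plugin_dir"))
        elif dl not in trusted_libs:
            # library is present but nobody on the team installed it
            findings.append((name, dl, "library not in allowlist"))
    return findings


if __name__ == "__main__":
    rows = parse_func_output(SAMPLE_FUNC_OUTPUT)
    for name, dl, reason in audit_udfs(rows, SAMPLE_PLUGIN_DIR, TRUSTED_LIBS):
        print(f"REVIEW {name} -> {dl}: {reason}")
```

On a live server, feed it the real query output and `os.listdir()` of the directory reported by `SHOW VARIABLES LIKE 'plugin_dir'`; any finding should be compared against the library's file modification time and hash before deciding it is benign.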
If you own a MySQL server, you should definitely have a look at the following folders in the MySQL installation:
The attackers change registry settings to enable Terminal Services, so don't forget to check your registry for the following entries:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\"Enabled" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"EnableAdminTSRemote" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\"Start" = "2"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\"Start" = "2"
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"TSEnabled" = "1"
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"