MySQL servers hijacked to carry out DDoS attacks

Oct 28, 2015 15:09 GMT  ·  By

Symantec has uncovered an ongoing campaign in which hackers are using malware to hijack MySQL servers, enrolling them into a botnet specialized in launching DDoS attacks.

According to Symantec's Gavin O. Gorman, attackers may be using SQL injections (still unconfirmed) to infect MySQL servers with a custom-made UDF (user-defined function) file, which then saves the Downloader.Chikdos trojan on the server.

Because a UDF lets the MySQL server execute native code and perform operations on the host that regular SQL statements cannot, the attackers invoke the UDF, which then downloads a more dangerous trojan detected as Trojan.Chikdos.A.

This trojan is a variant of the Trojan.Chikdos malware, specialized in carrying out DDoS attacks.

Webmasters who want to check whether this malware has infected their servers should look for randomly named .dll files in the following folders: \Lib\, \Lib\plugin\, and \Bin\.
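As an added example (not code from Symantec's report or from this article), the folder check above expressed as a small script: it lists every .dll in the three named folders under the MySQL base directory that is not on an operator-maintained allowlist. The allowlist contents, the base directory and the sample file names are assumptions; the demo directory is constructed in a temp folder so the script runs offline.

```python
import os
import tempfile

# Folders named in the write-up, relative to the MySQL base directory.
SUSPECT_DIRS = ("Lib", os.path.join("Lib", "plugin"), "Bin")

# Operator-maintained allowlist of DLLs expected in this install (assumption:
# populate it from a known-good installation of the same MySQL version).
KNOWN_GOOD = {"libmysql.dll"}


def find_suspect_dlls(basedir, known_good=KNOWN_GOOD):
    """Return [(relative path, size in bytes)] for every .dll in the watched
    folders that is not on the allowlist. Names are compared case-insensitively."""
    allow = {n.lower() for n in known_good}
    findings = []
    for rel in SUSPECT_DIRS:
        folder = os.path.join(basedir, rel)
        if not os.path.isdir(folder):
            continue
        for name in sorted(os.listdir(folder)):
            full = os.path.join(folder, name)
            if not os.path.isfile(full) or not name.lower().endswith(".dll"):
                continue
            if name.lower() in allow:
                continue
            findings.append((os.path.join(rel, name), os.path.getsize(full)))
    return findings


def build_sample_install():
    """Constructed MySQL base directory for the demo: one legitimate DLL, one
    randomly named DLL dropped into Lib\\plugin, and a non-DLL file in Bin."""
    base = tempfile.mkdtemp(prefix="mysql-demo-")
    layout = {
        os.path.join("Lib", "libmysql.dll"): b"MZlegit",
        os.path.join("Lib", "plugin", "xk4q9a2z.dll"): b"MZ" + b"\x90" * 64,
        os.path.join("Bin", "mysqld.exe"): b"MZserver",
    }
    for rel, content in layout.items():
        path = os.path.join(base, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(content)
    return base


if __name__ == "__main__":
    for rel, size in find_suspect_dlls(build_sample_install()):
        print(f"SUSPECT: {rel} ({size} bytes)")
```

On a real server, point it at the MySQL base directory and cross-check every hit against the UDFs registered in the mysql.func table, since a dropped DLL only becomes callable once a CREATE FUNCTION has registered it.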

This campaign is actively used in the wild against US and Chinese victims

Symantec telemetry data confirms that this campaign is still active in the wild, with most infected MySQL servers located in India, China, Brazil, Holland, and the US.

DDoS attacks detected originating from these MySQL servers have targeted a US-based hosting provider, and an IP address in China.

The reason hackers are targeting and infecting MySQL servers is connected to their widespread adoption, a large collection of readily available MySQL vulnerabilities disclosed by security researchers, and the easy availability of hacking tools specifically designed to target flaws in MySQL servers.

Additionally, because MySQL servers exchange large volumes of data with other servers inside a company's IT infrastructure, they usually have more bandwidth allocated to them, which can be abused to carry out higher-volume DDoS attacks than Web servers, home PCs, or IoT devices could deliver.

UPDATE: The malware only infects MySQL servers running on Windows.

Image: Hackers hijack MySQL servers for their DDoS botnet
Image: Location of infected MySQL servers