Specialists of AhnLab Security Emergency Response Center (ASEC) warnedthat MySQL servers are being attacked by the Ddostf botnet, which operates under the DDoS-as-a-Service scheme (DDoS-as-a-service). That is, the power of the botnet is rented out to other cybercriminals.
Ddostf is a botnet of Chinese origin, first discovered by information security specialists about seven years ago and targeting Linux and Windows systems. On Windows, the malware hardens itself by registering as a system service when first launched, and then decrypts its C&C configuration to establish a connection.
The malware profiles the infected host and sends data (such as frequency and number of processor cores, information about language, Windows version, network speed, and so on) to its control server. In response, the server can give the client commands to organize DDoS attacks, including SYN Flood, UDP Flood and HTTP GET/POST Flood, request to stop transmitting information about the system state, switch the bot to a new C&C address, give commands to download and execute new payloads .
Researchers say that the creators of Ddostf are now scanning the Internet in search of available MySQL servers and trying to hack them by brute-forcing administrator credentials.
On successfully compromised servers, attackers use UDF to execute commands. UDF is a MySQL feature that allows users to define functions in C or C++ and compile them into a DLL file that extends the server’s capabilities.
In this case, attackers create their own UDFs and register them on the server in the form of a DLL file (amd.dll) with the following malicious functions:
- downloading a payload, such as the DDoS bot Ddostf, from a remote server;
- execution of arbitrary commands from attackers at the system level;
- outputting the results of command execution to a temporary file and sending it to attackers.
Abuse of UDF facilitates the download of the main payload, the Ddostf bot client, but can potentially enable the installation of other malware, data theft, the introduction of backdoors for persistent access, and so on.
ASEC recommends that MySQL administrators install updates promptly and choose long, unique passwords to protect administrator accounts from brute force and dictionary attacks.