Contributor: Ayush Anand
We’ve discovered malware that targeted MySQL servers to make them conduct distributed denial-of-service (DDoS) attacks against other websites. The attackers initially injected a malicious user-defined function (Downloader.Chikdos) into servers in order to compromise them with the Trojan.Chikdos.A DDoS malware.
According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.
Figure. Infections of Downloader.Chikdos and Trojan.Chikdos.A by region
Our analysis found that the compromised servers were being used to launch DDoS attacks against a Chinese IP address and a US hosting provider.
Using a malicious user-defined function
A user-defined function (UDF) is compiled code that can be called from within MySQL to accomplish some function beyond what the database management system can offer. The UDF lives as a file on the server’s file system.
Using malicious UDFs to gain access to MySQL servers is not a new activity. Matthew Zimmerman comprehensively documented the approach in this report. In this technique, an attacker creates a UDF which implements some malicious activity, such as downloading malware or creating a remote shell. The attacker then installs the UDF onto the targeted MySQL server through an SQL injection attack.
If the attacker is able to execute SQL commands, they can use the DUMP parameter (SELECT ... INTO DUMPFILE) to write the UDF file onto the server’s file system, then load it into MySQL. Once the UDF is registered and called, whatever malicious code the attacker created is run.
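The technique above leaves two things a defender can look for: a UDF registered in the mysql.func table that points at a library the administrator never installed, and a server configuration that lets a FILE-privileged account write into the plugin directory in the first place. The following audit helper is an added example, not code from the original post or from Symantec. The rows and variables it consumes are constructed to mimic the output of `SELECT name, dl FROM mysql.func` and `SHOW VARIABLES`; in practice they would be fetched with a MySQL client, and the allow-list of known libraries is an assumption a site fills in for itself.

```python
"""Audit MySQL UDF registrations and file-write settings for UDF abuse.

Added example (not part of the original post). All sample data below is
constructed; KNOWN_LIBRARIES is an assumed site-specific allow-list.
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    severity: str
    message: str


# Constructed rows, shaped like: SELECT name, dl FROM mysql.func
SAMPLE_FUNC_ROWS = [
    ("lib_mysqludf_sys_info", "lib_mysqludf_sys.dll"),  # library the admin knows about
    ("xpdl3", "ae3f91c0d27b.dll"),                       # constructed random-looking library
]

# Constructed server variables, shaped like: SHOW VARIABLES
SAMPLE_VARIABLES = {
    "plugin_dir": r"C:\Program Files\MySQL\MySQL Server 5.5\lib\plugin" + "\\",
    "secure_file_priv": "",  # empty means SELECT ... INTO DUMPFILE may write anywhere
}

# Assumption: libraries the administrator deliberately installed.
KNOWN_LIBRARIES = {"lib_mysqludf_sys.dll"}

# Heuristic for the "randomly named .dll" pattern described in the post:
# a long stem mixing letters and digits, with no underscore-separated words.
_RANDOM_STEM = re.compile(r"^(?=.*\d)(?=.*[a-z])[0-9a-z]{8,}$", re.IGNORECASE)


def looks_random(filename: str) -> bool:
    """True if the library file name looks machine-generated rather than descriptive."""
    stem = filename.rsplit(".", 1)[0]
    return bool(_RANDOM_STEM.match(stem))


def audit_udfs(func_rows, variables, known_libraries) -> list[Finding]:
    """Return findings for unexpected UDF libraries and permissive file-write settings."""
    findings: list[Finding] = []

    secure_file_priv = variables.get("secure_file_priv", "")
    plugin_dir = variables.get("plugin_dir", "")
    if secure_file_priv == "":
        findings.append(Finding(
            "high",
            "secure_file_priv is empty: accounts with FILE privilege can write into plugin_dir",
        ))
    elif plugin_dir.lower().startswith(secure_file_priv.lower()):
        findings.append(Finding(
            "high",
            f"secure_file_priv ({secure_file_priv}) covers plugin_dir ({plugin_dir})",
        ))

    for name, dl in func_rows:
        if dl in known_libraries:
            continue
        severity = "high" if looks_random(dl) else "medium"
        findings.append(Finding(
            severity,
            f"UDF {name!r} loads unapproved library {dl!r} from plugin_dir",
        ))
    return findings


if __name__ == "__main__":
    for f in audit_udfs(SAMPLE_FUNC_ROWS, SAMPLE_VARIABLES, KNOWN_LIBRARIES):
        print(f"[{f.severity}] {f.message}")
```

A clean server normally has an empty mysql.func table, so any row at all deserves a look; the allow-list only exists so that legitimately installed UDF libraries do not page someone every run. Setting secure_file_priv to a directory outside plugin_dir (or to NULL to disable file export entirely) removes the write path this campaign depended on.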
Chikdos attack technique
Chikdos was first documented by CERT.PL in December 2013, where the threat was discovered targeting both Linux and Windows. The Linux version was installed onto computers that had been compromised by a Secure Shell (SSH) dictionary attack.
In the latest Chikdos campaign that we observed, the attackers likely used an automated scanner or possibly a worm to compromise MySQL servers and install the UDF. However, the exact infection vector has not been identified. Once the servers were infected, the UDF downloaded a DDoS tool, which is a variant of Trojan.Chikdos.A.
Variants of Downloader.Chikdos are often randomly named .dll files. They may be located in the following sub-folders of the MySQL installation on servers:
When the downloader is executed through MySQL, it modifies registry entries as follows to enable TerminalServices:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\"Enabled" = "0"
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"EnableAdminTSRemote" = "1"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\"Start" = "2"
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\"Start" = "2"
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"TSEnabled" = "1"
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"
TerminalServices allows a user to control a computer or server remotely. Once the attackers have this access, their malware downloads files from URLs that are hardcoded in the malware.
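The six registry values above are a concrete artifact an incident responder can check for. The script below is an added example (not code from the original post or from Symantec): it parses a `reg export` style text dump of the relevant hives, normalizes key case (the registry is case-insensitive, which is why the post's paths mix SYSTEM and System), and reports which of the listed values are set exactly as the downloader sets them. The .reg text it reads is constructed for the example.

```python
"""Match a registry export against the Terminal Services values the downloader sets.

Added example (not part of the original post). SAMPLE_REG_EXPORT is constructed.
"""
import re

# Indicators exactly as listed in the post: (key path, value name, expected data).
CHIKDOS_REGISTRY_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache", "Enabled", "0"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer", "EnableAdminTSRemote", "1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD", "Start", "2"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService", "Start", "2"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server", "TSEnabled", "1"),
    (r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server", "fDenyTSConnections", "0"),
]

# Constructed excerpt in the format produced by `reg export`.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"TSEnabled"=dword:00000001
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache]
"Enabled"=dword:00000001
"""

_VALUE_LINE = re.compile(r'^"([^"]+)"=(.*)$')


def _normalize_data(data: str) -> str:
    """Reduce dword:XXXXXXXX and quoted strings to the plain form used in the indicators."""
    if data.lower().startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return data[1:-1]
    return data  # hex(...) and other types are left as written


def parse_reg_export(text: str) -> dict[tuple[str, str], str]:
    """Map (lower-cased key path, lower-cased value name) -> normalized data."""
    values: dict[tuple[str, str], str] = {}
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1].lower().rstrip("\\")
            continue
        m = _VALUE_LINE.match(line)
        if current_key is None or not m:
            continue
        values[(current_key, m.group(1).lower())] = _normalize_data(m.group(2))
    return values


def match_indicators(values, indicators=CHIKDOS_REGISTRY_INDICATORS):
    """Return the indicators whose key/value/data all match the export."""
    matched = []
    for key, name, expected in indicators:
        if values.get((key.lower(), name.lower())) == expected:
            matched.append((key, name, expected))
    return matched


if __name__ == "__main__":
    hits = match_indicators(parse_reg_export(SAMPLE_REG_EXPORT))
    for key, name, data in hits:
        print(f"match: {key}\\{name} = {data}")
    print(f"{len(hits)} of {len(CHIKDOS_REGISTRY_INDICATORS)} indicators present")
```

These values are also what a legitimately configured Remote Desktop host looks like, so a match is a lead to correlate with the server's change baseline (and with the new-account and UDF checks elsewhere in this post), not a verdict on its own.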
The analyzed samples downloaded two files. Modified versions of the downloader added a new user called "qianhua" to the system.
The files that the samples downloaded were both variants of Trojan.Chikdos. They appeared to be hosted on two compromised websites. We assume that two were used so that the download would still succeed if one site was disabled by the legitimate owner of the hosting server.
The analyzed variant of Trojan.Chikdos.A differs little from the one that CERT.PL previously described. Variants of this threat can be identified by the PDB string in the samples, which contains the value "Chicken".
The identified active command-and-control (C&C) servers for Chikdos are as follows:
Why SQL servers?
Given that Trojan.Chikdos.A is used to perform DDoS attacks from the infected system, we believe that the attackers compromised MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets.
MySQL is also the second most popular database management system in the world, giving the attackers a wide range of potential targets.
To protect against these types of attacks, SQL servers should not be run with administrator privileges where possible. Applications that use the SQL server should be patched regularly and follow good programming practices to mitigate SQL injection vulnerabilities. Check for the presence of new user accounts and ensure that remote access services are configured securely.
Norton Security, Symantec Endpoint Protection, and other Symantec security products protect users against these threats through the following detections:
The hashes for these threats are as follows: