Hackers infect MySQL servers with malware for DDoS attacks

Hackers are exploiting SQL injection flaws to infect MySQL database servers with a malware program that's used to launch distributed denial-of-service (DDoS) attacks.


Security researchers from Symantec found MySQL servers in different countries infected with a malware program dubbed Chikdos that has variants for both Windows and Linux.

This Trojan is not new and was first documented in 2013 by incident responders from the Polish Computer Emergency Response Team (CERT.PL). At that time the malware was being installed on servers after using brute-force dictionary attacks to guess SSH (Secure Shell) login credentials.
However, the new attacks observed by Symantec abuse the user-defined function (UDF) capability of the MySQL database engine. UDF allows developers to extend the functionality of MySQL with compiled code.

Symantec believes that attackers exploit SQL injection vulnerabilities in order to inject malicious UDF code in databases. They then use the DUMP SQL command to save the injected code as a library file that is later executed by the MySQL process.

The malicious UDF code downloads and installs the Chikdos Trojan, which allows attackers to abuse the server's bandwidth for DDoS attacks.

The Symantec researchers found MySQL servers infected with Chikdos in many countries, including India, China, Brazil, Netherlands, the U.S., South Korea, Mexico, Canada, Italy, Malaysia, Nigeria and Turkey. The largest concentrations were in India and China, 25 and 15 percent respectively.

During their analysis the researchers saw the servers being used to launch DDoS attacks against a U.S. hosting provider and a Chinese IP address.
The reason for targeting MySQL servers is likely because their bandwidth is considerably larger than that of regular PCs, making them more suitable for large DDoS campaigns, the Symantec researchers said in a blog post.

To prevent such attacks, website owners should avoid running SQL servers with administrative privileges and should follow best programming practices for mitigating SQL injection vulnerabilities, they said.