The AhnLab Security Emergency Response Center (ASEC) has confirmed that a DDoS botnet known as 'Ddostf', first observed seven years ago, is actively targeting MySQL servers. ASEC's threat monitoring shows the operators gaining access in two ways: brute-force and dictionary attacks against weak administrative passwords, and exploitation of unpatched vulnerabilities in exposed servers.
Understanding the Exploitation Technique
On Windows MySQL servers, the Ddostf operators abuse a legitimate MySQL feature, User-Defined Functions (UDFs), to execute commands on the compromised host. A UDF is written in C or C++, compiled into a shared library (a DLL on Windows), placed in the server's plugin directory and registered with CREATE FUNCTION; once registered it can be called from SQL like any built-in function, and it runs with the privileges of the mysqld process.
The attackers turn this around: they write their own DLL onto the server, register its functions as UDFs, and use those functions to retrieve and launch their primary payload, the Ddostf bot client. Because the same functions give arbitrary command execution, the foothold is not limited to the DDoS bot. It can equally be used to drop further malware, exfiltrate data, or plant backdoors for persistence.
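The staging chain described above, as an added detection example that is not part of the original article or of ASEC's research: a Python scanner run over constructed lines in the shape of the MySQL general query log. It flags a lookup of @@plugin_dir, a file written into the plugin directory with INTO DUMPFILE or INTO OUTFILE, a CREATE FUNCTION ... SONAME registration (escalated when it names a file the same log shows being written earlier), and later calls to the registered function. The plugin path, the hosts, the UDF name run_cmd and the file udf.dll are hypothetical.

```python
"""Flag the MySQL UDF staging chain in general-query-log lines.

The chain is: find plugin_dir, write a DLL there with INTO DUMPFILE,
register it with CREATE FUNCTION ... SONAME, then call the function.
Each step yields a finding; the registration step is escalated when it
references a file the same log shows being written earlier.
"""
import re

# Constructed lines in the shape of the MySQL general query log
# (timestamp, thread id, command type, argument). Hosts, the plugin path,
# the UDF name run_cmd and the file udf.dll are hypothetical.
SAMPLE_LOG = [
    r"2023-11-20T09:41:03.123456Z   12 Connect  root@203.0.113.7 on  using TCP/IP",
    r"2023-11-20T09:41:04.001122Z   12 Query    SELECT @@plugin_dir",
    r"2023-11-20T09:41:05.228811Z   12 Query    SELECT 0x4D5A9000 INTO DUMPFILE 'C:\\ProgramData\\MySQL\\MySQL Server 8.0\\lib\\plugin\\udf.dll'",
    r"2023-11-20T09:41:06.002211Z   12 Query    CREATE FUNCTION run_cmd RETURNS INTEGER SONAME 'udf.dll'",
    r"2023-11-20T09:41:07.114455Z   12 Query    SELECT run_cmd('whoami')",
    r"2023-11-20T09:42:00.000000Z   13 Connect  app@10.0.0.5 on shop using TCP/IP",
    r"2023-11-20T09:42:01.000000Z   13 Query    SELECT id, name FROM products WHERE id = 42",
]
PLUGIN_DIR = r"C:\ProgramData\MySQL\MySQL Server 8.0\lib\plugin"  # hypothetical @@plugin_dir

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>[A-Za-z]+)\s*(?P<arg>.*)$")
PLUGIN_DIR_RE = re.compile(r"@@(?:global\.)?plugin_dir\b", re.IGNORECASE)
DUMPFILE_RE = re.compile(r"INTO\s+(?:DUMP|OUT)FILE\s+'(?P<path>[^']+)'", re.IGNORECASE)
CREATE_FN_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(?P<name>\w+)`?"
    r"\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']+)'",
    re.IGNORECASE,
)


def norm_path(path):
    """Collapse SQL-escaped backslashes, unify separators and case (Windows paths)."""
    return path.replace("\\\\", "\\").replace("\\", "/").lower().rstrip("/")


def scan_general_log(lines, plugin_dir):
    """Return findings as (timestamp, user@host, kind, detail) tuples, in log order."""
    plugin_dir = norm_path(plugin_dir)
    who = {}           # thread id -> user@host taken from its Connect line
    staged = set()     # basenames of files written into plugin_dir
    registered = {}    # lower-cased UDF name -> library basename
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, tid, cmd, arg = m["ts"], m["tid"], m["cmd"], m["arg"]
        if cmd == "Connect":
            who[tid] = arg.split(" on", 1)[0]
            continue
        if cmd != "Query":
            continue
        user = who.get(tid, "?")
        if PLUGIN_DIR_RE.search(arg):
            findings.append((ts, user, "PLUGIN_DIR_LOOKUP", ""))
        d = DUMPFILE_RE.search(arg)
        if d:
            path = norm_path(d["path"])
            if path.startswith(plugin_dir + "/"):  # only writes into the plugin dir matter here
                base = path.rsplit("/", 1)[-1]
                staged.add(base)
                findings.append((ts, user, "FILE_WRITE_TO_PLUGIN_DIR", base))
        c = CREATE_FN_RE.search(arg)
        if c:
            lib = norm_path(c["lib"]).rsplit("/", 1)[-1]
            registered[c["name"].lower()] = lib
            kind = "UDF_REGISTERED_FROM_STAGED_FILE" if lib in staged else "UDF_REGISTERED"
            findings.append((ts, user, kind, f"{c['name']}<-{lib}"))
            continue
        for name in registered:  # UDFs are server-global, so any thread may call them
            if re.search(rf"\b{re.escape(name)}\s*\(", arg, re.IGNORECASE):
                findings.append((ts, user, "UDF_INVOKED", name))
    return findings


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG, PLUGIN_DIR):
        print(*finding)
```

The scanner needs the general log enabled (general_log=ON), which is costly on a busy server; the same four patterns can be searched for in an audit-plugin stream instead. The point of the escalation is that an administrator installing a UDF copies the library in out of band, so a registration that references a file the server itself just wrote is close to unambiguous.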
Capabilities of the Ddostf Bot
Ddostf is built to survive takedowns: on command it can switch to a different command-and-control (C2) server, so seizing one C2 does not sever control of infected hosts. On connecting it sends the C2 a system profile, including CPU model, system language, operating system version and network capability, and then runs the Distributed Denial of Service (DDoS) attacks it is told to, such as SYN floods, UDP floods and HTTP GET/POST floods.
Mitigation and Protection Measures
ASEC advises MySQL administrators to keep servers patched and to set strong, unique passwords on administrative accounts, which closes both entry paths this campaign relies on: dictionary and brute-force attacks against weak credentials, and known vulnerabilities in outdated versions. Two further checks follow from the technique itself. Writing a DLL through the server requires the FILE privilege and a plugin directory that the mysqld process can write to, so grant FILE sparingly and keep the plugin directory read-only to the server account. And SELECT * FROM mysql.func lists every registered UDF, so any entry an administrator did not create is a sign of compromise. With organizations ever more dependent on database servers, and a botnet of Ddostf's reach and persistence active against them, sustained vigilance and these basic controls are warranted.
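The credential-guessing entry path, as an added detection example that is not from the article or from ASEC: a Python sliding-window counter run over constructed lines in the shape of the MySQL 8.0 error log. It reports every source host whose "Access denied for user" events reach a threshold inside one window, together with the peak count and the account names tried; a host cycling through several administrative names is the dictionary-attack pattern the article describes. The hosts, account names and timestamps are hypothetical.

```python
"""Find brute-force sources in MySQL error-log lines.

Counts 'Access denied for user' events per source host in a sliding time
window; a host that reaches the threshold inside one window is reported
with its peak count and every account name it tried.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed lines in the shape of the MySQL 8.0 error log; hosts and
# account names are hypothetical.
SAMPLE_ERROR_LOG = [
    "2023-11-20T09:40:51.000000Z 10 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2023-11-20T09:40:52.000000Z 11 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: YES)",
    "2023-11-20T09:40:53.000000Z 12 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2023-11-20T09:40:54.000000Z 13 [Note] [MY-010926] [Server] Access denied for user 'admin'@'203.0.113.7' (using password: YES)",
    "2023-11-20T09:40:55.000000Z 14 [Note] [MY-010926] [Server] Access denied for user 'mysql'@'203.0.113.7' (using password: YES)",
    "2023-11-20T09:40:56.000000Z 15 [Note] [MY-010926] [Server] Access denied for user 'root'@'203.0.113.7' (using password: NO)",
    "2023-11-20T09:41:10.000000Z 16 [Note] [MY-010926] [Server] Access denied for user 'app'@'10.0.0.5' (using password: YES)",
    "2023-11-20T09:41:12.000000Z 0 [Warning] [Server] constructed noise line, not an authentication failure",
]

DENIED_RE = re.compile(
    r"^(?P<ts>\S+)\s+\d+\s+\[\w+\].*?Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_ts(ts):
    """MySQL writes UTC timestamps with a trailing Z; strip it for fromisoformat."""
    return datetime.fromisoformat(ts.rstrip("Z"))


def brute_force_sources(lines, threshold=5, window_s=60):
    """Return [(host, peak_failures_in_window, sorted_account_names)] for every
    host whose failed logins inside some window_s-second span reach threshold."""
    recent = defaultdict(deque)  # host -> failure timestamps inside the current window
    peak = {}                    # host -> highest in-window count observed
    users = defaultdict(set)     # host -> account names attempted
    for line in lines:
        m = DENIED_RE.search(line)
        if not m:
            continue
        t, host = parse_ts(m["ts"]), m["host"]
        q = recent[host]
        q.append(t)
        while (t - q[0]).total_seconds() > window_s:  # drop failures older than the window
            q.popleft()
        users[host].add(m["user"])
        peak[host] = max(peak.get(host, 0), len(q))
    return [(h, n, sorted(users[h])) for h, n in peak.items() if n >= threshold]


if __name__ == "__main__":
    for host, count, names in brute_force_sources(SAMPLE_ERROR_LOG):
        print(f"{host}: {count} failures in window, accounts tried: {', '.join(names)}")
```

On MySQL 8.0 these access-denied notes reach the error log only when log_error_verbosity is set to 3, so check that before relying on the log. The server-side counterpart of this check is the connection_control plugin, which delays responses to an account/host pair once its consecutive failures exceed connection_control_failed_connections_threshold; the scanner above is still useful because it names the source so it can be blocked at the firewall, and it shows which accounts were targeted, which is the list to prioritize for password changes.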