Cyber Security Threat Summary:
The ‘Ddostf’ malware botnet is attacking MySQL servers to turn them into a DDoS service. AhnLab Security Emergency Response Center (ASEC) discovered this while tracking threats against database servers. Ddostf infiltrates MySQL servers either through vulnerabilities in unpatched systems or by cracking weak administrator account passwords. The attackers scan the internet for exposed MySQL servers and attempt to breach them by brute-forcing administrator credentials.
For Windows MySQL servers, the attackers abuse a feature called user-defined functions (UDFs) to execute commands on the compromised system. UDFs are a MySQL feature that lets users define their own functions, extending the server’s capabilities. Attackers create their own UDFs as malicious DLL files, enabling actions like downloading the Ddostf malware, executing commands, and sending the results back to the attackers. This abuse of UDFs is what allows the bot client to be loaded, and it could also facilitate other malicious activities such as malware installation, data exfiltration, the creation of backdoors for persistent access, and more.
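As an added defensive example (not from ASEC’s report or the original post), the following Python script scans a constructed MySQL general query log for `CREATE FUNCTION ... SONAME` statements that register a UDF from a shared library outside an assumed allowlist, and then flags every later call to such a UDF. The log entries, the library names and the allowlist are all assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a MySQL general query log written to a file
# ("<timestamp>\t<thread id> <command>\t<argument>"); not real server output.
SAMPLE_GENERAL_LOG = """\
2023-11-20T09:12:01.001Z\t   17 Connect\tdbadmin@203.0.113.5 on  using TCP/IP
2023-11-20T09:12:03.450Z\t   17 Query\tCREATE FUNCTION runcmd RETURNS STRING SONAME 'helper.dll'
2023-11-20T09:12:05.100Z\t   17 Query\tSELECT runcmd('ver')
2023-11-20T09:40:00.000Z\t   22 Query\tCREATE FUNCTION fnv1a_64 RETURNS INTEGER SONAME 'udf_example.so'
2023-11-20T09:41:00.000Z\t   22 Query\tSELECT * FROM orders LIMIT 10
"""

# Assumed allowlist of shared libraries an administrator deliberately installed
# in plugin_dir; any other library registered via SONAME is treated as suspect.
ALLOWED_SONAMES = frozenset({"udf_example.so"})
LINE_RE = re.compile(r"^(\S+)\t\s*(\d+)\s+(\w+)\t(.*)$")
CREATE_UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)

@dataclass
class Finding:
    time: str
    thread: int
    reason: str
    query: str

def scan_general_log(log_text, allowed_sonames=ALLOWED_SONAMES):
    """Flag UDF registrations from non-allowlisted libraries and later calls to them."""
    findings = []
    suspect_udfs = set()  # names of UDFs backed by a library outside the allowlist
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":  # only SQL statements are of interest here
            continue
        ts, thread, _, query = m.groups()
        created = CREATE_UDF_RE.search(query)
        if created:
            name, soname = created.group(1).lower(), created.group(2)
            if soname not in allowed_sonames:
                suspect_udfs.add(name)
                findings.append(Finding(ts, int(thread), f"UDF '{name}' registered from unapproved library '{soname}'", query))
            continue
        for name in suspect_udfs:  # any invocation of a suspect UDF is worth an alert
            if re.search(rf"\b{re.escape(name)}\s*\(", query, re.IGNORECASE):
                findings.append(Finding(ts, int(thread), f"call to suspect UDF '{name}'", query))
    return findings

FINDINGS = scan_general_log(SAMPLE_GENERAL_LOG)  # two findings on the constructed sample
```

The same check can be run against a `mysql.func` table dump instead of the general log, since every surviving UDF registration is recorded there with its library name.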
Security Officer Comments:
The Ddostf botnet is of Chinese origin and targets both Linux and Windows systems. On Windows, it establishes itself as a system service, decrypts its C2 configuration, sends system information to its C2, and receives DDoS attack commands such as SYN Flood, UDP Flood, and HTTP GET/POST Flood attacks. ASEC notes that Ddostf’s ability to switch to new C2 addresses makes it resilient against takedowns, setting it apart from other DDoS botnet malware.
Researchers at ASEC have published the following mitigations:
- Administrators should use passwords that are difficult to guess for their accounts and change them periodically to protect the database server from brute force attacks and dictionary attacks.
- They should also apply the latest patches to prevent attacks that exploit known vulnerabilities.
- Administrators should also use security programs such as firewalls for externally accessible database servers to restrict access from external threat actors.