Symantec researchers found that MySQL servers around the globe are infected with a malware program dubbed Chikdos, which has variants for both Windows and Linux and is capable of launching distributed denial of service (DDoS) attacks.
Although the researchers' statement did not confirm that MySQL servers worldwide were deliberately targeted, it did stress that the attackers are exploiting SQL injection flaws to infect the affected MySQL servers, which are spread across the world.
Symantec says this Trojan was first discovered in 2013 by incident responders at the Polish Computer Emergency Response Team (CERT.PL). At that time the malware was reported to be installed on servers after brute-force dictionary attacks had been used to guess SSH (Secure Shell) login credentials.
The new attack observed by Symantec abuses the user-defined function (UDF) capability of the MySQL database engine. UDFs allow developers to extend the functionality of MySQL with compiled code.
Symantec believes the attackers exploit SQL injection vulnerabilities to inject malicious UDF code into databases. They then use the SQL DUMP command to save the injected code as a library file, which the MySQL process later loads and executes.
The malicious UDF code downloads and installs the Chikdos Trojan, which allows attackers to abuse the server’s bandwidth for DDoS attacks.
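The two-step chain described above (a library file written through the server's file-export statement, then registered as a UDF) leaves a recognisable trace in the MySQL general query log. The following detector is an added example for this article, not code from Symantec or from the Chikdos analysis. It assumes a simplified general-log layout of `<timestamp> <thread id> <command> <argument>`, and the sample log lines, file paths and the function name `udf_entry` are constructed for the demonstration.

```python
import re
from dataclasses import dataclass

# Assumed general-log line layout: "<timestamp> <thread id> <command> <argument>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
# SELECT ... INTO DUMPFILE writes raw bytes to a path on the server's filesystem.
DUMPFILE = re.compile(r"\bINTO\s+DUMPFILE\s+'(?P<path>[^']*)'", re.IGNORECASE)
# CREATE FUNCTION ... SONAME registers a UDF backed by a shared library in the plugin directory.
UDF_CREATE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>\w+)\s+RETURNS\s+\w+\s+SONAME\s+'(?P<lib>[^']*)'",
    re.IGNORECASE,
)
LIBRARY_SUFFIXES = (".so", ".dll")

# Constructed sample log (not from Symantec's report): thread 13 writes a library
# into the plugin directory and then registers it as a UDF; the other threads are benign.
SAMPLE_LOG = """\
2015-10-28T10:01:02 12 Query SELECT name, price FROM products WHERE id = 42
2015-10-28T10:01:05 13 Query SELECT @payload INTO DUMPFILE '/usr/lib/mysql/plugin/udf_helper.so'
2015-10-28T10:01:06 13 Query CREATE FUNCTION udf_entry RETURNS INTEGER SONAME 'udf_helper.so'
2015-10-28T10:02:11 14 Query SELECT COUNT(*) FROM orders
"""


@dataclass
class Finding:
    thread: str   # MySQL connection/thread id that issued the statement
    rule: str     # which detection rule fired
    detail: str   # path, function name or explanation


def parse_line(line):
    """Split one general-log line into its fields, or return None if it does not fit the layout."""
    m = LOG_LINE.match(line)
    return m.groupdict() if m else None


def scan_general_log(text):
    """Return findings for DUMPFILE writes, UDF registrations and the combined install chain."""
    findings = []
    libraries_written = {}  # thread id -> set of library file names it wrote with DUMPFILE
    for raw in text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        thread, sql = rec["thread"], rec["arg"]

        m = DUMPFILE.search(sql)
        if m:
            path = m.group("path")
            # Writing a shared library is far more suspicious than exporting a data file.
            rule = "dumpfile_library_write" if path.lower().endswith(LIBRARY_SUFFIXES) else "dumpfile_write"
            findings.append(Finding(thread, rule, path))
            libraries_written.setdefault(thread, set()).add(path.rsplit("/", 1)[-1])

        m = UDF_CREATE.search(sql)
        if m:
            name, lib = m.group("name"), m.group("lib")
            findings.append(Finding(thread, "udf_registration", f"{name} -> {lib}"))
            # Both steps in one session are the signature of the UDF abuse described in the article.
            if lib in libraries_written.get(thread, set()):
                findings.append(Finding(thread, "udf_install_chain",
                                        f"{lib} was written via DUMPFILE by this session before being registered"))
    return findings


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"thread {f.thread}: {f.rule}: {f.detail}")
```

The correlation by thread id matters: a lone DUMPFILE export to a data file is routine on many servers, while a library write followed by a SONAME registration from the same session is exactly the sequence the article describes and should page an on-call engineer. Running the detector over the sample produces three findings, all for thread 13.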
According to Symantec, servers in China, India, the USA, South Korea, Mexico, Canada, Italy, Malaysia, Nigeria, Turkey, Brazil, and the Netherlands have been infected with this Trojan.
During Symantec's analysis, the infected servers were found launching DDoS attacks against a US hosting provider with a Chinese IP address, although the attack traffic appeared to originate from the African region.
Because MySQL servers typically have high bandwidth, DDoS campaigns launched from them cause more damage than those launched from ordinary servers.
Symantec advised that website owners should avoid running SQL servers with admin privileges and should follow secure programming practices to mitigate SQL injection vulnerabilities.