In a new twist on an old problem, online criminals have been found leveraging SQL injection vulnerabilities to register user-defined functions (UDFs) on MySQL servers. The UDFs are used to install malware that lets attackers use the large amounts of bandwidth typically available to database servers to launch distributed denial of service attacks.
MySQL is a hugely popular relational database that is used on many millions of websites and web applications — everything from WordPress blogs to enterprise eCommerce operations rely on one or more MySQL databases to manage data.
The exact vector of the attack has yet to be discovered, but it’s suspected that SQL injection attacks are the first step. SQL injection attacks exploit flaws in application design to make database servers like MySQL execute attacker-supplied SQL. In this case, the attackers may be using SQL injection or some other means to cause database servers to run a User Defined Function.
User Defined Functions are, as the name suggests, functions created by database users to add functionality that wouldn’t otherwise exist. They’re written in C or C++, compiled into shared libraries, and typically stored on the server’s filesystem in its plugin directory. UDFs are useful because they are fast compared to stored procedures and, unlike native functions, easy to develop without rebuilding the server.
In this case, attackers are exploiting UDFs to cause database servers to download malicious software that gives the attacker control over the server. In the attack documented by Symantec, the Chikdos Trojan is installed and used to initiate denial of service attacks against targets in the US, China, and elsewhere. One of the US victims is a web hosting company.
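From the defender's side, the attack described above leaves a trace in the server's UDF registry. The following is an added example, not code from the article or from Symantec, that audits the entries MySQL keeps in its mysql.func table and flags libraries that nobody deployed on purpose; the allowlist, plugin directory and sample rows are constructed assumptions.

```python
from dataclasses import dataclass

# Added example (not from the article): audit the UDFs registered on a MySQL server.
# On a real server the rows come from   SELECT name, dl FROM mysql.func;
# and the plugin directory from         SHOW VARIABLES LIKE 'plugin_dir';

# Assumption: the UDF libraries your deployment legitimately ships (hypothetical name).
APPROVED_LIBRARIES = {"lib_mysqludf_fs.so"}


@dataclass
class Finding:
    udf_name: str
    library: str
    reason: str


def audit_udfs(rows, plugin_dir, files_in_plugin_dir, approved=APPROVED_LIBRARIES):
    """Return a Finding for every mysql.func entry that does not look legitimate.

    rows: (name, dl) pairs as stored in mysql.func
    plugin_dir: value of the plugin_dir server variable
    files_in_plugin_dir: set of file names actually present in plugin_dir
    """
    findings = []
    for name, dl in rows:
        # MySQL only loads UDF libraries from plugin_dir and rejects sonames that
        # contain path components; an entry with a path was written straight into
        # mysql.func or inherited from a very old server, so it is always suspect.
        if "/" in dl or "\\" in dl:
            findings.append(Finding(name, dl, "library name contains a path component"))
            continue
        if dl not in approved:
            # A library nobody deployed on purpose is what the attack looks like
            # from the server side: a new .so appears in plugin_dir and gets registered.
            findings.append(Finding(name, dl, "library is not on the approved list"))
        if dl not in files_in_plugin_dir:
            # Dangling registration: the file was removed after loading or never existed.
            findings.append(Finding(name, dl, f"library not found in {plugin_dir}"))
    return findings


# Constructed sample data so the script runs stand-alone.
SAMPLE_PLUGIN_DIR = "/usr/lib/mysql/plugin/"
SAMPLE_ROWS = [
    ("fs_read", "lib_mysqludf_fs.so"),  # approved and present: no finding
    ("run_cmd", "libudf_x1.so"),        # unknown library that is present in plugin_dir
    ("old_fn", "/tmp/libold.so"),       # path component in the soname
    ("ghost", "libghost.so"),           # unknown and missing from plugin_dir
]
SAMPLE_FILES = {"lib_mysqludf_fs.so", "libudf_x1.so"}


def run_sample():
    return audit_udfs(SAMPLE_ROWS, SAMPLE_PLUGIN_DIR, SAMPLE_FILES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.udf_name:10} {f.library:22} {f.reason}")
```

Feed it the real query results and a directory listing of plugin_dir and any finding is a UDF that deserves a look before it is trusted.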
If the attacks rely on SQL injection, then the mitigation is to follow secure coding practices when developing web applications and ensure that SQL injection is not possible.
SQL injection attacks are not the only potential vector for the Chikdos malware, which was first discovered on machines compromised by brute force attacks against SSH servers. This is the same method used by the XOR botnet, which has been getting headlines recently as the cause of multiple hundred gigabyte denial of service attacks.
There’s no reason at all that a properly configured Linux server should be vulnerable to this sort of brute force attack; mitigation here is straightforward — use long, random passwords or move away from passwords to key-based logins. Any sufficiently complex password will render brute force attacks useless — attackers are looking for the low-hanging fruit.