MySQL.com Hit By Malware Infection

Unknown attackers compromised the main website of open-source database MySQL and served malware to unsuspecting visitors for a short period of time on 26 September.

Attackers injected JavaScript code on MySQL.com, owned by Oracle, to divert visitors to malicious websites hosting the BlackHole exploit kit, which automatically downloaded malware to the victimised computers, according to Wayne Huange, founder, president and chief executive of Armorize Technologies. The company said the attack has been disabled and the site is no longer serving up malware.

Malicious JavaScript

The main page of MySQL.com was compromised to force visitors to load a JavaScript file, Huang wrote on the Armorize blog. The file created an IFRAME that redirected the victim unknowingly to a page hosted at falosfax.in, hosted in Florida and again to a .cx.cc domain hosted in Sweden.

Once on the page, the BlackHole kit hosted on the site exploited the user’s web browser and installed plug-ins to download malware. Attackers modified a JavaScript file used by the Omniture SiteCatalyst plug-in, used to track website metrics, for this attack.

“The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection,” Huang wrote.

BlackHole is a widely used kit that contains pre-loaded exploits for vulnerabilities in web browsers and in other web components and plug-ins, such as Flash Player, Adobe Reader and Java. It takes advantage of unpatched software to compromise the machine. The drive-by-download attack is a common technique and often relies on JavaScript to silently redirect users to malicious sites without their knowing.

Eight out of 44 major security vendors currently detect the malware, according to malware tracker VirusTotal.

Root access sold

Trend Micro researchers found evidence that attackers were selling root access to some of the cluster servers of mysql.com and its subdomains on underground criminal forums. The seller was offering a shell console window with root access to these servers for $3,000 (£1,900), Maxim Goncharov, a senior threat researcher at Trend Micro wrote on the Malware blog.

Cyber-criminals are “brazen” enough to sell administrative access to specific systems, Goncharov wrote.

It appears that the site was initially compromised by a JavaScript malware which is often related to stolen FTP passwords, according to researchers at Sucuri Security. The malware likely compromised a computer belonging to a member of the MySQL.com team and stole the password from the FTP client, Sucuri researchers wrote on the blog.

MySQL is an open-source database that originally was owned by an independent entity, but was purchased by Sun Microsystems in 2008. It later became part of Oracle when that company bought Sun in 2009. Trend Micro’s Goncharov said the team contacted MySQL last week but hadn’t received a response. The site appeared to be serving up malware for about a three-hour window in the middle of the day.

With root access available for sale, it is possible that the malicious perpetrator who originally compromised mysql.com is not the one responsible for the BlackHole attack that served up malware on the site.