
Malware & MySQL - Believe it!

06.03.2008 - 10:26 AM

Most malware tends to store stolen credentials and information in makeshift text files, which are then forwarded to the author via email or another protocol. However, the use of scalable and robust solutions is becoming more popular in the malware community. In fact, it is increasingly common for malware to parse remote text files to determine the locations of additional malicious modules to download. This gives the author more flexibility than the typical approach of hardcoding executable locations. Today we will look at an example designed with additional scalability in mind: it uses a remote MySQL database to store its stolen information and to retrieve additional malicious modules and script code.

The MySQL Database

The malware constructs a MySQL statement, INSERT INTO pakote.infect (tudo) VALUES ('PCNAME'), that, when executed, stores your computer name into a table titled 'infect'. This statement is issued to and executed by a remote MySQL database, which is provided freely by a hosting service called db4free. Not surprisingly, the malware's ability to make database-driven calls comes from an existing library called Zeoslib, a popular Delphi component that allows communication with a variety of databases such as MySQL, MS SQL, and Sybase.

How It Works

Before any major actions are taken by the malware, it first retrieves a .txt file from a remote server. Here is a screenshot of the HTTP request:

As you can see, the .txt file acts as a configuration file, which holds the hostname of the MySQL database as well as the credentials needed to access or update its contents. This scheme works well for the author, who can create numerous accounts on various free database providers instead of being bound to one hardcoded account. Hence, if a host is taken down, all the author must do is update the .txt file with a different hostname and credentials. Connecting to the database via phpMyAdmin reveals the following:

The 'infect' table holds the computer names of all infected hosts, as denoted by the lower highlighted area. The other tables, denoted by the left highlighted area, are for stolen credentials from specific companies. The 'conf' table is used as a configuration file by the malware and gives additional information about the targeted attacks. Column names of modmsn, modorkut, modred, modita, modcci, and modccc can be seen with corresponding URLs that point to remote executables. Analysis of the executables makes it apparent that the column names describe the targeted service. Hence, modccc attacks CrediCardCiti users via local content injection, modita targets Itau users, and so on. For more on what local content injection is and how it works, see our earlier blog on encrypted strings and content injection.
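
The network pattern described in this section (a .txt configuration fetch over HTTP followed by a direct MySQL connection to an external host) can be hunted for in proxy and flow logs. The following is an added example, not code from the original post: the log format, sample records, internal address range, correlation window, and the use of MySQL's default port 3306 are all assumptions.

```python
from datetime import datetime, timedelta
import ipaddress

MYSQL_PORT = 3306                                # MySQL default port (assumed; the post names no port)
WINDOW = timedelta(minutes=5)                    # assumed correlation window
INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal address space

# Constructed records: time, source, destination, port, HTTP path ("-" if not HTTP)
SAMPLE_LOG = """\
2008-06-03T10:00:01 10.0.0.15 files.example.net 80 /cfg/settings.txt
2008-06-03T10:00:04 10.0.0.15 203.0.113.20 3306 -
2008-06-03T10:01:00 10.0.0.22 www.example.org 80 /index.html
2008-06-03T10:01:30 10.0.0.40 10.0.5.9 3306 -
2008-06-03T10:05:00 10.0.0.31 docs.example.com 80 /readme.txt
2008-06-03T10:45:00 10.0.0.31 198.51.100.7 3306 -
"""

def is_internal(dst):
    try:
        ip = ipaddress.ip_address(dst)
    except ValueError:
        return False                             # hostnames are treated as external here
    return any(ip in net for net in INTERNAL)

def find_external_mysql(log_text):
    """Return one finding per MySQL flow to a non-internal destination, noting any
    .txt the same source fetched over HTTP within WINDOW before it.
    Records are assumed to be in time order."""
    last_txt = {}                                # source -> (time, url) of latest .txt fetch
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, path = line.split()
        when = datetime.fromisoformat(ts)
        if port == "80" and path.lower().split("?")[0].endswith(".txt"):
            last_txt[src] = (when, dst + path)
        elif int(port) == MYSQL_PORT and not is_internal(dst):
            seen = last_txt.get(src)
            recent = seen[1] if seen and when - seen[0] <= WINDOW else None
            findings.append({"src": src, "db": dst, "config_fetch": recent})
    return findings

if __name__ == "__main__":
    for finding in find_external_mysql(SAMPLE_LOG):
        print(finding)
```

A workstation speaking MySQL to an Internet host is worth reviewing on its own; a finding with config_fetch set matches the fetch-then-connect sequence above and deserves priority.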

One of the more interesting executables is the modorkut piece, which injects a JavaScript file into the browser. This file posts Orkut scrapbook messages with a malicious URL that downloads the same piece of malware. The URL included in the scrapbook postings was made less conspicuous by using an open redirector which has fortunately been closed. The example below illustrates this:

Conclusions

This is a relatively unique piece of malware because it uses a remote MySQL database to store stolen credentials as well as retrieve additional malicious scripts or modules. It also has creative methods of propagation, including local content injection in Orkut, which contrasts with the typical method of spreading via harvested MSN contacts.

We want to give kudos to Flixster for identifying and closing the open redirector without any notification on our part. It is responsible security practices such as these that keep users safe, as shown in this blog posting.

Security Researcher: Elad Sharf & Joren McReynolds
