The MySQL Database
The malware constructs a MySQL statement, INSERT INTO pakote.infect (tudo) VALUES ('PCNAME'), that, when executed, stores the victim's computer name in a table named 'infect'. The statement is sent to and executed by a remote MySQL database hosted by db4free, a free database hosting service. Not surprisingly, the malware's ability to issue database calls comes from an existing library, Zeoslib, a popular Delphi component that can communicate with a variety of databases such as MySQL, MS SQL, and Sybase.
How It Works
Before any major actions are taken by the malware, it first retrieves a .txt file from a remote server. Here is a screenshot of the HTTP request:
As you can see, the .txt file acts as a configuration file: it holds the hostname of the MySQL database as well as the credentials needed to read or update its contents. This scheme works well for the author, who can create numerous accounts on various free database providers instead of being bound to one hardcoded account. If a host is taken down, the author need only update the .txt file with a different hostname and credentials. Connecting to the database via phpMyAdmin reveals the following:
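The two-step sequence described above (a small .txt configuration file fetched over HTTP, followed shortly by an outbound MySQL connection to an external database host) is something a defender can look for in proxy and firewall logs. The following Python script is an added example written for this post, not code from the malware or from the analysis itself; the log line format, the hostnames, the internal-domain suffix .corp.test and the 60-second correlation window are all constructed assumptions.

```python
"""Correlate proxy/firewall log lines to spot the sequence this malware uses:
an HTTP fetch of a .txt configuration file from an external host, followed
shortly by an outbound connection to an external MySQL server (TCP/3306).

Added example. The log format, hostnames and timing window are constructed
assumptions, not data from the analysed sample.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Fields:
#   <ISO timestamp> <source host> <proto> <destination host> <destination port> <path or ->
SAMPLE_LOG = """\
2009-03-02T10:00:01 ws-17 http cdn.example-update.test 80 /img/logo.png
2009-03-02T10:00:05 ws-17 http free-host.example.test 80 /cfg/settings.txt
2009-03-02T10:00:09 ws-17 tcp  db-free-provider.example.test 3306 -
2009-03-02T10:01:00 ws-22 http free-host.example.test 80 /cfg/settings.txt
2009-03-02T10:45:00 ws-22 tcp  db-free-provider.example.test 3306 -
2009-03-02T10:02:00 ws-09 tcp  db-internal.corp.test 3306 -
"""

WINDOW = timedelta(seconds=60)          # assumed: how soon the DB connect must follow the fetch
MYSQL_PORT = 3306
INTERNAL_SUFFIXES = (".corp.test",)     # placeholder for the organisation's own domains


def parse(line):
    """Split one constructed log line into a dict."""
    ts, src, proto, dst, port, path = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "proto": proto,
            "dst": dst, "port": int(port), "path": path}


def is_external(host):
    """Anything not under one of our own domain suffixes is treated as external."""
    return not host.endswith(INTERNAL_SUFFIXES)


def find_config_then_mysql(log_text, window=WINDOW):
    """Return (source, txt_url, mysql_host) for every source host that fetched a .txt
    file from an external web host and then opened a MySQL connection to an external
    host within `window` of that fetch."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    recent_txt = defaultdict(list)      # source host -> .txt fetch events seen so far
    alerts = []
    for e in events:
        if (e["proto"] == "http" and e["path"].lower().endswith(".txt")
                and is_external(e["dst"])):
            recent_txt[e["src"]].append(e)
        elif e["port"] == MYSQL_PORT and is_external(e["dst"]):
            for fetch in recent_txt[e["src"]]:
                if timedelta(0) <= e["ts"] - fetch["ts"] <= window:
                    alerts.append((e["src"], fetch["dst"] + fetch["path"], e["dst"]))
                    break
    return alerts


if __name__ == "__main__":
    for src, cfg_url, db_host in find_config_then_mysql(SAMPLE_LOG):
        print(f"{src}: fetched {cfg_url} then connected to MySQL on {db_host}")
```

In the sample log only ws-17 fires: ws-22 fetched the same .txt but connected to the database 44 minutes later, outside the window, and ws-09 connected to an internal database server, which the rule ignores. The window is deliberately short because the malware reads the configuration and connects straight away; a looser window trades precision for coverage of slower variants.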
The 'infect' table holds the computer names of all infected hosts, as denoted by the lower highlighted area. The other tables, denoted by the left highlighted area, hold stolen credentials for specific companies. The 'conf' table is used by the malware as a further configuration file and gives additional information about the targeted attacks. Columns named modmsn, modorkut, modred, modita, modcci, and modccc can be seen, each with a corresponding URL that points to a remote executable. After analysis of those executables it becomes quite apparent that each column name describes the targeted service: modccc attacks CrediCardCiti users via local content injection, modita targets Itau users, and so on. For more on what local content injection is and how it works, see our earlier blog on encrypted strings and content injection.
This is a relatively unique piece of malware because it uses a remote MySQL database both to store stolen credentials and to retrieve additional malicious scripts or modules. It also has creative methods of propagation, including local content injection in Orkut, in contrast with the typical method of spreading via harvested MSN contacts.
We want to give kudos to Flixster for identifying and closing the open redirector without any notification on our part. It is responsible security practices such as these that keep users safe, as this blog posting shows.
Security Researcher: Elad Sharf & Joren McReynolds