A security firm revealed today that mysql.com, the central repository for widely-used Web database software, was hacked and booby-trapped to serve visitors with malicious software. The disclosure caught my eye because just a few days ago I saw evidence that administrative access to mysql.com was being sold in the hacker underground for just $3,000.
Web security firm Armorize stated in its blog that mysql.com was poisoned with a script that invisibly redirects visitors to a Web site that uses the BlackHole exploit pack, an automated exploit toolkit that probes visiting browsers for a variety of known security holes.
“It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” say the researchers. “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com. As part of his pitch, which was published on the criminal forum Sept. 21, the seller called attention to the site’s daily and monthly stats, and posted screen shots of a root login prompt in a bid to prove his wares.
The seller, ominously using the nickname “sourcec0de,” points out that mysql.com is a prime piece of real estate for anyone looking to plant an exploit kit: It boasts nearly 12 million visitors per month — almost 400,000 per day — and is ranked the 649th most-visited site by Alexa (Alexa currently rates it at 637).
He offered to sell remote access to the first person who paid him at least USD $3,000, via the site’s escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds.
The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems. As I’ve noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole: Currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities.
Of course, the apparent criminal sale of mysql.com and the subsequent compromise of the site could be just a coincidence. Armorize’s Wayne Huang said the infection was cleaned up not long after the company published its blog post. Huang said it’s not clear how long mysql.com had been compromised, but that it appears the malicious scripts were injected into the site sometime within the last seven hours. If that’s accurate, that was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit.
“From our experience, the infection rate is usually pretty high for these drive-by download infections,” Huang said.
Armorize has published a YouTube video (below) that shows what happened when an unpatched browser visited mysql.com during the time it was infected with the drive-by exploit.
Update, Oct. 7, 12:30 a.m. ET: MySQL.com now features the following message, left on Oct. 4. “In light of a recent security incident, customers are advised to update their antivirus definitions and run a full antivirus scan on all computers that accessed the MySQL site between September 20th, 2011 and September 28th, 2011. Also, out of an abundance of caution, we advise MySQL account holders to then change their MySQL account passwords.”
In the last paragraph, you state ‘unpatched browser’ but I think you mean ‘unpatched Java’. The video shows the use of a java exploit – which is likely independent of the browser.
Well, that’s one way of putting it. But nearly all of these exploit kit attacks target browser plugins, and this is no exception: Java is a standalone application, true, but it also hooks into the browser as a plugin.
Last Updated: 2011-09-26 21:50:32 UTC – “… now been cleaned up on mysql .com but no further words on the scope of the compromise. It also appears to be the second time this year*. In the last incident, SQL injection was used to gain access to the information on the site.”
March 28, 2011
On this screen shot from forum it date says
Thu Feb 11 UTC 2010
Jun 21 UTC 2010
Does it mean MySQL.com was compromised over a year and a half?
No, those dates are simply part of the kernel version string for each system, nothing to do with compromise.
No, that’s the date the kernel was built on that MySQL.com box (output from “uname -a”)
Look more closely at the screenshot, the thread was posted September 21, 2011 at 5:43 (and edited at 5:44).
Let’s be clear and not sensationalist here. Java is a computer language, not a security hole. The browser plugins enable Applets written in Java (the language) to be run within a browser and within the Java virtual machine (which runs the language). The VM has certainly had issues over the years, but the language itself is not the security hole.
I’m not sure the point of trying to make some wild connection between a MySQL server being hacked (which has nothing to do with Java), Java, Oracle and security issues. I’m not really sure what you are trying to say here, but again, it sounds sensationalist. You’d be better off sticking with just reporting about the break-in and keeping the rest of the analysis off your site.
To be fair, you’re right, but: we already do this anyway. The fundamental flaw is tied into the way browser architecture functions, with Java being the hardest to secure access route to those vulnerabilities. So, is it more sensational to say “Java is a security hole” or to say that “every browser you could use is a security hole?”
The real irony is we’re talking about an SQL venue here, because it’s in that same range of simply being a programing language that can be exploited with malicious intent as well.
What evidence do you have that suggests Java (the virtual machine vs. the language) is the hardest to secure access route?
Anyway, my real point is that bringing up Java security in an article about a website break in seems kind of sensational for a blog about ‘security’.
Did you happen to miss the part about how the Web site break in was used to install an exploit kit that exploited Java vulnerabilities more than any other? Not sure how you can say Java is irrelevant here.
My name is Jon.
Sorry about misspelling your name, Jon. So you’re a Java developer. I get it.
Just to more fully answer your question, here are the version release notes from the author of the BlackHole exploit kit. See if you can spot how many times he talks about new Java exploits. Finally, check out his sample stats page image to see what a moneymaker Java vulns have been for users of this exploit pack.
“The new version 1.1.0 of innovation – is a complete rewrite. Before issuing the java sploit, it is checking the version of JRE and only if the version is potentially vulnerable is an attempt [made] to punch through and overwrite existing exploits.
java smb no longer asks to install the plugin when approaching the link, and other changes (iepeers) removed because of no relevance
added 2 new exploit java trust (including breaks to 1.6.0_23 – this is the penultimate version at the moment). just added java skyline significantly increased breaking for some types of traffic nearly doubled, this is an example stats…”
Nothing good to say… java is slow… i havent installed that since many years… even… if i had too… i always removed it… thats a piece of software that i really… dislike…
…was that really you lurking the site? http://blog.trendmicro.com/underground-radar-possible-compromise-of-mysql-com-and-its-subdomains/
Hrm. Jonathan, what are you suggesting?
For Jon, and any other doubters:
Looks like they are arguing a bit in the thread:
My comment has nothing to do with a love of Java (the language). Although, I do love it as it has served me well over the years.
What I’m more getting at is that by not being specific about what you are talking about, you are sensationalizing your story in order to group the entire Java ecosystem (language, Java VM, Applets, Browsers, Oracle, MySQL, etc.) into this horrible dangerous thing.
The reality is that *all* you are talking about is Applets and maybe a bit of the Java WebStart crap. Both of which are effectively dead technology. It is unfortunate that they are still runnable across a wide range of platforms. It is also unfortunate that, after all of these years, Microsoft also has a horribly insecure platform that makes it really easy to push out payloads to. Applets != Java… Applets are Applets and that happens to be executed by a platform that Sunacle effectively dropped 10 years ago. Flash is another language running in a special VM (not Java) that is also horribly insecure and people are working to replace that too. If Ruby could run in the browser I’m sure you’d write an article talking about how insecure it is as well. The fact of the matter is that while there are holes in Java Applets, for the most part they have been pretty secure over the years. The sad issue is that one small hole affects ~800million people.
So, when you somehow correlate all of these seemingly separate things together into one big lump sum, I’m sure it gets you more clicks on your blog because the newbs out there just here your keyword ‘Java’ and think… oh, that is going to cause my machine to go into fits so that is big bad evil. But again, the reality here is that Java, the language, is used to power ALL of the major websites. I know, I used it to build one of the largest hardcore porn sites on the net and I also worked on a system where $billions of Online AdSpend/year are being passed through Java. It is an exceptionally stable and well respected language used by millions of developers.
Please make your distinctions.
“The reality is that *all* you are talking about is Applets and maybe a bit of the Java WebStart crap. Both of which are effectively dead technology.”
I couldn’t agree more. Unfortunately, this “crap,” “dead” technology is installed on about 80 percent of the computers out there today, even if most people have zero need for it.
Most users aren’t interested in the philosophical and emotional debate you’re having with yourself about what parts of Java are fun and great and which parts aren’t. The average user installs Java and forgets about it.
We can blame Sun for how insecure it has been, and Microsoft for not building a better operating system, but that doesn’t change the fact that the Java program that users have on their systems is a huge liability for non-security conscious users, which describes a majority of the planet, I’m afraid.
I agree. The part of ‘Java’ which is more ‘fun’ is which ever gets you more hits on your blog! Thank you for providing such ‘In-depth security news and investigation.’ I’m sure the masses feel more informed about the big scary ‘Java’ dangers thanks to your ‘expert’ analysis. Speaking of which, do you actually write code or just words?
All this talk about java made me want some coffee.
Mr. Krebs, if you actually saw evidence of the Mysql hack sale last week and failed to promptly notify the authorities and company about that, then you should be put against the wall, shot summarily and left hanging by the feet from a lamppost until a crow plucks out your eyes, then off for burial in un-consecrated land.
Hackers and their collaborators should be dealt with the same way Sir Isaac Newton, head of the Royal Mint, ended forgery of money and tax evasion in early 1700s London. He realized the GRAVITY of the problem and had any perpetrators hanged, many foreigners among them. Oh, good ol’ morals and laws, where are thou?
“good ol’ morals and laws, where are thou” Summarily dismissed as soon as the evidence became compelling that it didn’t work? I’m not interested in a moronic, “bring back hanging” argument. There is so much evidence both by comparing countries today and using historical data that anyone who thinks capital punishment works is, at best, deluded and, at worst, mentally deluded.
What Mr. Krebs did is like learning about 9/11/01 a week in advance, and not telling anyone, because he wanted to write a well-paying, first-to-streets newpaper article about the flaming death of app. 3000 twin tower victims. This time he wanted to write about the screwing of 170k mysql visitors, many thousands of whom definitely saw their computers die due to the infection.
Cannot see the difference, as cybercrime is not a lesser crime compared to the “real world”, because cyber is also very real today. Mr. Krebs is a traitor, feds best hang him as an example or send him to Supermax for a miserable life term.
Lax morals and weeney punishment is best way to national collapse and eventually hard-handed dictatorship. That’s what happened to the Venetian merchant republic after it stood a full 1000 years as the world’s richest state. Singapore is so desirable, strong and rich today exactly because of its heavy punishment system upholding public and private morals, encoraging patriotism and discouraging treason.
You should move to Saudi-Arabia
Trend Micro anti-virus blog says they also saw the preparations (MYSQL site illegal access auctioning) but failed in their attempts to contact MySQL or Oracle admins.
This means both Trend and Mr. Krebs failed in their most basic duties as a US subject, that is to contact the FBI and tell its cybercrime department about a FOREIGN attack organized or in perparation against a US entity. It’s a damn crime, the hell! If you see someone taking a sniper nest to shoot your neighbour, you don’t call his family, you call the SWAT!
Because of the foreign involvement, there is no journalistic immunity even for Mr. Krebs and the right of the Feds to supress foreign subterfuge against US soil at any cost, is well-based in precedents of both WWs.
Hacking is not a toy or a joke, it is deadly serious and all eye witnesses shall contact the FBI if you experience an e-attack or a preparation thereof. They will decide whether law enforcement shall work on it or if action is best transferred to the Cyber Command, if the gravity of the incident warrants US military response.
The red hacker threat is no less, then Cold War was and all americans must stand alert to russo-chicom e-attempts made on the high-tech, business and military assest of the USA.
No journalist shall try to make a profit by post-reporting a supressed cyber incident. That is unpatriotic and may be pillegal. Go to the FBI and report if you see something poitentially serious in the cyberspace! It is a shame to make laughing matter of organized e-crime and obviously state sponsored e-spionage!
Great Article as always :). Just figuring out if the Armorize File Monitor was available somewhere to download. Anyone knows?
They didn’t say that they were using a VM, but please note that a tool like Armorize (or sysinternal’s procmon – http://technet.microsoft.com/en-us/sysinternals/bb896645 ) won’t protect your system from being ruined. It just lets you see things as they happen until the bad actor starts running, at which point it could stomp all over Armorize or anything else running on the system (well, generally anyway, a privilege escalation attack might be needed to do it completely, but …).
Personally, if I were going to play with fire like this, I’d snapshot a VM and use that, and I’d probably also ensure that the VM host has no privileges and isn’t connected to any private networks. (Yes, you can attack a VM host just as you can attack an OS or a local network, there might be fewer attacks available, but it only takes one.)
I use a VM on linux for this very purpose. I can let a trojan in, disassemble it, and/or let it loose, and then restore the machine back to before it was smashed.
Very handy to get a bunch of tools installed and you always have a clean snapshot ready to go for the next round.
I did something like this when I was quite young (486 era) and had an extra computer that I would just let viruses loose on to see what they did. It was a bitch to have to format and reinstall the OS every time though haha.
Brian, 2 minutes of googling and…
this root was selling on 5 or more forums for 1 week!!!
Oracle do nothing all this time!
What I find frustrating with articles like this one is that it is difficult to know who is vulnerable. Are browsers with Java running on Linux vulnerable? From the Armorize video it appears that the Blackhole exploit pack targets Windows since the video shows .exe files being dropped. But is Blackhole context sensitive, attacking Linux when the victim is running that O/S? It would be really helpful if authors would at least say something about the scope of configurations that can be victimized. Even to say that it is not known whether Linux or Apple or whatever machines are vulnerable would be helpful.
BlackHole, and this attack in general, targets Windows users only.
What is frustrating is that you frequent a BLOG like this and expect Brian to educate you in facets of his BLOG entry. Read from his blog and then research the things you don’t understand. He provides pertinent links to assist with this.
Matter of time…. MOre and more people with inside access will start doing this, I am afraid. Cyver-War is imminent. And nation-states have enough money to create moles and get what they want. That is what happened with the case of mysql.com…That much access to a repository with that much security… Has to be inside…
It is sad how exploitable Java is…Hell, I can create a drive-by link to inject a payload in about 30 seconds… That is how bad java is… It needs to die… Fast.
poor Oracle. tsk tsk tsk… 😀
Very good article and Video! Thank you.
Good video, well done hackers! Shame they cant put their skills to something more constructive.
Windows has always been vulnerable and it always will be. The key here is that a binary file can be downloaded and executed without the users permission. That is ludicrous. Windows basically does not work!
I agree great article. Frankos I think there is a different side but Im not going to debate on hackers anymore. I dont condone what they do. I am just saying the mindset many ways is different. Because they dont come out and hold interviews. Its illegal and wrong. But there are those being paid. They are the ones being paid by companies to do such things. If people want this to stop, then rain in on the companies paying them. Patents aren’t the only thing used in Corporate warfare. Economic Espionage is very prevelant. Cracking is part of that approach. Its unfortunate but its happening
Thanks for the update Brian, I really enjoy reading your blog. It is clear that trusted websites such as mysql.com that involve downloads, no one can be sure of the validity of the links. Organizations need to ensure their network is secured with a network layer Data Leakage Prevention (DLP), which is fast becoming a necessity to prevent the breach of user/corporate data. Any enterprise that captures and distributes data and/or plug-ins needs to become hyper-vigilant. Our company, Wedge Networks has focused on building such solutions for years, and is leading efforts to prevent the good things from flowing out, but especially in this case, prevent bad things from flowing in.
I’d like to thank Wayne Huang for his efforts, and the video, and of course, Brian for bringing it to our attention! 🙂