(Credit: Wayne Huang, Chris Hsiao, NightCola Lin)
HackAlert 24x7 Website malware monitoring platform today indicated that mysql.com has been hacked and is currently serving malware. The highlighted section of the above screenshot is the injected script. Below is a video showing how visitors are infected when navigating to the site:
Step 1: http://www.mysql.com
Causes the visiting browser to load the following:
Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011
This is the injection point. The entire content of the above .js file can be found here.
The injected section is shown in the above screenshot. The decoded version is as follows:
available here. This script generates an iframe to Step 3.
Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/
Throws out a 302 redirect to Step 4.
Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.
We don't know much at this point. The following are information regarding the associated malicious domains.
falosfax.in (Step 3)
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name:CHRISTOPHER J KLEIN
Registrant Street1:7880 SW 132 STREET
Registrant Postal Code:33156
Admin Name:CHRISTOPHER J KLEIN
Admin Street1:7880 SW 132 STREET
Admin Postal Code:33156
Admin Phone Ext.:
Admin FAX Ext.:
truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Location: Sweden / Stockholm
The mysql.com website is as of now, still serving this exploit and malware.
We're in the process of contacting mysql.com. If anyone have contacts to them, please drop us an email at firstname.lastname@example.org
PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1