Ddostf DDoS Botnet Malware Targets MySQL Servers
Beware of a new threat in the cyber realm: the ‘Ddostf’ malware botnet is on the prowl, specifically targeting MySQL servers. This malicious botnet enslaves MySQL servers for a sinister purpose – running a DDoS-as-a-Service platform that can be rented out to other cybercriminals. The discovery of this nefarious campaign comes courtesy of the diligent researchers at the AhnLab Security Emergency Response Center (ASEC), who regularly monitor threats aimed at database servers.
Attacking MySQL Servers
The operators behind Ddostf employ a variety of tactics to compromise MySQL servers. They either exploit vulnerabilities in unpatched MySQL environments or, in a classic move, brute-force weak administrator account credentials to gain unauthorized access.
For Windows MySQL servers, the threat actors utilize a feature known as user-defined functions (UDFs) to execute commands on the compromised system. UDF is a MySQL feature that allows users to define functions in C or C++, compiling them into a DLL (dynamic link library) file that extends the capabilities of the database server.
In this particular attack, the attackers create their own UDFs and register them with the database server as a DLL file (amd.dll) housing malicious functions. These functions include downloading payloads, executing system-level commands sent by the attackers, and sending the results of command execution back to the attackers. The abuse of UDFs serves as the gateway for loading the primary payload of the attack – the Ddostf bot client. Beyond that payload, it also opens the door to other potential threats like malware installation, data exfiltration, and the creation of backdoors for persistent access.
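One way a defender can check a MySQL server for the UDF abuse described above, as an added example written for this article (it is not code from ASEC, BleepingComputer or MySQL): audit the rows of `mysql.func`, the loadable libraries sitting in `plugin_dir`, and the query log for `CREATE FUNCTION ... SONAME` statements. The allowlist of approved libraries, the sample function names and the sample log lines are constructed assumptions; only `amd.dll` comes from the report.

```python
"""Audit a MySQL server for rogue user-defined functions (UDFs).

Added example for this article; not code from ASEC, BleepingComputer or MySQL.
It consumes captured text so it runs offline; the sample data below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Query an operator runs to list registered UDFs; this script parses its
# `mysql --batch` (tab-separated) output.
UDF_QUERY = "SELECT name, ret, dl, type FROM mysql.func;"

# Assumption: the DBA maintains this allowlist of deliberately installed UDF libraries.
ALLOWED_LIBRARIES = {"lib_mysqludf_sys.so"}
# Library name ASEC reported for this campaign.
KNOWN_BAD_LIBRARIES = {"amd.dll"}

# CREATE [AGGREGATE] FUNCTION <name> RETURNS <type> SONAME '<lib>' is the documented
# statement that registers a UDF library; seeing it in a log is worth an alert.
UDF_REGISTRATION = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']+)'",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    severity: str  # "critical", "high" or "medium"
    subject: str   # function name or library file
    reason: str


def parse_func_rows(batch_output: str) -> list[dict[str, str]]:
    """Parse `mysql --batch` output: a header line followed by tab-separated rows."""
    lines = [ln for ln in batch_output.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]


def audit_registered_udfs(rows: Iterable[dict[str, str]],
                          allowed=ALLOWED_LIBRARIES,
                          known_bad=KNOWN_BAD_LIBRARIES) -> list[Finding]:
    """Flag every registered UDF whose backing library is not approved."""
    findings = []
    for row in rows:
        lib = row["dl"]
        if lib in known_bad:
            findings.append(Finding("critical", row["name"],
                                    f"registered from known-malicious library {lib}"))
        elif lib not in allowed:
            findings.append(Finding("high", row["name"],
                                    f"registered from unapproved library {lib}"))
    return findings


def audit_plugin_dir(files: Iterable[str],
                     allowed=ALLOWED_LIBRARIES,
                     known_bad=KNOWN_BAD_LIBRARIES) -> list[Finding]:
    """Flag loadable libraries dropped into plugin_dir, even ones not (yet) registered."""
    findings = []
    for name in files:
        if not name.lower().endswith((".dll", ".so")):
            continue  # only loadable libraries matter here
        if name in known_bad:
            findings.append(Finding("critical", name, "known-malicious library in plugin_dir"))
        elif name not in allowed:
            findings.append(Finding("medium", name, "unapproved loadable library in plugin_dir"))
    return findings


def find_udf_registrations(log_lines: Iterable[str],
                           known_bad=KNOWN_BAD_LIBRARIES) -> list[Finding]:
    """Scan general/audit log lines for UDF registration statements."""
    findings = []
    for line in log_lines:
        m = UDF_REGISTRATION.search(line)
        if m:
            name, lib = m.groups()
            sev = "critical" if lib in known_bad else "high"
            findings.append(Finding(sev, name, f"UDF registration from {lib} seen in query log"))
    return findings


# Constructed sample data (function names and log lines are made up for the demo).
SAMPLE_FUNC_OUTPUT = (
    "name\tret\tdl\ttype\n"
    "sys_exec\t2\tlib_mysqludf_sys.so\tfunction\n"
    "run_cmd\t0\tamd.dll\tfunction\n"
)
SAMPLE_PLUGIN_DIR = ["lib_mysqludf_sys.so", "amd.dll", "README.txt", "helper.dll"]
SAMPLE_GENERAL_LOG = [
    "2023-11-20T10:00:01 12 Query SELECT VERSION()",
    "2023-11-20T10:00:02 12 Query CREATE FUNCTION run_cmd RETURNS STRING SONAME 'amd.dll'",
]

if __name__ == "__main__":
    for f in (audit_registered_udfs(parse_func_rows(SAMPLE_FUNC_OUTPUT))
              + audit_plugin_dir(SAMPLE_PLUGIN_DIR)
              + find_udf_registrations(SAMPLE_GENERAL_LOG)):
        print(f"[{f.severity}] {f.subject}: {f.reason}")
```

Run the `UDF_QUERY` with `mysql --batch`, list the directory reported by `SHOW VARIABLES LIKE 'plugin_dir'`, and feed both plus the general or audit log into the three functions; a finding on an unapproved library is the cue to pull the file for analysis and to check which account registered it.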
Ddostf Malware Details
Ddostf, a malware botnet of Chinese origin, has been in the wild for approximately seven years and targets both Linux and Windows systems. On Windows, it establishes persistence by registering itself as a system service upon first running and decrypts its command and control (C2) configuration to establish a connection. The malware profiles the host system, sending various data such as CPU frequency, number of cores, language information, Windows version, and network speed to its C2.
The C2 server can issue commands to the botnet client, instructing it to perform DDoS attacks like SYN Flood, UDP Flood, and HTTP GET/POST Flood. Additionally, it can request the botnet to stop transmitting system status info, switch to a new C2 address, or download and execute a new payload. Notably, Ddostf’s ability to connect to a new C2 address sets it apart from most DDoS botnet malware, providing it with resilience against takedowns.
Conclusion
To safeguard against such threats, cybersecurity experts at ASEC recommend that MySQL administrators promptly apply the latest updates. Additionally, they emphasize the importance of choosing long and unique passwords to protect admin accounts from brute force and dictionary attacks. Stay vigilant, stay secure.
The sources for this article include a story from BleepingComputer.