It’s probably not surprising, given the scale of the attack, to learn that the traffic from mysql.com was being routed into a large Malware Delivery Network, one already tracked by WebPulse. Our customers were therefore protected, but it’s still worth examining what the logs can tell us about the attack.
For this particular malnet, some of the components have been around for many months, but the actual exploit and payload servers have a much shorter lifespan. In this attack, for example, the attack host was a junk domain named truruhfhqnviaosdpruejeslsuy.cx.cc. It was one of a long line of malicious hostnames on a server that we had flagged as a malware host when it first appeared a few days earlier (9/22/2011). In the five days that server has been in use, our logs show 81 different hosts on it: in addition to several on .cx.cc, there are hosts on .info, .ms, .in, and .ai, among others.
To sum up, it looks like no special infrastructure was created to handle the traffic generated by the hidden iFrames on mysql.com. As newsworthy as this attack was, it was simply “Yet Another Traffic Driver” for a well established malnet; one that continues to go about its business today.
It was also interesting to look at some of the URLs we saw in our logs as referrers, as browsers attempted to reach the malnet:
This contributed to the main topic of discussion on the Blue Coat malware team: the price paid for access to mysql.com. If root access was indeed purchased in order to enable this attack, why would a Bad Guy pay so much [$3K sounds like a lot to us, anyway] for something that would only be active for a short period of time? Here are some theories:
- Consider the type of traffic they were buying: It’s reasonable to assume that frequent users of mysql.com are DBAs, engineers, Web developers, and other technical folks (as the URLs above indicate). Many of these people would presumably have logins to databases (and Web sites). The malware, at some point, could scour the victim’s computer for files containing database credentials and connection details. This opens up a wealth of potentially sensitive information and the ability to compromise additional systems.
- Such tech-savvy users are probably more likely to use online banking, and possibly to be saving up (or trying to free up credit) for that next got-to-have gizmo. Ripe targets for banking trojans.
- This is a high-traffic site (we saw estimates in the range of 400K visitors per day), so the sheer number of visitors could be worth it by itself.
While this hack is unfortunate news for the admins of mysql.com [and the non-WebPulse-using visitors], it also provides additional evidence that the Bad Guys do not suddenly appear out of the woodwork to launch large-scale attacks. Their infrastructure is already in place, and running 24/7 in their daily efforts to infect new victims. By focusing on tracking malnet infrastructure, WebPulse protects its users independently of the traffic-driving method du jour.
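To make the point concrete, here is an added example (our own illustration for this post, not WebPulse code) of what “tracking infrastructure rather than the traffic driver” looks like over proxy logs. The log lines are constructed: only truruhfhqnviaosdpruejeslsuy.cx.cc comes from the attack above; the other hostnames use the reserved .invalid TLD, the IPs are from the TEST-NET-1 documentation range, and the flagged-server set stands in for the server we flagged on 9/22. The decision to block never looks at the referrer, so the same logic catches every junk domain parked on the flagged server (the “81 different hosts” count) whether the traffic arrives from mysql.com today or some other compromised site tomorrow.

```python
"""Infrastructure-keyed blocking over constructed proxy log lines.

Added example for this post; not Blue Coat / WebPulse code.
"""
from collections import Counter, defaultdict
from urllib.parse import urlsplit

# Constructed proxy log (NOT real WebPulse data).
# Fields: timestamp  client_ip  requested_host  resolved_server_ip  referrer ('-' = none)
# Only truruhfhqnviaosdpruejeslsuy.cx.cc is from the post; other hostnames use
# the reserved .invalid TLD, and IPs are from 192.0.2.0/24 (TEST-NET-1).
SAMPLE_LOG = """\
2011-09-26T14:02:11Z 10.0.0.5  truruhfhqnviaosdpruejeslsuy.cx.cc 192.0.2.10 http://www.mysql.com/
2011-09-26T14:02:12Z 10.0.0.5  static.cdn.invalid                192.0.2.44 http://www.mysql.com/
2011-09-26T14:03:40Z 10.0.0.9  qpzkdjrufwnbcv.info.invalid       192.0.2.10 http://forum.example.invalid/thread
2011-09-26T14:05:02Z 10.0.0.12 xmrtgbhpo.ms.invalid              192.0.2.10 -
2011-09-26T14:06:15Z 10.0.0.5  www.mysql.com                     192.0.2.80 -
2011-09-26T14:07:58Z 10.0.0.21 truruhfhqnviaosdpruejeslsuy.cx.cc 192.0.2.10 http://www.mysql.com/
"""

# Server IPs already flagged as malnet exploit/payload hosts (constructed value,
# standing in for the server flagged on 9/22 in the post).
FLAGGED_SERVERS = {"192.0.2.10"}


def parse_log(text):
    """Split whitespace-separated log lines into dicts; '-' referrer becomes None."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, ip, referrer = line.split()
        records.append({
            "ts": ts, "client": client, "host": host.lower(), "ip": ip,
            "referrer": None if referrer == "-" else referrer,
        })
    return records


def blocked_requests(records, flagged_servers):
    """Requests whose hostname resolves to a flagged server.

    The referrer is deliberately ignored: the verdict keys on the server
    behind the name, so a new traffic driver changes nothing here.
    """
    return [r for r in records if r["ip"] in flagged_servers]


def hosts_per_server(records):
    """Map server IP -> set of hostnames seen resolving to it
    (how a '81 different hosts on that server' count is derived)."""
    by_server = defaultdict(set)
    for r in records:
        by_server[r["ip"]].add(r["host"])
    return by_server


def learned_host_blocklist(records, flagged_servers):
    """Every hostname parked on a flagged server, for a name-based list."""
    by_server = hosts_per_server(records)
    names = set()
    for ip in flagged_servers:
        names |= by_server.get(ip, set())
    return names


def traffic_drivers(blocked):
    """Which referrer sites are currently feeding the malnet ('direct' = no referrer)."""
    counts = Counter()
    for r in blocked:
        counts[urlsplit(r["referrer"]).netloc if r["referrer"] else "direct"] += 1
    return counts


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    blocked = blocked_requests(recs, FLAGGED_SERVERS)
    print(f"blocked {len(blocked)} of {len(recs)} requests")
    for ip in FLAGGED_SERVERS:
        print(ip, "->", sorted(hosts_per_server(recs)[ip]))
    print("traffic drivers:", traffic_drivers(blocked).most_common())
```

Note what is and isn’t blocked: the mysql.com page itself and the unrelated CDN host go through, every request to the flagged server is stopped regardless of where the browser came from, and the referrer tally is kept only as intelligence about which sites are driving traffic this week.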
P.S. Tim really deserves 95% of the credit for this post, but the new blog editor only lets me credit him as a co-author. Hopefully we can get that fixed… –C.L.