Ddostf Botnet Deploying Attacks on MySQL Servers

The 'Ddostf' botnet is focusing its activity on MySQL servers with the aim of taking control and offering their DDoS capabilities as a service to other cybercriminals.

Researchers at AhnLab Security Emergency Response Center (ASEC) found this threat while regularly checking for dangers targeting database servers. ASEC reveals that Ddostf's operators exploit weaknesses in MySQL setups that haven't been updated or try to break in by guessing weak passwords of administrator accounts. They actively scan the internet for exposed MySQL servers, attempting to breach them by trying various administrator credentials.

For Windows MySQL servers, the attackers use a feature known as user-defined functions (UDFs) to run commands on the compromised system. UDFs in MySQL let users create functions in C or C++ and compile them into a DLL file, expanding the database server's capabilities.

In this case, the attackers create their own UDFs and register them with the database server as a DLL file (amd.dll) with malicious functions, including downloading Ddostf DDoS bot payloads, executing system-level commands, and sending command execution results to the attackers. This UDF abuse helps load the main payload of the attack, the Ddostf bot client, but it could also potentially lead to other malware installations, data theft, and creating backdoors for persistent access.
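The two behaviours described above, credential guessing against administrator accounts and registration of a DLL as a UDF, both leave traces in MySQL's general query log. The following detection script is an added example, not code from the article or from ASEC; the general-log layout it parses, the allowlist `ALLOWED_LIBS`, the function name `cmd_exec` and the sample lines are constructed for illustration.

```python
"""Added example: scan MySQL general-log lines for the two behaviours the article
attributes to Ddostf operators. Log layout and sample lines are constructed."""
import re
from collections import Counter

# General log line: "<timestamp>  <thread id> <command>  <argument>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
# UDF registration statement: CREATE FUNCTION name RETURNS type SONAME 'library'
UDF_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<fn>\w+)\s+RETURNS\s+\w+\s+"
    r"SONAME\s+'(?P<lib>[^']+)'", re.I)
DENIED_RE = re.compile(r"Access denied for user '(?P<user>[^']+)'@'(?P<host>[^']+)'")

ALLOWED_LIBS = {"approved_udf.dll"}  # libraries deliberately installed (constructed)
DENIED_THRESHOLD = 3  # failed logins from one user/host pair before it is flagged


def scan_general_log(lines, allowed_libs=ALLOWED_LIBS, threshold=DENIED_THRESHOLD):
    """Return (udf_alerts, bruteforce_alerts) found in an iterable of log lines."""
    udf_alerts, denied = [], Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m["cmd"] == "Query":
            u = UDF_RE.search(m["arg"])
            if u and u["lib"].lower() not in allowed_libs:
                udf_alerts.append((m["ts"], u["fn"], u["lib"]))
        elif m["cmd"] == "Connect":
            d = DENIED_RE.search(m["arg"])
            if d:
                denied[(d["user"], d["host"])] += 1
    brute = [(u, h, n) for (u, h), n in denied.items() if n >= threshold]
    return udf_alerts, brute


# Constructed sample lines in MySQL 8 general-log layout (not from the article).
SAMPLE_LOG = """\
2023-11-17T10:00:01.000000Z\t   12 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-17T10:00:02.000000Z\t   13 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-17T10:00:03.000000Z\t   14 Connect\tAccess denied for user 'root'@'203.0.113.5' (using password: YES)
2023-11-17T10:00:09.000000Z\t   15 Connect\troot@203.0.113.5 on  using TCP/IP
2023-11-17T10:00:10.000000Z\t   15 Query\tcreate function cmd_exec returns int soname 'amd.dll'
2023-11-17T10:05:00.000000Z\t   16 Query\tCREATE FUNCTION geo_dist RETURNS real SONAME 'approved_udf.dll'
""".splitlines()

if __name__ == "__main__":
    udfs, brute = scan_general_log(SAMPLE_LOG)
    print(f"UDF alerts: {udfs}\nBrute-force alerts: {brute}")
```

The general log must be enabled (`general_log=ON`) for these lines to exist; a periodic check of the `mysql.func` table against the same allowlist catches registrations made while logging was off.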

Origins of the Ddostf Botnet

Ddostf, a Chinese-origin malware botnet detected around seven years ago, targets both Linux and Windows systems. On Windows, it ensures persistence by posing as a system service during its initial run and then decrypts its command and control (C2) configuration to establish a connection. The malware gathers information about the host system, such as CPU details, language, Windows version, and network speed, sending this data to its C2.

The C2 server can then send various commands to the botnet client, including different types of DDoS attacks, requests to stop sending system status info, switching to a new C2 address, or downloading and executing a new payload. ASEC notes that Ddostf's ability to connect to a new C2 address sets it apart from most DDoS botnet malware, making it more resilient against takedowns.

To safeguard against these threats, the cybersecurity company recommends MySQL administrators keep their systems updated and use long, unique passwords to protect against brute force and dictionary attacks.

November 17, 2023
