Ddostf Botnet Deploying Attackf on MySQL Servers

The 'Ddostf' botnet is focusing its activity on MySQL servers with the aim of taking control and offering their DDoS capabilities as a service to other cybercriminals.

Researchers at AhnLab Security Emergency Response Center (ASEC) found this threat while regularly checking for dangers targeting database servers. ASEC reveals that Ddostf's operators exploit weaknesses in MySQL setups that haven't been updated or try to break in by guessing weak passwords of administrator accounts. They actively scan the internet for exposed MySQL servers, attempting to breach them by trying various administrator credentials.

For Windows MySQL servers, the attackers use a feature known as user-defined functions (UDFs) to run commands on the compromised system. UDFs in MySQL let users create functions in C or C++ and compile them into a DLL file, expanding the database server's capabilities.

In this case, the attackers create their own UDFs and register them with the database server as a DLL file (amd.dll) with malicious functions, including downloading Ddostf DDoS bot payloads, executing system-level commands, and sending command execution results to the attackers. This UDF abuse helps load the main payload of the attack, the Ddostf bot client, but it could also potentially lead to other malware installations, data theft, and creating backdoors for persistent access.

Origins of the Ddostf Botnet

Ddostf, a Chinese-origin malware botnet detected around seven years ago, targets both Linux and Windows systems. On Windows, it ensures persistence by posing as a system service during its initial run and then decrypts its command and control (C2) configuration to establish a connection. The malware gathers information about the host system, such as CPU details, language, Windows version, and network speed, sending this data to its C2.

The C2 server can then send various commands to the botnet client, including different types of DDoS attacks, requests to stop sending system status info, switching to a new C2 address, or downloading and executing a new payload. ASEC notes that Ddostf's ability to connect to a new C2 address sets it apart from most DDoS botnet malware, making it more resilient against takedowns.

To safeguard against these threats, the cybersecurity company recommends MySQL administrators keep their systems updated and use long, unique passwords to protect against brute force and dictionary attacks.

By Zaib
November 17, 2023
Computer Security
English
November 17, 2023
Computer Security

Popular Posts

As Fears of the Coronavirus Pandemic Spread, So Does...

4 years ago

Microsoft Warns State-Backed Threat Actors Are Using AI in...

4 days ago

Trojan Al11 Malware Detection & Removal - An Essential...

11 months ago

Pinaview is a Fully-Featured Adware App

10 months ago

"Your iCloud is Being Hacked" and "Your iPhone has Been...

7 months ago

What is Lucky Ransomware?

7 months ago

Related Posts

Ransomware

The GandCrab Ransomware Creators Announced Their Retirement, but Poorly Protected MySQL Servers Are Still at Risk

Shortly after its first appearance in early-2018, GandCrab's popularity grew, and it quickly became the most prominent name on the Ransomware-as-a-Service (RaaS) market. GandCrab's commercial success was so massive,... Read more

June 3, 2019
Malware

Sysrv-hello Botnet

The Sysrv-hello Botnet is a malicious project, which has been tracked closely by cybersecurity researchers since December 2020. The criminals behind this campaign are aiming to install a cryptocurrency miner on... Read more

April 26, 2021
Computer Security

Apache Tomcat Servers Targeted by Mirai Botnet Actors

Aqua has recently uncovered a concerning trend where Apache Tomcat servers that are misconfigured and poorly secured are becoming prime targets for a newly orchestrated campaign. This campaign is specifically designed... Read more

July 27, 2023
English
Loading...

Cyclonis Backup Details & Terms

The Free Basic Cyclonis Backup plan gives you 2 GB of cloud storage space with full functionality! No credit card required. Need more storage space? Purchase a larger Cyclonis Backup plan today! To learn more about our policies and pricing, see Terms of Service, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Cyclonis Password Manager Details & Terms

FREE Trial: 30-Day One-Time Offer! No credit card required for Free Trial. Full functionality for the length of the Free Trial. (Full functionality after Free Trial requires subscription purchase.) To learn more about our policies and pricing, see EULA, Privacy Policy, Discount Terms and Purchase Page. If you wish to uninstall the app, please visit the Uninstallation Instructions page.

Home

Products

Cyclonis Backup Cyclonis Password Manager Cyclonis World Time

Support

Help Files FAQs Downloads Inquiries & Support

Company

About Us Contact Us Report Abuse

Legal (Post Merger)

EnigmaSoft Limited (fka Cyclonis Limited)

Cyclonis Backup's Terms of Service Cyclonis Password Manager's EULA Cyclonis World Time's Terms of Service Privacy Policy Cookie Policy Special Discount Offer Terms Additional Terms & Conditions SpyHunter EULA RegHunter EULA EnigmaSoft Privacy Policy & Cookie Policy ESG Privacy Policy & Cookie Policy EnigmaSoft Discount Offer Terms ESG Discount Offer Terms

© 2017-2024 Cyclonis Ltd. CYCLONIS is a trademark of EnigmaSoft Limited (Cyclonis was merged into EnigmaSoft Limited effective November 25, 2023.) All rights reserved.

Registered Office EnigmaSoft Limited: 1 Castle Street, 3rd Floor, Dublin 2 D02 XD82, Ireland.
EnigmaSoft Limited, Private Company Limited by shares, Company Registration Number 597114.

Windows is a trademark of Microsoft, registered in the U.S. and other countries.
Mac, iPhone, iPad and App Store are trademarks of Apple Inc., registered in the U.S. and other countries.
iOS is a registered trademark of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
Android and Google Play are trademarks of Google LLC.