Ddostf Botnet Deploying Attacks on MySQL Servers
The 'Ddostf' botnet is focusing its activity on MySQL servers with the aim of taking control and offering their DDoS capabilities as a service to other cybercriminals.
Researchers at AhnLab Security Emergency Response Center (ASEC) found this threat during their routine monitoring of attacks targeting database servers. ASEC reports that Ddostf's operators exploit vulnerabilities in unpatched MySQL installations or break in by guessing weak administrator passwords. They actively scan the internet for exposed MySQL servers and attempt to breach them by trying various administrator credentials.
For Windows MySQL servers, the attackers use a feature known as user-defined functions (UDFs) to run commands on the compromised system. UDFs in MySQL let users create functions in C or C++ and compile them into a DLL file, expanding the database server's capabilities.
In this case, the attackers create their own UDFs and register them with the database server as a DLL file (amd.dll) whose functions are malicious: they download Ddostf DDoS bot payloads, execute system-level commands, and send the results of those commands back to the attackers. This UDF abuse is how the main payload of the attack, the Ddostf bot client, is loaded, but the same mechanism could also be used to install other malware, steal data, or create backdoors for persistent access.
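The UDF abuse described above leaves two durable traces a defender can audit: a row in the `mysql.func` table for every registered UDF, and the shared library itself, which MySQL only loads from its `plugin_dir`. The following is an added example (not code from the ASEC report): it takes the rows a DBA would get from `SELECT name, dl FROM mysql.func` and a listing of `plugin_dir`, both supplied here as constructed sample data, and flags every UDF whose library is not on an explicit allowlist as well as any loadable library in `plugin_dir` that nobody approved. The function names and the allowlist are assumptions for the example; only `amd.dll` comes from the report.

```python
"""Audit a MySQL server's registered UDFs and plugin_dir for unapproved libraries."""
from dataclasses import dataclass

# Constructed sample rows of mysql.func: (function name, shared library).
# The function names are invented for this example; "amd.dll" is the
# library name reported by ASEC for the Ddostf campaign.
SAMPLE_FUNC_ROWS = [
    ("metaphon", "approved_udf.dll"),
    ("dl_payload", "amd.dll"),
    ("exec_cmd", "amd.dll"),
]

# Constructed listing of the server's plugin_dir (UDF libraries must live here).
SAMPLE_PLUGIN_DIR = ["approved_udf.dll", "amd.dll", "stale.dll", "README.txt"]

# Libraries this deployment knowingly installed (assumption for the example).
APPROVED_LIBRARIES = {"approved_udf.dll"}

LOADABLE_SUFFIXES = (".dll", ".so")


@dataclass(frozen=True)
class Finding:
    kind: str      # "unapproved_udf" or "unapproved_library"
    name: str      # UDF name, or "" for a bare library file in plugin_dir
    library: str


def audit_udfs(func_rows, plugin_dir_files, approved):
    """Return findings for registered UDFs and dropped libraries not on the allowlist."""
    approved = {a.lower() for a in approved}
    findings = []
    referenced = set()
    for name, library in func_rows:
        lib = library.lower()
        referenced.add(lib)
        if lib not in approved:
            findings.append(Finding("unapproved_udf", name, library))
    # A loadable library nobody approved and no UDF references yet is still
    # worth reporting: it may be a payload staged before CREATE FUNCTION runs.
    for fname in plugin_dir_files:
        lib = fname.lower()
        if lib.endswith(LOADABLE_SUFFIXES) and lib not in approved and lib not in referenced:
            findings.append(Finding("unapproved_library", "", fname))
    return findings


def run_audit():
    return audit_udfs(SAMPLE_FUNC_ROWS, SAMPLE_PLUGIN_DIR, APPROVED_LIBRARIES)


if __name__ == "__main__":
    for f in run_audit():
        print(f"{f.kind}: {f.name or '-'} -> {f.library}")
```

On a real server, feed the function the live `mysql.func` rows and the directory listing from `SHOW VARIABLES LIKE 'plugin_dir'`; since UDF registrations survive restarts, an unexpected row is worth investigating even if the library has since been deleted.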
Origins of the Ddostf Botnet
Ddostf, a Chinese-origin malware botnet first detected around seven years ago, targets both Linux and Windows systems. On Windows, it establishes persistence by registering itself as a system service during its initial run, then decrypts its command and control (C2) configuration and connects to the C2 server. The malware gathers information about the host system, such as CPU details, language, Windows version, and network speed, and sends this data to its C2.
The C2 server can then send various commands to the botnet client, including different types of DDoS attacks, requests to stop sending system status info, switching to a new C2 address, or downloading and executing a new payload. ASEC notes that Ddostf's ability to connect to a new C2 address sets it apart from most DDoS botnet malware, making it more resilient against takedowns.
To safeguard against these threats, the cybersecurity company recommends that MySQL administrators keep their systems patched and use long, unique passwords to protect against brute-force and dictionary attacks.