The malware, which Symantec has named Trojan.Chikdos, is injected into MySQL using SQL injection techniques, through a malicious user-defined function which has been dubbed Downloader.Chikdos.
Trojan.Chikdos runs on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, and Windows XP, according to Symantec, while Downloader.Chikdos infects Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP.
Most of the servers that are affected are located in India, China, Brazil and the Netherlands. Compromised servers were being used to attack a Chinese IP address and an American hosting provider, Symantec said.
The Chikdos malware was first documented in 2013, when it was found to be targeting both Linux and Windows servers. However, in this particular instance, only Windows servers running MySQL are affected.
Symantec said variants of Downloader.Chikdos were often randomly named .dll files, the same extension that Windows library files have. The variants could be located in the Lib\, Lib\plugin and Bin\ folders of the MySQL installation.
When the downloader was activated it would make changes as listed under to the Windows registry to enable TerminalServices, which enable a user to control a Windows computer remotely:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\“Enabled” = “0”
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\“EnableAdminTSRemote” = “1”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\“Start” = “2”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\“Start” = “2”
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\“TSEnabled” = “1”
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\“fDenyTSConnections” = “0”
After the crackers gained this access, then the malware would download files from URLs that were hardcoded.
Symantec said it was likely that MySQL servers were chosen because they had more bandwidth and would thus enable bigger attacks.
It is likely that the compromised servers do not have data worth stealing, else it is difficult to rationalise the launching of a DDoS attack.