Security Market Segment LS
Thursday, 29 October 2015 10:55

MySQL Windows servers come under malware attack Featured


Researchers at Symantec say they have discovered a form of malware that attacks MySQL on Windows servers, using them to launch distributed denial of service attacks.

The malware, which Symantec has named Trojan.Chikdos, is injected into MySQL using SQL injection techniques, through a malicious user-defined function which has been dubbed Downloader.Chikdos.

Trojan.Chikdos runs on Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Vista, and Windows XP, according to Symantec, while Downloader.Chikdos infects Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, and Windows XP.

Most of the servers that are affected are located in India, China, Brazil and the Netherlands. Compromised servers were being used to attack a Chinese IP address and an American hosting provider, Symantec said.

The Chikdos malware was first documented in 2013, when it was found to be targeting both Linux and Windows servers. However, in this particular instance, only Windows servers running MySQL are affected.

The Symantec researchers said it was likely that the attackers had used an automated scanner or possibly a worm to compromise the servers and install the user-defined function; such a function "is compiled code that can be called from within MySQL to accomplish some function beyond what the database management system can offer. The UDF lives as a file on the server’s file system".

Symantec said variants of Downloader.Chikdos were often randomly named .dll files, the same extension that Windows library files have. The variants could be located in the Lib\, Lib\plugin and Bin\ folders of the MySQL installation.

When the downloader was activated it would make changes as listed under to the Windows registry to enable TerminalServices, which enable a user to control a Windows computer remotely:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\“Enabled” = “0”
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\“EnableAdminTSRemote” = “1”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\“Start” = “2”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\“Start” = “2”
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\“TSEnabled” = “1”
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\“fDenyTSConnections” = “0”

After the crackers gained this access, then the malware would download files from URLs that were hardcoded.

Symantec said it was likely that MySQL servers were chosen because they had more bandwidth and would thus enable bigger attacks.

It is likely that the compromised servers do not have data worth stealing, else it is difficult to rationalise the launching of a DDoS attack.


You cannot afford to miss this Dell Webinar.

With Windows 7 support ending 14th January 2020, its time to start looking at your options.

This can have significant impacts on your organisation but also presents organisations with an opportunity to fundamentally rethink the way users work.

The Details

When: Thursday, September 26, 2019
Presenter: Dell Technologies
Location: Your Computer


QLD, VIC, NSW, ACT & TAS: 11:00 am
SA, NT: 10:30 am
WA: 9:00 am NZ: 1:00 pm

Register and find out all the details you need to know below.



iTWire can help you promote your company, services, and products.


Advertise on the iTWire News Site / Website

Advertise in the iTWire UPDATE / Newsletter

Promote your message via iTWire Sponsored Content/News

Guest Opinion for Home Page exposure

Contact Andrew on 0412 390 000 or email [email protected]


Sam Varghese

website statistics

Sam Varghese has been writing for iTWire since 2006, a year after the site came into existence. For nearly a decade thereafter, he wrote mostly about free and open source software, based on his own use of this genre of software. Since May 2016, he has been writing across many areas of technology. He has been a journalist for nearly 40 years in India (Indian Express and Deccan Herald), the UAE (Khaleej Times) and Australia (Daily Commercial News (now defunct) and The Age). His personal blog is titled Irregular Expression.



Recent Comments