Beware MySQL servers! Trojan Chikdos ahead!

Posted By: Ljsingh / Oct 29, 2015

Researchers at Symantec have discovered malware that attacks MySQL on Windows servers and then uses the compromised servers to launch DDoS (Distributed Denial of Service) attacks.

They said the malware is named "Trojan.Chikdos". Using SQL injection techniques, it is injected into MySQL through a malicious user-defined function named Downloader.Chikdos.

According to Symantec, the following operating systems are affected by Trojan.Chikdos:

· Windows 2000
· Windows 95
· Windows 98
· Windows Me
· Windows NT
· Windows XP
· Windows Vista

Operating systems affected by Downloader.Chikdos:

· Windows 7
· Windows 95
· Windows Server 2003
· Windows XP
· Windows Server 2008
· Windows 2000
· Windows Vista
· Windows Me
· Windows NT

In this instance only Windows servers running MySQL were affected, but when Chikdos was first documented in 2013 it was found to be targeting both Linux and Windows servers. According to Symantec, the compromised servers were being used in attacks involving a Chinese IP address and an American hosting provider. Most of the affected servers are located in the Netherlands, Brazil, China and India.

The attackers used an automated scanner and a worm to compromise the servers. They then installed a user-defined function (UDF): compiled code that can be called from within MySQL. On the server's file system, a UDF lives as a file.

Variants of Downloader.Chikdos were often randomly named .dll files (the extension Windows uses for library files), located in the Lib\, Lib\plugin and Bin\ folders of the MySQL installation.

Once activated, the downloader makes the following changes in the Windows registry to enable Terminal Services:

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer\"EnableAdminTSRemote" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService\"Start" = "2"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\"fDenyTSConnections" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache\"Enabled" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD\"Start" = "2"

Once the attackers have gained access, the malware downloads files from hard-coded URLs. The end result is that the compromised servers are used in Distributed Denial of Service (DDoS) attacks.
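For administrators who want to check a Windows MySQL host against the indicators described above, here is an added PowerShell audit script (not part of the original post or of Symantec's report). It checks the five registry values, inventories DLLs in the MySQL lib, lib\plugin and bin folders, and shows how to list registered UDFs; the MySQL base directory path is an assumption to adjust for your installation.

```powershell
# Added example: audit a Windows MySQL host for the Chikdos indicators above.
# $MySqlBase is an assumed path; change it to your MySQL installation directory.
$MySqlBase = 'C:\Program Files\MySQL\MySQL Server 5.6'

# Registry values the downloader is described as writing, with the value it sets.
# A match is a finding to investigate, not proof of infection (admins may set these too).
$Indicators = @(
  @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer'; Name = 'EnableAdminTSRemote'; Bad = 1 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermService';  Name = 'Start';               Bad = 2 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'; Name = 'fDenyTSConnections'; Bad = 0 },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache'; Name = 'Enabled';         Bad = 0 },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\TermDD';       Name = 'Start';               Bad = 2 }
)

function Test-ChikdosRegistry {
  # Emit one object per registry value that currently matches the malware's setting.
  foreach ($i in $Indicators) {
    $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { continue }          # key or value absent: nothing to report
    $val = $item.($i.Name)
    if ([int]$val -eq $i.Bad) {
      [pscustomobject]@{ Check = 'Registry'; Detail = "$($i.Path)\$($i.Name) = $val" }
    }
  }
}

function Get-MySqlLibraryFiles {
  # Inventory every .dll in the folders the article names, with timestamp and hash,
  # so they can be compared against a known-good install or the vendor package.
  foreach ($sub in 'lib', 'lib\plugin', 'bin') {
    $dir = Join-Path $MySqlBase $sub
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter '*.dll' -File | ForEach-Object {
      $hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
      [pscustomobject]@{
        Check  = 'DLL'
        Detail = "$($_.FullName) modified=$($_.LastWriteTime.ToString('u')) sha256=$hash"
      }
    }
  }
}

Test-ChikdosRegistry | Format-Table -AutoSize
Get-MySqlLibraryFiles | Format-Table -AutoSize

# UDFs registered with the server are recorded in the mysql.func table; from an
# administrative session, compare the listed library names against the inventory above:
#   mysql -u root -p -e "SELECT name, dl FROM mysql.func;"
```

Run from an elevated PowerShell session, since the HKLM keys and the MySQL program folder are not readable by every account.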
