MySQL servers targeted by 'Ddostf' DDoS-as-a-Service botnet

MySQL servers are being targeted by the 'Ddostf' malware botnet to enslave them for a DDoS-as-a-Service platform whose firepower is rented to other cybercriminals.

This campaign was discovered by researchers at the AhnLab Security Emergency Response Center (ASEC) during their regular monitoring of threats targeting database servers.

ASEC reports that Ddostf's operators either leverage vulnerabilities in unpatched MySQL environments or brute-force weak administrator account credentials to breach the servers.

Exploitation of UDF

The attackers are scanning the internet for exposed MySQL servers and, when found, attempt to breach them by brute-forcing administrator credentials.

For Windows MySQL servers, the threat actors use a feature called user-defined functions (UDFs) to execute commands on the breached system.

UDF is a MySQL feature that allows users to define functions in C or C++ and compile them into a DLL (dynamic link library) file that extends the capabilities of the database server.

The attackers, in this case, create their own UDFs and register them with the database server as a DLL file (amd.dll) with the following malicious functions:

• Downloading payloads like the Ddostf DDoS bot from a remote server.
• Executing arbitrary system-level commands sent by the attackers.
• Output the results of command execution to a temporary file and send them to the attackers.

The UDF abuse facilitates loading the primary payload of this attack, the Ddostf bot client. 

However, it can also potentially allow other malware installation, data exfiltration, creation of backdoors for persistent access, and more.

Ddostf details

Ddostf is a malware botnet of Chinese origin, first spotted in the wild roughly seven years ago, and targets both Linux and Windows systems.

On Windows, it establishes persistence by registering itself as a system service upon first running and then decrypts its C2 (command and control) configuration to establish a connection.

The malware profiles the host system and sends data such as CPU frequency and number of cores, language information, Windows version, network speed, etc., to its C2.

The C2 server may send DDoS attack commands to the botnet client, including SYN Flood, UDP Flood, and HTTP GET/POST Flood attack types, request to stop transmitting system status info, switch to a new C2 address, or download and execute a new payload.

ASEC comments that Ddostf's ability to connect to a new C2 address makes it stand out from most DDoS botnet malware and is an element that gives it resilience against takedowns.

The cybersecurity company suggests that MySQL admins apply the latest updates and pick long, unique passwords to protect admin accounts from brute force and dictionary attacks.