Symantec published a blog post yesterday regarding MySQL and the Trojan.Chikdos.A as can be seen here
The Symantec post gives details of the Trojan's behaviour and its effects on the Windows system registry, yet gives little detail as to how the required first stage (namely a malicious UDF) is injected, citing:
“In the latest Chikdos campaign that we observed, the attackers likely used an automated scanner or possibly a worm to compromise MySQL servers and install the UDF.”
I’m going to give my thoughts on the pre-requisites to infection here.
- The MySQL server has poor network isolation (i.e. it is likely accessible from anywhere, as the shodan.io examples show)
- The MySQL user has poor (read: overly permissive) grants, e.g. “GRANT ALL”
- The MySQL @@GLOBAL.plugin_dir is writable (likely poor file ACLs and no mandatory access control such as SELinux / AppArmor)
This is essentially the same method I discussed at PLUK13 and revisited at PLMCE14. There are YouTube videos embedded in each post showing the attack against a Linux deployment; the three prerequisites above, however, should hold equally on Windows.
So what is the real takeaway here?
- Ensure you properly isolate your MySQL service on the network, allowing access only from the known hosts that require it.
- There really is no reason at all to have the service accessible from everywhere on the Internet.
- Ensure your user grants follow the Principle of Least Privilege, i.e. grant only the access a user needs to do the job they are supposed to be doing.
- Never EVER chmod 777 / setenforce 0
I can see that last point raising some arguments; please keep in mind that we’re talking about the security of your MySQL data here. Simply turning off security measures “to make it work” is a recipe for disaster.
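As an added example (not from the original post or from Symantec), the statements below let a DBA check each of the three prerequisites listed above from the SQL side and then apply the least-privilege grant recommended in the takeaways. They target a standard MySQL 5.6+ server; the account, host, subnet and database names are placeholders.

```sql
-- Added audit / hardening example; not part of the original post.
-- Run from an administrative account on the server under review.

-- Prerequisite 1: accounts reachable from any source host.
-- A host of '%' (or an empty host) means "connect from anywhere".
SELECT user, host
FROM mysql.user
WHERE host IN ('%', '');

-- Prerequisite 2: overly permissive grants. Installing a UDF needs the
-- ability to place a library on the server (FILE lets SQL clients write
-- server-side files) and to run CREATE FUNCTION (INSERT on the mysql
-- schema); GRANT ALL hands over both, plus SUPER.
SELECT grantee, privilege_type
FROM information_schema.user_privileges
WHERE privilege_type IN ('FILE', 'SUPER', 'CREATE', 'INSERT')
ORDER BY grantee, privilege_type;

-- Prerequisite 3: where mysqld loads plugins from, whether SQL-driven file
-- writes are confined, and which interface the server listens on.
-- secure_file_priv = '' means unrestricted; NULL disables file writes.
-- Check on the host that plugin_dir is owned by root, mode 0755, and not
-- writable by the mysqld user; a writable plugin_dir is the whole problem.
SELECT @@GLOBAL.plugin_dir,
       @@GLOBAL.secure_file_priv,
       @@GLOBAL.bind_address;

-- Takeaway (least privilege): replace a GRANT ALL account reachable from
-- everywhere with one limited to the tables it needs and to a known subnet.
-- 'appuser', '10.0.1.%', 'appdb' and 'olduser' are placeholder values.
CREATE USER 'appuser'@'10.0.1.%' IDENTIFIED BY 'replace-with-a-strong-password';
GRANT SELECT, INSERT, UPDATE, DELETE ON appdb.* TO 'appuser'@'10.0.1.%';

REVOKE ALL PRIVILEGES, GRANT OPTION FROM 'olduser'@'%';
DROP USER 'olduser'@'%';
FLUSH PRIVILEGES;

-- Confirm the result: no FILE, SUPER or global CREATE should appear here.
SHOW GRANTS FOR 'appuser'@'10.0.1.%';
```

The network-isolation item is fixed outside SQL: set bind_address in my.cnf to the interface your application hosts reach, and firewall port 3306 to those hosts. The file-ACL item is likewise a host check (ownership and mode of the directory printed by @@GLOBAL.plugin_dir, and SELinux / AppArmor left enforcing), which is exactly why the post's last takeaway is not negotiable.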