Well, this is embarrassing. MySQL.com has been hacked (fixed by now), and was turned into a platform serving malware to unsuspecting visitors. The criminals did this by injecting a script which redirected visitors to a website which uses the BlackHole exploit pack, which probes the browser used and serves up an appropriate exploit. Computer security blogger Brian Krebs saw root access to MySQL.com being offered for $3000 only a few days ago.
Armorize was the first to detail how the exploit works – and in quite some detail, too, including code samples and such. Basically, a script redirects the visitor to a website which hosts a BlackHole exploit pack.
“[The BlackHole exploit pack] exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge,” Armorize explains, “The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.”
This piece of malware is only detected by a small number of security software packages (4 our of 44). What, exactly, the malware does is a mystery – and by that I mean a mystery to me, since nobody seems to mention what it does.
Interestingly enough, a few days ago, Krebz noted that on an exclusive Russsian hacker forum, someone by the nickname of ‘sourcecode’ offered root access to MySQL.com, which is a very lucrative site to attack due to its 12 million visitors per month. The hacked version of MySQL.com was up for seven hours, meaning 12000 visitors were exposed to the BlackHole exploit pack.
“The ultimate irony of this attack is that the owner of mysql.com is Oracle Corp., which also owns Java, a software suite that I have often advised readers to avoid due to its numerous security and update problems,” Krebz notes, “As I’ve noted in several blog posts, Java exploits are the single most effective attacks used by exploit kits like BlackHole; currently, four out of nine of the exploits built into BlackHole attack Java vulnerabilities.”
Well, I need Java for Minecraft. So there.
In case you’re curious to see what happened when an unsuspecting user browsed to the compromised site, Armorize has posted a video showing what happened.