Malware Used to Launch DDoS Attacks

Attackers Compromise High-Bandwidth MySQL Servers
Attackers have been using the Chikdos malware to compromise high-bandwidth MySQL servers around the world for the purpose of launching distributed denial-of-service attacks, according to security firm Symantec.

Security researcher Gavin O Gorman of Symantec says the company has seen a spike in DDoS attacks that trace to Chikdos-infected Windows systems.

Beyond that particular piece of malware, however, numerous security experts have been warning that the quantity of DDoS attacks has been surging, aided in part by a growing number of Linux servers becoming infected with DDoS malware. Many DDoS disruptions have also been lasting longer. Security firm Kaspersky Lab reports that the longest such attack that it has witnessed this year ran for about 320 hours, or 13 days, besting the year's previous record of 205 hours, or 8.5 days.

Chikdos Targets MySQL Servers

Symantec says that it does not know which attackers or groups have been using Chikdos to infect servers, nor did it specify which organizations' servers had been compromised. But it said the majority of targeted servers are located in India, China, Brazil and the Netherlands. Two of the compromised servers identified by Symantec were also launching DDoS attacks against a U.S. hosting provider, as well as an IP address based in China.

Gorman says that blocking these recent attacks from MySQL servers requires administrators to lock down those servers, for example by not allowing them to be run with administrator-level privileges, keeping them patched, and proactively testing for - and eliminating - all SQL injection vulnerabilities. In addition, "check for the presence of new user accounts and ensure that remote access services are configured securely," he says.
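As an added example (not from Symantec or the original article), the checks listed above can be scripted against an export of the `mysql.user` table compared with an approved baseline. The rows, baseline and service account below are constructed, and reading "new user accounts" as MySQL accounts is an assumption.

```python
# Added example: audit MySQL accounts and the server's OS identity.
# All data here is constructed for illustration.

# OS identities treated as administrator-level (assumed list).
ADMIN_OS_ACCOUNTS = {"root", "localsystem", "system", "administrator"}
# Privilege columns of mysql.user that this audit watches.
PRIV_COLUMNS = ("File_priv", "Super_priv")

# Approved accounts and the privileges each is allowed to hold (constructed).
BASELINE = {
    "root@localhost": {"File_priv", "Super_priv"},
    "webapp@10.0.0.5": set(),
}

# Constructed rows, shaped like: SELECT User, Host, File_priv, Super_priv FROM mysql.user
SAMPLE_ROWS = [
    {"User": "root", "Host": "localhost", "File_priv": "Y", "Super_priv": "Y"},
    {"User": "webapp", "Host": "10.0.0.5", "File_priv": "Y", "Super_priv": "N"},
    {"User": "backup", "Host": "%", "File_priv": "N", "Super_priv": "N"},
]


def audit_mysql(rows, baseline, service_account):
    """Return (subject, finding) tuples for deviations from the baseline."""
    findings = []
    # Check 1: the database server should not run with admin-level privileges.
    if service_account.lower() in ADMIN_OS_ACCOUNTS:
        findings.append(("mysqld", "runs as admin-level OS account " + service_account))
    for row in rows:
        account = "{}@{}".format(row["User"], row["Host"])
        allowed = baseline.get(account)
        # Check 2: accounts that nobody approved.
        if allowed is None:
            findings.append((account, "account not in baseline"))
            allowed = set()
        # Check 3: remote access open to a wildcard host pattern.
        if "%" in row["Host"]:
            findings.append((account, "wildcard host pattern allows remote login"))
        # Check 4: powerful privileges that the baseline does not grant.
        for priv in PRIV_COLUMNS:
            if row.get(priv) == "Y" and priv not in allowed:
                findings.append((account, priv + " granted beyond baseline"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_mysql(SAMPLE_ROWS, BASELINE, "LocalSystem"):
        print(subject + ": " + finding)
```
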

The Chikdos malware was first spotted in the wild infecting both Linux and Windows systems in December 2013 by Poland's computer emergency response team, CERT Polska.

More recent variants of the malware have been targeting servers that run MySQL, which is the world's second most popular database management system. "Given that Chikdos is used to perform DDoS attacks from the infected system, we believe that the attackers compromised MySQL servers to take advantage of their large bandwidth," Gorman says. "With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets."

Similar behavior was seen in the long-running DDoS attacks against U.S. financial services firms from 2012 to 2013 - known as Operation Ababil - which involved attackers compromising a large number of high-bandwidth PHP servers from which they launched their attacks.

CCTV Botnet Launches Attacks

On a smaller scale, researchers at DDoS defense firm Imperva Incapsula last month reported finding that 900 Internet-connected CCTVs - closed circuit television devices - from around the world had been compromised and used to launch HTTP flooding attacks against unnamed Imperva clients. This type of DDoS attack uses HTTP browser requests to attempt to overwhelm a targeted Web server.

"The attack was run of the mill, peaking at 20,000 requests per second," the researchers say. "Further investigation of the offending IPs showed that they belonged to CCTV cameras, all accessible via their default login credentials." They add that their findings highlight the threat posed by all Internet of Things devices that ship with default credentials, which are easy for attackers to access if those credentials remain unchanged (see The Internet of Buggy Things).

"Whether it is a router, a WiFi access point or a CCTV camera, default factory credentials are there only to be changed upon installation," the researchers say. "Please do so."

DDoS Attacks Surge

Beyond the Chikdos and CCTV infections, DDoS-related attacks continue to increase. Indeed, from June to September, DDoS defense firm Verisign reports that the number of DDoS attacks it saw in the wild increased by 53 percent. Imperva Incapsula says that in the same timeframe, it saw attacks increase by 109 percent.

Meanwhile, Kaspersky Lab says that it has seen the percentage of DDoS attacks launched by infected Linux systems - versus Windows - grow to 46 percent from 38 percent.

DDoS attacks remain a favorite tool sold and utilized by cybercrime gangs, including Lizard Squad, because they are relatively simple to launch, can be very effective at disrupting websites and also seem to attract a nonstop number of buyers. In part, that's because gangs such as DDoS for Bitcoin - or DD4BC - have found that just threatening to disrupt an organization's website can be a lucrative extortion technique (see: FFIEC Issues Extortion Attack Alert).

Theoretically, the criminals who provide these DDoS-for-hire services might be arrested and their services shuttered. But as security expert Troy Hunt has noted, the cross-border nature of many DDoS services - providers, customers and victims may all be located in different countries - means that to date, law enforcement agencies appear to have had little success in dismantling DDoS-as-a-service rings (see How Do We Catch Cybercrime Kingpins?).

About the Author

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.
