MySQL.com was compromised and was being used to serve malware to visitors running Windows for a short time Monday. The Oracle-owned site quickly responded to the hack, however, and removed the malware to stop the infections.
Security vendor Armorize Technologies discovered the attack early Monday morning. According to Armorize chief executive Wayne Huang in a blog post, “it exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,…), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge.”
Armorize also added that “the visitor doesn’t need to click or agree to anything; simply visiting MySQL.com with a vulnerable browsing platform will result in an infection.”
Huang said that his team had yet to determine the goal of the attack, but that attackers typically install such malware to enlist victims' machines in a botnet that can be rented out, or to steal the victims' passwords. He also added that he did not know how dangerous the infection would be to the systems hit, and that the malware would persist across a reboot of the machine.
The intermediate redirection site was found to be located in Germany, while the final site that actually hosted the malware was located in Sweden.
The Armorize blog also showed a video explaining how the infection spread on the visitors’ machines. It added that only 4 out of 44 vendors on the VirusTotal site could detect the malware.
~Hillary O'Rourke, Contributor