Want CNET to notify you of price drops and the latest stories?

Hacked MySQL.com used to serve Windows malware

Open-source software provider cleans up infection but back doors may remain, Armorize says.

Elinor Mills Former Staff Writer
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service and the Associated Press.
Elinor Mills
2 min read
This screenshot is from the Armorize video created to show exactly how a visitor to MySQL.com was infected before the infection was cleaned up.
This screenshot is from the Armorize video created to show exactly how a visitor to MySQL.com was infected before the infection was cleaned up. Armorize

The MySQL site, whose open-source repository serves some of the most popular Web sites, has been hacked and was being used to serve malware to visitors running Windows before it was cleaned up today, a security firm said.

Armorize Chief Executive Wayne Huang and some of his firm's researchers warned about the attack in a blog post today.

MySQL.com acted quickly to remove the malware so computers would stop getting infected, but Huang told CNET he did not know how long site visitors were vulnerable or how many may have been infected. Armorize estimated that MySQL.com gets more than 100,000 page views a day and more than 34,000 unique daily visitors.

"The infection rate tends to be high for these types of attacks," he said. "They handled it very quickly but that doesn't mean they cleaned up the backdoors the attackers left" on the site.

Huang said he did not know how dangerous an infection would be to a computer that was hit with one, except to say that the malware would be very difficult to clean up and would still be running on the machine even after a reboot.

"We haven't gone in depth in analyzing what this particular piece of malware does," he said. "We know it changes some of your Windows .dlls (Dynamic-link libraries), probably to make sure it is permanently installed and running all the time. You may be able to clean it up, but it won't be a trivial process."

MySQL.com representatives could not be reached for comment this afternoon. Representatives from Oracle, which owns MySQL.com, did not immediately respond to e-mails and calls seeking comment.

Before the infection was removed, the compromise redirected traffic to a BlackHole exploit pack that forces the browser to install a piece of malware on the machine, according to the Armorize Malware Blog.

"It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java,...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge," the blog says. "The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection."

The Armorize blog also has a video showing how a visitor's machine could have gotten infected from the MySQL.com site. Only 4 out of 44 vendors on VirusTotal site can detect the malware, Armorize said.

Meanwhile, Brian Krebs of the Krebs on Security blog said he had noticed someone selling administrative access to MySQL.com on an exclusive Russian underground hacker forum a few days ago for $3,000.

"i think it's very likely that it's related, esp with these Russian forums," said Huang.