Malware & MySQL – Believe it!
June 3, 2008 – 11:16 AM
Most malware stores stolen credentials and information in makeshift text files, which are then forwarded to the author by email or another protocol. However, more scalable and robust solutions are becoming popular in the malware community. In particular, it is increasingly common for malware to parse remote text files to determine where additional malicious modules should be downloaded from; this gives the author dynamic flexibility compared with the typical approach of hardcoding executable locations. Today we will look at an example built with even more scalability in mind: it uses a remote MySQL database both to store its stolen information and to retrieve additional malicious modules and script code.
The MySQL Database
The malware constructs a MySQL statement, INSERT INTO pakote.infect (tudo) VALUES ('PCNAME'), that, when executed, stores your computer name in a table titled 'infect' inside the 'pakote' database. The statement is sent to and executed by a remote MySQL database, which is in fact hosted for free by a service called db4free. Not surprisingly, the malware's ability to make database-driven calls rests on an existing library, Zeoslib, a popular Delphi component that provides connectivity to a variety of databases such as MySQL, MS SQL, and Sybase.
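From a detection standpoint, the useful property of this sample is that its exfiltration rides the plain MySQL wire protocol to port 3306, so a network sensor can recover the SQL text from the client's COM_QUERY packets and spot an INSERT that carries the local host's name. The script below is an added example written for this post, not code from the malware or from Zeoslib; it frames constructed packets using the real MySQL client protocol (3-byte little-endian length, 1-byte sequence id, 0x03 command byte) and assumes the sensor hands it the raw client-to-server byte stream. The computer name WORKSTATION-07 and the scan_stream, extract_queries and flag_exfil_insert helpers are all constructed for the example.

```python
import re
import struct

# Constructed sample: the statement described in the post, with a made-up
# computer name standing in for PCNAME.
COMPUTER_NAME = "WORKSTATION-07"
SAMPLE_QUERY = f"INSERT INTO pakote.infect (tudo) VALUES ('{COMPUTER_NAME}')"


def build_com_query(sql: str, seq: int = 0) -> bytes:
    """Frame an SQL string as a MySQL COM_QUERY packet.

    Wire format: 3-byte little-endian payload length, 1-byte sequence id,
    then payload = 0x03 (COM_QUERY) followed by the query text.
    """
    payload = b"\x03" + sql.encode("utf-8")
    header = struct.pack("<I", len(payload))[:3] + bytes([seq & 0xFF])
    return header + payload


def parse_packets(stream: bytes):
    """Yield (sequence_id, payload) for each complete MySQL packet.

    A truncated trailing packet (common at the end of a capture) ends the
    walk quietly instead of raising.
    """
    offset = 0
    while offset + 4 <= len(stream):
        length = int.from_bytes(stream[offset:offset + 3], "little")
        seq = stream[offset + 3]
        end = offset + 4 + length
        if end > len(stream):
            break  # incomplete packet: stop rather than mis-parse
        yield seq, stream[offset + 4:end]
        offset = end


def extract_queries(stream: bytes):
    """Return the SQL text of every COM_QUERY packet found in the stream."""
    queries = []
    for _seq, payload in parse_packets(stream):
        if payload and payload[0] == 0x03:
            queries.append(payload[1:].decode("utf-8", errors="replace"))
    return queries


# Loose INSERT ... VALUES (...) matcher; enough for a first-pass heuristic.
INSERT_RE = re.compile(
    r"^\s*INSERT\s+INTO\s+([\w.]+)\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)


def flag_exfil_insert(sql: str, local_hostname: str):
    """Return a finding dict when an INSERT writes the local hostname to a
    remote table, otherwise None."""
    m = INSERT_RE.match(sql)
    if not m:
        return None
    table, columns, values = m.groups()
    if local_hostname.lower() in values.lower():
        return {"table": table, "columns": columns.strip(), "leaks": "hostname"}
    return None


def scan_stream(stream: bytes, local_hostname: str):
    """Run the heuristic over every query recovered from a client stream."""
    findings = []
    for sql in extract_queries(stream):
        finding = flag_exfil_insert(sql, local_hostname)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    # Constructed capture: the exfiltration INSERT, a harmless query, and a
    # truncated packet tail.
    capture = (
        build_com_query(SAMPLE_QUERY, 0)
        + build_com_query("SELECT 1", 0)
        + b"\x10\x00\x00\x00\x03SELE"
    )
    for f in scan_stream(capture, COMPUTER_NAME):
        print("exfil suspected:", f)
```

Pairing this kind of content inspection with egress policy is the practical mitigation: workstations rarely have a legitimate reason to open outbound connections to port 3306 on a free database-hosting service, so a connection to such a host is itself a strong signal even before the query text is decoded.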