Malware that uses a shared, hosted database for its command and control, essentially a service-based model, has been detected.
According to research by Imperva, the Database-as-a-Service (DBaaS) model lets attackers set up a shared platform to host command and control (C&C) servers. Imperva claimed that this model gives illegitimate users easier access to data, from both inside and outside the service, and serves them for botnet management and as infrastructure for both infection and data exfiltration.
Imperva detected the technique this summer when it analysed malware that used a popular MSSQL hosting service for both its C&C functionality and its storage. “Overall, we found five different C&C databases and two storage databases hosted with the same service provider. Two of them were found on the same server hosting the original C&C database,” it said.
Upon infecting a victim, the research found, the malware initiates a connection to a remote (hosted) MSSQL database server, using the local SQLOLEDB provider for this communication. The logon to the database is done over SSL, so the logon credentials are encrypted in transit. Note that this protects only the logon; whether the queries and data that follow are also encrypted depends on the encryption level the client and server negotiate.
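The behaviour described above leaves a network signature a defender can look for: an endpoint opening a TDS (the MSSQL wire protocol) session to a host outside the organisation. The following is an added example, not Imperva's code or anything from the report, that parses the TDS PRELOGIN packet a client sends first, reads the encryption level it requests, and flags such sessions leaving the internal address ranges. The packet layout follows the MS-TDS specification; the flows, addresses (RFC 5737 documentation ranges) and internal network list are constructed for the example. ENCRYPT_OFF is the TDS default in which only the login packet is wrapped in TLS and the rest of the session runs in the clear, which matches the "logon over SSL" observation and means the C&C queries after the logon remain visible to network monitoring.

```python
"""Added example (not Imperva's code): flag endpoints that speak TDS, the
MSSQL wire protocol, to hosts outside the organisation, and report which
encryption level each client asked for in its PRELOGIN packet.
Packet layout follows MS-TDS (PRELOGIN message: option table ended by 0xFF)."""
import ipaddress
import struct

TDS_PRELOGIN = 0x12          # packet type of the PRELOGIN message
MSSQL_PORT = 1433
ENCRYPT_NAMES = {0x00: "ENCRYPT_OFF", 0x01: "ENCRYPT_ON",
                 0x02: "ENCRYPT_NOT_SUP", 0x03: "ENCRYPT_REQ"}
OPTION_NAMES = {0x00: "VERSION", 0x01: "ENCRYPTION", 0x02: "INSTOPT",
                0x03: "THREADID", 0x04: "MARS"}


def build_prelogin(encryption: int) -> bytes:
    """Build a minimal client PRELOGIN packet (used to construct sample traffic)."""
    options = [(0x00, b"\x0b\x00\x0b\x00\x00\x00"),  # VERSION: 6 bytes
               (0x01, bytes([encryption])),          # ENCRYPTION: 1 byte
               (0x02, b"\x00"),                      # INSTOPT: empty instance name
               (0x03, b"\x00\x00\x00\x00"),          # THREADID: 4 bytes
               (0x04, b"\x00")]                      # MARS off
    offset = 5 * len(options) + 1                    # data starts after table + 0xFF
    table, data = b"", b""
    for opt, value in options:
        table += struct.pack(">BHH", opt, offset, len(value))
        data += value
        offset += len(value)
    payload = table + b"\xff" + data
    # header: type, status (0x01 = end of message), length, SPID, packet id, window
    header = struct.pack(">BBHHBB", TDS_PRELOGIN, 0x01, 8 + len(payload), 0, 1, 0)
    return header + payload


def parse_prelogin(packet: bytes):
    """Return the PRELOGIN options of a TDS packet, or None if it is not one."""
    if len(packet) < 8:
        return None
    ptype, _status, length, _spid, _pid, _win = struct.unpack(">BBHHBB", packet[:8])
    if ptype != TDS_PRELOGIN or length < 8 or length > len(packet):
        return None                                  # wrong type or truncated
    payload = packet[8:length]
    options, pos = {}, 0
    while pos < len(payload) and payload[pos] != 0xFF:
        if pos + 5 > len(payload):
            return None
        opt, off, ln = struct.unpack(">BHH", payload[pos:pos + 5])
        if off + ln > len(payload):
            return None                              # option points past the packet
        options[OPTION_NAMES.get(opt, f"OPTION_{opt:#04x}")] = payload[off:off + ln]
        pos += 5
    if pos >= len(payload):                          # option table never terminated
        return None
    enc = options.get("ENCRYPTION")
    return {"encryption": ENCRYPT_NAMES.get(enc[0], "UNKNOWN") if enc else None,
            "options": options}


def flag_external_mssql(flows, internal_nets=("10.0.0.0/8", "172.16.0.0/12",
                                              "192.168.0.0/16")):
    """flows: (src_ip, dst_ip, dst_port, first_client_bytes).
    Returns alerts for TDS sessions (or anything on 1433) leaving internal ranges."""
    nets = [ipaddress.ip_network(n) for n in internal_nets]
    alerts = []
    for src, dst, dport, first_bytes in flows:
        if any(ipaddress.ip_address(dst) in net for net in nets):
            continue                                 # internal database traffic: expected
        pre = parse_prelogin(first_bytes)
        if pre is None and dport != MSSQL_PORT:
            continue                                 # neither TDS nor the MSSQL port
        alerts.append({"src": src, "dst": dst, "dport": dport,
                       "tds": pre is not None,
                       "encryption": pre["encryption"] if pre else None})
    return alerts


# Constructed sample flows (RFC 5737 documentation addresses, not real hosts)
SAMPLE_FLOWS = [
    ("10.1.2.3", "10.9.9.9", 1433, build_prelogin(0x00)),          # internal DB: ignore
    ("10.1.2.4", "203.0.113.10", 1433, build_prelogin(0x00)),      # hosted DB, login-only TLS
    ("10.1.2.5", "198.51.100.7", 8443, build_prelogin(0x01)),      # TDS on a non-standard port
    ("10.1.2.6", "198.51.100.8", 443, b"\x16\x03\x01\x00\x5c\x01"),  # ordinary TLS: ignore
]

if __name__ == "__main__":
    for alert in flag_external_mssql(SAMPLE_FLOWS):
        print(alert)
```

Matching on the PRELOGIN packet rather than on the port alone catches a client that has been pointed at a hosted database listening elsewhere, while still flagging unrecognised traffic on 1433; in practice the internal range list would come from the site's own address plan, and the alert would be enriched with the process that opened the socket.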
The analysis found that in total about 350 compromised machines were registered in the databases it examined, all infected between February and June 2013. The databases were also well organised: they shared the same table structure and contained the same set of user-defined stored procedures.
“Given all the evidence, it seems that criminal hackers are only a small step away from using off-the-shelf malware for generic database access inside the enterprise. Once their motivation and business model becomes clear, whatever they lack in terms of technology they are certain to achieve. At that point, internal data stores of many more organizations are going to be part of the attack surface,” it said.
“Our research suggests that we will soon see autonomous malware targeting internal databases within organisations – which we believe would lead to a greater risk of infection and compromise within a network,” said Amichai Shulman, chief technology officer at Imperva.