The main Web site of MySql.com has been compromised and on Monday afternoon was serving malware to visitors for a short time through the use of JavaScript redirects. The site, which is owned by Oracle, was sending victims off to a remote site that is using the BlackHole exploit kit to install malware on their machines.
The attack uses several stages and bounces victims to a couple of different sites during the process. Researchers at Armorize found that the main home page of MySql.com was compromised sometime on Monday and discovered that visitors hitting the site were quietly forced to load a JavaScript file. That file eventually creates an iframe that then redirects the victim to a page hosted at falosfax.in and then on to another page at hxxp://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php. The attack was disabled by mid-afternoon Monday.
Once on that page, the victim’s machine was attacked by the BlackHole exploit kit, which the remote site apparently is hosting, according to Armorize’s research. BlackHole is one of a number of exploit packs that is in wide use right now, and it contains pre-loaded exploits for vulnerabilities in browsers, as well as common components and plug-ins such as Flash.
“This domain hosts the BlackHole exploit pack. It exploits the visitor’s browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, …), and upon successful exploitation, permanently installs a piece of malware into the visitor’s machine, without the visitor’s knowledge. The visitor doesn’t need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection,” Armorize’s Wayne Huang said in a blog poast.
The intermediate redirection site is located in Germany, while the final site that’s serving the exploits is apparently located in Sweden. This kind of drive-by download attack is quite common and has been a favorite technique of attackers for several years now, and it often involves using JavaScript to redirect users to one or more sites in order to land them on a page that ultimately serves them malware.
MySQL is a database platform that originally was owned by an independent entity, but was purchased by Sun Microsystems in 2008, and later became part of Oracle when that company bought Sun in 2009.