Because UDF files let a MySQL server carry out operations on the host that ordinary SQL statements cannot reach, the attackers call the uploaded UDF, which then downloads a more dangerous trojan, detected as Trojan.Chikdos.A.
This trojan is a variant of the Trojan.Chikdos malware, specialized in carrying out DDoS attacks.
Webmasters who want to check whether this malware has infected them should look for randomly named .dll files in the following folders: \Lib\, \Lib\plugin\, and \Bin\.
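A defender-side check for the indicator above, added here as an example and not code from the article or from Symantec. The baseline DLL names and the "random-looking name" heuristic are assumptions; the sample install tree is constructed for the dry run.

```python
import os
import re
import tempfile

# Folders the advisory names, relative to the MySQL base directory (Windows layout).
SUSPECT_DIRS = ("Lib", os.path.join("Lib", "plugin"), "Bin")

# Assumed baseline: DLL stems the administrator knows belong to the install.
KNOWN_STEMS = {"libmysql", "libmysqld", "ha_example", "semisync_master"}

# Heuristic (assumption): letters and digits mixed, no separators, e.g. 'xkq9z2mw'.
RANDOM_STEM = re.compile(r"^(?=.*[a-z])(?=.*\d)[a-z0-9]{6,32}$", re.I)


def looks_random(stem):
    """True when the file stem matches the random-name heuristic."""
    return RANDOM_STEM.match(stem) is not None


def scan_mysql_dir(base):
    """Return sorted (relative path, reason) for unexpected DLLs in the suspect folders."""
    hits = []
    for rel in SUSPECT_DIRS:
        folder = os.path.join(base, rel)
        if not os.path.isdir(folder):
            continue
        for name in os.listdir(folder):
            stem, ext = os.path.splitext(name)
            if ext.lower() != ".dll" or stem.lower() in KNOWN_STEMS:
                continue
            reason = "random-looking name" if looks_random(stem) else "not in baseline"
            hits.append((os.path.join(rel, name), reason))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample install for a dry run; the files are empty, not real malware."""
    base = tempfile.mkdtemp()
    layout = {
        "Lib": ["libmysql.dll", "libmysqld.dll"],
        os.path.join("Lib", "plugin"): ["ha_example.dll", "xkq9z2mw.dll"],
        "Bin": ["mysqld.exe", "q7hd3kpv.dll"],
    }
    for rel, names in layout.items():
        os.makedirs(os.path.join(base, rel))
        for name in names:
            open(os.path.join(base, rel, name), "wb").close()
    return base


if __name__ == "__main__":
    for path, reason in scan_mysql_dir(build_sample_tree()):
        print(f"{path}: {reason}")
```

Point `scan_mysql_dir` at the real MySQL base directory and extend `KNOWN_STEMS` from a clean reference install; anything reported deserves a hash lookup and a look at the UDFs registered on the server.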
According to Symantec telemetry, the majority of the compromised servers are in India, followed by China, Brazil and the Netherlands.
This campaign is actively used in the wild against US and Chinese victims
Symantec telemetry data confirms that this exploit is actively being used in the wild even now, with most infected MySQL servers being located in India, China, Brazil, Holland, and the US.
DDoS attacks detected originating from these MySQL servers have targeted a US-based hosting provider, and an IP address in China.
The reason hackers target and infect MySQL servers is connected to their widespread adoption, the large collection of readily available MySQL vulnerabilities disclosed by security researchers, and the easy availability of hacking tools specifically designed to target flaws in MySQL servers.
Why SQL servers?
Given that Trojan.Chikdos.A is used to perform DDoS attacks from the infected system, we believe that the attackers compromised MySQL servers to take advantage of their large bandwidth. With these resources, the attackers could launch bigger DDoS campaigns than if they used traditional consumer targets. MySQL is also the second most popular database management system in the world, giving the attackers a wide range of potential targets.