
Numerous Microsoft SQL servers have been discovered to have backdoors


A backdoor that specifically targets Microsoft SQL servers was recently discovered by DCSO CyTec researchers. The malware operates through Extended Stored Procedures, a class of extension specific to Microsoft SQL Server.

They scanned almost 600,000 servers worldwide and found 285 servers in 42 countries compromised with this backdoor. The distribution shows a distinct focus on the Asia-Pacific region.

Extended Stored Procedure

Understanding what an Extended Stored Procedure does on a SQL server is crucial to comprehending how the malware operates. An extended stored procedure is registered on the server and then calls functions or procedures in a DLL; in other words, SQL Server references extended stored procedures through dynamic link libraries (DLLs). The DLLs behind extended stored procedures are usually written in lower-level languages such as C or C++.

Essentially, an Extended Stored Procedure returns result sets and output parameters to the server through the Extended Stored Procedure Application Programming Interface (API), and the functions stored in the DLL can be invoked by a client application against Microsoft SQL Server.

Maggie

Maggie is the name DCSO CyTec gave this threat, based on artefacts found in the malware. The file names itself sqlmaggieAntiVirus 64.dll and, according to its export directory, provides only a single export called maggie.

Maggie implements a fully functional backdoor that is accessible only through SQL queries, using the Extended Stored Procedure API. The backdoor DLL must be placed in a directory the Microsoft SQL server can access, and the attacker must already have authorized access to the server to load the Maggie Extended Stored Procedure; otherwise the server will never call any function in the DLL. How the initial infection occurs is currently unknown, although it is possible that some Microsoft SQL Server vulnerabilities have not been patched.
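Because Maggie can only run once it has been registered as an extended stored procedure, the registration itself is the most reliable place to look for it. The following T-SQL audit query is an added example written for this article, not code from the DCSO CyTec report: it lists every extended stored procedure on the instance that Microsoft did not ship, together with the DLL SQL Server will load for it, and flags rows that match the file name and export name described above. User-defined extended stored procedures are always registered in the master database, which is why the query runs there. The Binn-directory heuristic in the CASE expression is an assumption about where legitimately deployed DLLs normally live, not something the report states.

```sql
-- Added audit query (not part of the DCSO CyTec report).
-- Run in SSMS or sqlcmd as a login with VIEW DEFINITION on master (sysadmin has it).
USE master;
GO

SELECT
    xp.name,          -- exported function name; Maggie's single export is "maggie"
    xp.dll_name,      -- path SQL Server will load the DLL from
    xp.create_date,   -- when the procedure was registered: useful for timelining
    xp.modify_date,
    CASE
        WHEN xp.name = 'maggie'
          OR xp.dll_name LIKE '%sqlmaggieAntiVirus%'
            THEN 'MATCHES MAGGIE INDICATOR'
        -- Assumption: DLLs deployed on purpose normally live under the instance's
        -- MSSQL\Binn directory; anything else deserves a closer look.
        WHEN xp.dll_name NOT LIKE '%\MSSQL\Binn\%'
            THEN 'DLL outside the SQL Server Binn directory - review'
        ELSE 'non-Microsoft extended stored procedure - review'
    END AS assessment
FROM sys.extended_procedures AS xp
WHERE xp.is_ms_shipped = 0           -- ignore xp_cmdshell and other built-ins
ORDER BY xp.create_date DESC;
GO

-- Once a registration is confirmed malicious, unregister it so the server
-- stops calling into the DLL, then quarantine the file on disk.
-- Placeholder: substitute the name returned by the query above.
-- EXEC sp_dropextendedproc @functname = 'maggie';
```

On a clean instance the query returns no rows, since all extended stored procedures that ship with SQL Server are marked is_ms_shipped = 1. Any row at all is worth checking against change records, and the create_date column gives the earliest point from which to review logins and queries when the registration turns out to be unauthorized.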

Capabilities

Once installed, Maggie provides a number of commands that let the attacker access files and directories, interact with the operating system, run programmes, and carry out other network-related tasks, such as configuring port forwarding so that Maggie acts as a bridge into the server’s network.

Once activated, Maggie separates the attacker’s connections from all others so that legitimate users can use the server without Maggie getting in the way, which lessens the likelihood that users will notice a problem. The separation is based on a user-specified IP mask: if the originating IP address matches the mask, the incoming connection is routed to a certain IP address and port.

Brute force

Targets

To ascertain how widespread the detected backdoor is, the researchers scanned publicly accessible Microsoft SQL servers, since the backdoor depends on the configuration of a Microsoft SQL server. Of roughly 600,000 inspected servers, the scan found 285 compromised.

The scan also revealed that the majority of infected servers were located in South Korea, India, and Vietnam, with China and Taiwan in fourth and fifth place, respectively. Infections in other nations appear to be unrelated.
