Cyber-criminals have started using Database as a Service (DBaaS), the hosted-database model, as a platform for running malware.
According to research by Imperva, the DBaaS model lets attackers set up a shared, hosted platform for command and control (C&C) servers, and gives illegitimate users easier access to data held both inside and outside the service. In the operation Imperva examined, the hosted databases served as the botnet management tool and as the infrastructure for both infection and data exfiltration.
Once a victim is infected, the malware opens a connection to a remote, hosted MSSQL database server using the local SQLOLEDB provider. The log-on to the database is done over SSL, so the credentials are encrypted in transit. The session is still an ordinary outbound SQL Server (TDS) connection from an endpoint to an external host, which is unusual for a workstation and remains visible in flow and firewall metadata even though the log-on itself is encrypted.
In total, about 350 compromised machines were registered in the databases Imperva analysed, all infected between February and June 2013. The databases were well organised: each had the same table structure and contained the same set of user-defined stored procedures.
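The detection angle follows from the two paragraphs above: the log-on credentials are hidden by SSL, but an endpoint talking to an external SQL Server on the TDS port is itself the signal. The following is an added example written for this page, not code from Imperva's report or from the malware. It assumes a constructed space-separated firewall log format (timestamp, source IP and port, destination IP and port, protocol, action), treats the RFC 1918 ranges as internal, and uses the default SQL Server port 1433 as a first filter; the sample log lines are made up.

```python
import ipaddress
from collections import Counter

# Constructed sample firewall log lines (made up for this example, not taken
# from the article): timestamp src_ip src_port dst_ip dst_port proto action
SAMPLE_LOGS = """\
2013-05-14T09:12:01Z 10.20.3.41 49152 203.0.113.17 1433 tcp allow
2013-05-14T09:12:07Z 10.20.3.41 49153 203.0.113.17 1433 tcp allow
2013-05-14T09:13:02Z 10.20.3.88 49201 10.20.0.5 1433 tcp allow
2013-05-14T09:14:44Z 10.20.3.41 49160 198.51.100.9 443 tcp allow
2013-05-14T09:15:10Z 10.20.3.41 49161 203.0.113.17 1433 tcp allow
2013-05-14T09:16:30Z 10.20.3.52 49300 203.0.113.17 1433 tcp deny
2013-05-14T09:17:05Z 10.20.3.52 49301 203.0.113.17 1433 tcp deny
"""

# RFC 1918 ranges stand in for "internal"; adjust to the real address plan.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Default SQL Server (TDS) listener port. A hosted database may be exposed on
# a non-default port, so this is a first filter, not the only one.
MSSQL_PORT = 1433


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_line(line: str):
    """Parse one log line into a dict, or return None for malformed lines."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, action = parts
    try:
        return {
            "ts": ts, "src": src, "sport": int(sport),
            "dst": dst, "dport": int(dport), "proto": proto, "action": action,
        }
    except ValueError:
        return None


def _outbound_tds(lines, action):
    """Count (src, dst) pairs for internal-to-external TCP/1433 sessions
    with the given firewall action."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["proto"] != "tcp" or rec["dport"] != MSSQL_PORT:
            continue
        if rec["action"] != action:
            continue
        if not is_internal(rec["src"]) or is_internal(rec["dst"]):
            continue
        counts[(rec["src"], rec["dst"])] += 1
    return counts


def find_external_mssql(lines, min_sessions=2):
    """Internal hosts that completed at least min_sessions allowed sessions to
    an external SQL Server listener. SSL hides the log-on, but the direction
    and destination port stay visible in the flow metadata."""
    counts = _outbound_tds(lines, "allow")
    return {pair: n for pair, n in counts.items() if n >= min_sessions}


def blocked_external_mssql(lines):
    """Internal hosts whose outbound TDS attempts were denied. A workstation
    retrying a blocked external database is itself worth a separate alert."""
    return dict(_outbound_tds(lines, "deny"))


if __name__ == "__main__":
    lines = SAMPLE_LOGS.splitlines()
    for (src, dst), n in find_external_mssql(lines).items():
        print(f"ALERT outbound MSSQL: {src} -> {dst} ({n} sessions)")
    for (src, dst), n in blocked_external_mssql(lines).items():
        print(f"NOTE blocked MSSQL attempts: {src} -> {dst} ({n})")
```

On the sample data the allowed-session rule flags only 10.20.3.41 talking to 203.0.113.17; the connection to 10.20.0.5 is internal and ignored, and the denied attempts from 10.20.3.52 are reported separately rather than counted as successful beacons. The threshold `min_sessions` is a tuning knob chosen for this example; a real deployment would also whitelist any external database the organisation legitimately uses.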
“Our research suggests that we will soon see autonomous malware targeting internal databases within organisations – which we believe would lead to a greater risk of infection and compromise within a network,” said Amichai Shulman, chief technology officer at Imperva.
“While there is quite a lot of information on how endpoints become infected as well as on what the Command and Control (C&C) communication looks like (IP reputation, etc.), there is almost none on what the threat looks like from an enterprise data centre point of view. There are lots of discussions about the need to share information, and for a good reason. Unfortunately, these discussions have not necessarily translated into actual sharing.”