A site that offers “the most popular open source database” and boasts nearly 12 million visitors per month (almost 400,000 per day) is therefore an ideal vehicle for spreading malware.
Attackers used the BlackHole exploit kit, an automated exploit toolkit that probes visiting browsers for a variety of known security holes. Unfortunately, the Armorize team had not yet determined what the malicious software it installed was designed to do.
Only 4 out of 44 anti-virus programs could detect this malware, according to Wayne Huang, Armorize’s CEO.
He believes the malicious code was on the site for 7 hours before the issue was cleaned up by the Oracle team. If that’s accurate, it was enough time for approximately 120,000 Internet users to browse the site and expose their systems to the exploit kit.
This attack may be connected to a user of one of the blackhat underground forums, with the handle ‘sourcec0de’, who was offering root access to some of the cluster servers of mysql.com and its subdomains (see the screenshot taken by a TrendLabs researcher):
Highly trafficked open-source websites such as MySQL.com have been hit very hard in recent months. In recent weeks the Linux Foundation was forced to take a number of websites offline, including the Kernel.org repositories.
You can see a detailed description of the attack in this article.