Have you, or your anti-virus software, noticed a file called ‘cna12.dll’ on your computer? Have you suddenly found that you have an imaginary friend called ‘piress’ whom you didn’t know about? If so, you may have fallen victim to a MySQL attack (and ‘piress’ may not be so imaginary, nor friendly for that matter).
What is MySQL?
MySQL is a database server, so basically it is an application used to store all sorts of different information. For instance, it can store information on what products a shop has in stock, along with the cost price, retail price, and quantity of each product. Information in a database can then be retrieved and displayed on web pages.
The MySQL software is now owned by Oracle.
Who is at risk?
If you are running a MySQL server on Windows, and your MySQL server is accessible from the Internet, then you are at risk. It then comes down to how strong your MySQL passwords are, and how secure your Windows and MySQL installations are.
Note that you may be running a MySQL server even though you didn’t explicitly install one, as other applications that you have installed may depend on it and have automatically installed it. For instance, the BigBrotherBot (B3) automated game server administration application requires MySQL.
The XAMPP (Apache, MySQL, PHP, and Perl) distribution contains MySQL and admits to being wide open security-wise. Given that they also state that phpMyAdmin is accessible via the network, you may also have had attackers exploiting that.
Windows users can tell if they have been infected by this particular attack by checking for a piress user, and by checking the MySQL plugin and bin folders for the file cna12.dll.
The location of the MySQL plugin and bin folders can vary between MySQL versions so if you don’t know where they are and think that you stand about as much chance of finding them as you do of finding your way home after a good night out on the town, you can get Windows to search for a file called cna12.dll. The process of finding files varies slightly between the different versions of Windows, so consult the Windows Help documentation if necessary.
Linux users can still be attacked; however, the attack won’t work because it was written for MySQL servers on a Windows platform. Linux users can tell if they have been a target of this attack by checking the /var/lib/mysql/mysql/ directory (which may differ between Linux distributions/installations) as shown here:
root@hostname:...# cd /var/lib/mysql/mysql
root@hostname:/var/lib/mysql/mysql# ls -al *cna12*
-rw-rw-rw- 1 mysql mysql 3584 Nov 3 00:03 \usr\lib\mysql\plugin\\cna12.dll
root@hostname:/var/lib/mysql/mysql# md5sum -b *cna12*
\a922d55a873d4ad0bbbbbc8147a3a65a *\\usr\\lib\\mysql\\plugin\\\\cna12.dll
If you are having trouble finding the MySQL plugin directory on your Linux box, you can always search the whole system by issuing the following command (if it doesn’t display anything, then the file wasn’t found):
find / -iname \*cna12.dll\* -ls
In both cases (Windows and Linux), the time stamp of the file will tell you when you were last infected by this attack.
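As an added example (not part of the original post), the checks above automated in Python: it searches the directories you give it for any file whose name contains cna12.dll, records size, MD5 and last-write time, compares the hash against the sample shown on this page, and on Windows asks ‘net user’ whether the piress account exists. The search roots and the behaviour of ‘net user’ (exit code 0 when the account exists) are assumptions.

```python
import hashlib
import os
import platform
import subprocess
import time

# Indicators taken from the page: size and MD5 of the cna12.dll sample in the md5sum
# output above. Other variants may differ, so any file with this name is suspicious.
KNOWN_CNA12_MD5 = "a922d55a873d4ad0bbbbbc8147a3a65a"
KNOWN_CNA12_SIZE = 3584

def md5_of(path):
    """Hex MD5 of a file, read in chunks so large files need not fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_cna12(roots):
    """Walk each directory in roots and report every file whose name contains
    'cna12.dll' (case-insensitive). On a targeted Linux server the file is
    literally named something like '\\usr\\lib\\mysql\\plugin\\\\cna12.dll' inside
    the mysql data directory, so match on substring rather than exact name."""
    findings = []
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if "cna12.dll" not in name.lower():
                    continue
                path = os.path.join(dirpath, name)
                st = os.stat(path)
                digest = md5_of(path)
                findings.append({
                    "path": path,
                    "size": st.st_size,
                    "md5": digest,
                    "known_sample": digest == KNOWN_CNA12_MD5 and st.st_size == KNOWN_CNA12_SIZE,
                    # as the page notes, the timestamp shows when the server was last hit
                    "last_written": time.strftime("%Y-%m-%d %H:%M:%S", time.localtime(st.st_mtime)),
                })
    return findings

def piress_account_exists():
    """Windows only: 'net user piress' exits 0 when the local account exists (assumption)."""
    if platform.system() != "Windows":
        return None  # the piress account is a Windows artefact of this attack
    return subprocess.run(["net", "user", "piress"], capture_output=True).returncode == 0
```

Call find_cna12() with your MySQL plugin and bin folders (or a whole drive or /var/lib/mysql) and check the last_written value of anything it reports.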
How does the attack work?
The attack involves breaking into your MySQL server by brute-forcing (that is, repeatedly trying to guess) the root user’s password. The MySQL root user is the MySQL administrator, and is the MySQL equivalent of the Administrator user under Windows and of the root (funnily enough) user under Linux.
Once the password has been successfully guessed, the attack is able to use any MySQL commands as the MySQL administrator.
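The password guessing described above leaves a trail of refused logins in the MySQL error log. As an added example (not part of the original post), a small Python detector that groups those refusals by source address and flags hosts that fail repeatedly within a short window; the log lines are constructed, and it assumes the MySQL 5.x error-log format with the server configured to log access-denied warnings.

```python
import re
from collections import defaultdict
from datetime import datetime

# A MySQL 5.x error-log line for a refused login (assumption: the server writes these
# when log_warnings is 2 or higher), e.g. 121103  0:02:52 [Warning] Access denied ...
ACCESS_DENIED = re.compile(
    r"^(?P<ts>\d{6}\s+\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)

# Constructed sample log: a password-guessing run against root from one address,
# plus a single failure from an internal host that merely mistyped its password.
SAMPLE_LOG = """\
121103  0:02:51 [Note] Plugin 'FEDERATED' is disabled.
121103  0:02:52 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:02:53 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:02:53 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:02:54 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:02:55 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:02:56 [Warning] Access denied for user 'root'@'203.0.113.5' (using password: YES)
121103  0:03:10 [Warning] Access denied for user 'b3'@'192.168.1.20' (using password: YES)
"""

def parse_ts(ts):
    """'121103  0:02:51' -> datetime(2012, 11, 3, 0, 2, 51)."""
    date, clock = ts.split(None, 1)
    return datetime.strptime(f"{date} {clock.strip()}", "%y%m%d %H:%M:%S")

def find_bruteforce(lines, threshold=5, window_seconds=60):
    """Group refused logins by source host and flag any host that produced at least
    threshold failures inside a window_seconds span. Returns host -> summary."""
    per_host = defaultdict(list)
    for line in lines:
        m = ACCESS_DENIED.search(line)
        if m:
            per_host[m["host"]].append((parse_ts(m["ts"]), m["user"]))
    alerts = {}
    for host, events in per_host.items():
        events.sort()
        times = [t for t, _ in events]
        start = 0  # left edge of the sliding window
        for end in range(len(times)):
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                alerts[host] = {"users": sorted({u for _, u in events}),
                                "attempts": len(events), "first": times[0], "last": times[-1]}
                break
    return alerts
```

Run find_bruteforce() over your own error log (for example, find_bruteforce(open("mysql.err").readlines())) and feed any flagged address into your firewall logging or blocking rules.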
What does the attack do?
The attack starts off by attempting to save the cna12.dll file to the MySQL plugin folder and to the MySQL bin folder. That file contains Windows program code that essentially adds functionality to the MySQL server. That is, it is a plugin that allows MySQL, or MySQL commands, to do things that it/they wouldn’t have otherwise been able to do.
cna12.dll is reasonably small (only 3,584 bytes) and doesn’t do much. However, what it does do is pretty serious because it gives the attacker the chance to pretty much run anything on your MySQL server, and the potential to use your server (and hence your files) with administrator privileges.
cna12.dll creates a new SQL (Structured Query Language) function called xpdl3(). SQL is a language that is commonly used to store and retrieve information from databases.
The xpdl3() function first creates a user account called piress, and adds that user to the Administrators group. This means that the attacker can now log on to your computer using the piress user and have administrator rights — that is, they will be able to do anything on that computer that you can do (assuming that you are an administrator).
The xpdl3() function then takes the URI (Uniform Resource Identifier) of a file, downloads it from the Internet, saves it as c:\isetup.exe, runs it on your server, and then deletes the downloaded isetup.exe file. A URI instructs applications on where to find a file on the Internet and how to fetch it, and it is what appears in the location bar of your web browser.
How can I recover from the attack?
This will be tricky, simply because the cna12.dll file allows the attacker to download and run any file that they want to. As such, you can’t be sure what has run on your computer after the cna12.dll file was loaded. Almost every different instance of this attack downloads a different malicious application.
Removing the piress user account and deleting the cna12.dll file(s) will be a good place to start, but apart from shutting the server down and checking each file on the disk against a known good copy, or for malicious content, the only way to be certain that your system is clean would be to rebuild it by reinstalling Windows and all the applications.
Scan your server with up-to-date anti-virus software and signatures. It may also be worth using a rootkit scanner. However, be on the look-out for fake anti-virus and rootkit scanners, which are merely trojans with malicious intent.
How can I protect myself from the attack?
There are quite a few conditions that need to be met in order for this attack to be successful:
1. The MySQL server must be accessible from the Internet
2. The root user’s password must be guessed
3. The MySQL Windows account must be able to write to the MySQL program folders, namely its plugins and/or bin folder(s)
4. The MySQL server must be able to access web servers on the Internet
I notice that part of the documentation for XAMPP admits to conditions 1 and 2 and warns you about it.
Accessible MySQL server
This is pretty obvious — an attacker can’t attack your system if they can’t get to it. As a good rule of thumb, you should only allow access to systems that actually need it. It is generally considered a bad idea to allow Internet access to your database and other servers which generally only store and process data.
Good design involves placing a user interface system, such as a web site, between the database server (or other back-end system(s)) and the Internet/users. Access to the database server can then be restricted to the web server.
Guessable password
The second reason that this attack was able to succeed was because it managed to guess a password. Make sure that ALL of your accounts have good passwords on them. By good, I mean passwords that aren’t easily guessable. This attack tried a long list of passwords to gain access to the root user’s account.
Be wary of default accounts, that is any account installed by the vendor/manufacturer. The user names and passwords of these accounts are often well-known, as an Internet search for the phrase ‘default passwords’ will show.
Also watch out for test/dummy user accounts. These accounts are often given weak (easily guessable) passwords, and as such, can easily be a point of entry into your system(s).
Writeable program folders
The third reason that this attack was able to succeed was because it was able to write a file to the MySQL plugin folder. As a general rule, it is not a good idea to allow applications to have write permissions to their own folders, mainly for precisely this reason. If you think about it, if an application gets compromised, as the MySQL server did in this attack, and it can write to its own program folders, then it can modify or replace its own program files with malicious versions.
This is especially bad if the application supports plugins, which MySQL does, for reasons which are nicely demonstrated by this attack — the attack creates a malicious plugin and then runs it.
Internet access from the server
If a server such as your MySQL server has access to the Internet, then a successful attack can download further malicious content from the Internet and connect to other servers to infect them.
Not letting an Internet-accessible server connect out to the Internet for the same service that it is providing goes a long way towards preventing an infection from spreading. It also makes it easier to spot a possible infection, by detecting any unnecessary attempt that the server makes to access the Internet.
For instance, don’t allow your MySQL server to connect to other MySQL servers on the Internet. This is like knowing that the human influenza virus spreads by coughing and sneezing, and consequently covering your mouth when you cough and sneeze. By knowing how the virus spreads you can stop it from being able to do so.
Then, configure your firewall or other network equipment to alert you (or at least to log) any attempts made by your MySQL server to access other MySQL servers on the Internet. This is checking for signs of infection and, in a way, would be like testing the contents of your handkerchief/tissue after sneezing, for virus cells.
A better approach, of course, is to not allow your servers access to the Internet at all, other than for services which they actually need (like DNS for instance). If you can, provide such services internally or proxy them.
Conclusion
So, if you have found either cna12.dll or a user called piress on your system, then things don’t look good. Remove the piress user as soon as you can, as that user account will allow anyone who knows the password to log on to Windows as an administrator.
You should also find all instances (there may be more than one) of the cna12.dll file and delete them. Note that you may need to stop the MySQL server to do so.
The main problem with this attack is that you don’t know what the attacker has installed using cna12.dll or by using the piress user account created by cna12.dll. Consequently, the easiest way to recover from such an attack would probably be to rebuild your server. That is, reinstall Windows and any applications.
It is possible to check for changes and files left by any other malicious software which may have been installed, but this isn’t necessarily easy, especially if extra malicious applications were installed in order to hide the existence of malicious applications (read about rootkits).
I have not yet been able to analyse the malicious applications that the attack attempts to download, mainly because my lab setup wasn’t automatically detecting and extracting them. I recently tweaked it so that it will automatically detect and extract the malicious applications for future attacks of this type.
If you are interested, you can read my technical analysis of the attacks series.
My computer is infected with this specific malware. I have up-to-date anti-virus software running. However, the piress account comes up once in a while. For me a full format is not an option at the moment. If I get rid of MySQL completely, will it be of any help?
Thank you
jake
Hi Jake,
My apologies for taking so long to reply but I wanted to verify the technical accuracy of my response, include as much information as possible, and I had quite a bit on my plate including some paid work (which obviously has to take priority).
Anyway, it got to the point where my reply was so long that I just turned it into a new blog post instead.
Basically yes, if you can uninstall MySQL then do so. If not, attempt to block the inbound MySQL connections by using network firewall/routers (if you have them) or your ADSL modem.
I’d also configure Windows Firewall on your MySQL server to stop inbound (and preferably outbound) MySQL connections (by disabling access to the MySQL program from the Internet), by using the Exceptions tab to allow TCP port 3306 but specify the scope to be any of your internal hosts that need to access it.
You can also reconfigure MySQL to only allow connections from the MySQL server itself.
It would also be a good idea to modify Windows NTFS permissions to stop the attack from being able to create DLL and EXE files in the MySQL program folders. This, however, won’t stop the attacks from getting access to your server, but will only serve to disrupt them and stop them from being able to save the cna12.dll file and run the function in it. It is more an attempt to stop attacks working should they reach your server.
Hope this information and/or the new blog post helps.
Musingly,
Karl.
Hi Karl,
That’s a really good finding. I have been a victim for the last 9 months; I couldn’t find an answer until now. Thanks.
Hi Roopesh,
Yeah, I noticed that people were finding my pages as a result of Google searches for ‘cna12.dll’. When I tried the same Google search I found people asking what it was and how to get rid of it, but no real answers.
Thanks for the feedback — it’s good to know that someone is finding these pages helpful.
Musingly,
Karl.
Hi Karl,
thanks for your in-depth analysis.
my PC recently got attacked by the piress account virus. I deleted that account. I found cna12.dll in the MySQL folder, so I deleted it also. My Avasta antivirus blocked isetup.exe, so can I say my system is safe as Avasta blocked it?
Also, can changing the MySQL root password after an attack be helpful?
thanks.
Hi Rohit,
That’s cool — it is good to know that some people are finding it useful.
If you haven’t already, have a read of the follow-up post.
I wouldn’t like to say that your system is definitely safe, as I am reluctant to say that anything other than a complete rebuild would guarantee cleanliness — mainly because I don’t know what it is that I don’t know. Just because I can’t think of a way to bypass a piece of security, doesn’t mean that someone else hasn’t.
Having said that, your system should certainly be a tad safer than it was 🙂
I haven’t yet analysed ‘isetup.exe’, and even if I had, we’d need to confirm that your ‘isetup.exe’ is the same as the one that I’d analysed, plus there are too many other variables. For instance, the ‘cna12.dll’ file isn’t, by itself, particularly malicious. It is just that it is very easy to use it for malicious purposes, like downloading more malicious software like the copy of ‘isetup.exe’ that your anti-virus software found, for instance. Hence we can’t necessarily be certain that ‘isetup.exe’ is the only malicious software that was downloaded.
As for Avasta blocking ‘isetup.exe’, see if you can determine whether or not ‘isetup.exe’ actually ran. I recently examined a friend’s laptop where their anti-virus software quarantined a .exe file, however there was an entry for it in the C:\Windows\Prefetch folder, and a Windows Defender report that it modified registry entries, suggesting that it still executed (which raises the question of when does the prefetch file get created and when does the anti-virus software check the file and block it).
If you can, check the C:\Windows\Prefetch\ folder for a file with the name ‘isetup.exe-….pf’ file, but bear in mind that the legitimate, is it Internet Explorer installer(?), is also called isetup.exe and will show up in the prefetch directory with a similar name. I think later versions of Windows may have stopped you from being able to see files in the prefetch folder, so you may need to examine the disk by adding it to another system (Linux boxes are good for this), if possible.
Yes, definitely change your MySQL root user’s password, as that will help to prevent the same attack (and other attacks that rely on guessing your password) from working again.
Musingly,
Karl.
Many thanks for your article. I found it really easy to understand and completely logical.
Thanks Vivek — I’m hoping people are finding it useful,
Karl.