Somebody once said..

"If you convince people that the wheel isn't right, they will allow you to re-invent it"

Wednesday, February 3, 2010

Trojan using MS SQL ??

Well its my first post in 2010 :) … rather late, apologize for that.

Recently came across a Trojan sample that actually connects to a Database server and does some SQL commands ! This is the first time I saw something like this.

Normally, Backdoors and other malware use HTTP interfaces (POST/GET commands) to talk to their command servers, but in this case the malware was talking directly to the Microsoft SQL Server using standard DB commands on TCP port 1433.


After looking around for details on this Trojan, I realized that this malware was one of the components that a variant of Zbot downloads.  Not many AV vendors detected this malware sample.

Once executed, the Trojan attempts to connect  to on TCP port 1433. I don’t exactly speak TDS (Tabular Data Stream) format but from the looks of it, it tries to access “estargames1” DB and then executes the following SQL command -

SELECT * from TBL_002 where localizador = A0D23C2E

If the Query does not return any results, it goes ahead makes an entry into the database using -

INSERT into TBL_002 (localizador,data,horas) VALUES (‘A0D23C2E’, ‘2/3/2009’, ‘11:09:29 AM’)

The string “A0D23C2E” appears to be random and keeps changing with every infection.

Now the fact the some cares to install a Microsoft SQL database on standard port open facing internet  is really funny ! :) Makes me wonder what’s the exact intention of this malware ? – Is it some online gaming server as the name suggest or is the malware author trying to track the infections of its Trojan ??

Drop me a comment if you have more info on this !

1 comment:

  1. Probably you have already got this info, but "localizador" is a portuguese word that can be translated as "tracking id".

    From what I'm able to see on your screen capture, your malware was making a select call followed by a insert one. Both this sql queries used the same value for the "localizador" field. I can also identify that there are 2 additional columns used on the insert sql query: "data" which means "date" and "horas" which means "hours".

    Is it possible that the malware sample you have identified is "calling home" and updating its status?
    Can you correlate the "A0D23C2E" with your ip address?

    Just my 2 cents.