Trojan using MS SQL ??

Well its my first post in 2010 :) … rather late, apologize for that.

Recently came across a Trojan sample that actually connects to a Database server and does some SQL commands ! This is the first time I saw something like this.

Normally, Backdoors and other malware use HTTP interfaces (POST/GET commands) to talk to their command servers, but in this case the malware was talking directly to the Microsoft SQL Server using standard DB commands on TCP port 1433.

After looking around for details on this Trojan, I realized that this malware was one of the components that a variant of Zbot downloads.  Not many AV vendors detected this malware sample.

Once executed, the Trojan attempts to connect  to dbsq0002.whservidor.com on TCP port 1433. I don’t exactly speak TDS (Tabular Data Stream) format but from the looks of it, it tries to access “estargames1” DB and then executes the following SQL command -

SELECT * from TBL_002 where localizador = A0D23C2E

If the Query does not return any results, it goes ahead makes an entry into the database using -

INSERT into TBL_002 (localizador,data,horas) VALUES (‘A0D23C2E’, ‘2/3/2009’, ‘11:09:29 AM’)

The string “A0D23C2E” appears to be random and keeps changing with every infection.

Now the fact the some cares to install a Microsoft SQL database on standard port open facing internet  is really funny ! :) Makes me wonder what’s the exact intention of this malware ? – Is it some online gaming server as the name suggest or is the malware author trying to track the infections of its Trojan ??

Drop me a comment if you have more info on this !