MySQL and Silentbanker

Posted on January 29, 2008
Filed Under Internet, Open Source/Freeware, Security, Software

I’m really having a bad week with the news that Sun has bought MySQL and this Silentbanker Trojan thing appearing out of nowhere. I mean as far as MySQL goes, something just seems out of sorts when a giant like Sun gobbles up a — for the most part — open source database product like MySQL that powers much of the Internet. It just feels wrong. And a new insidious Trojan? Yep, bad week.

MySQL is a database engine that powers huge Internet sites like YouTube, Flickr, Technorati, Facebook, FeedBurner, Wikipedia, Yahoo! Finance, and del.icio.us to name a few. Sage changed the backend database of their highly successful (at least in Canada) Simply Accounting from Microsoft Access to MySQL in Simply Accounting 2008. MySQL has provided paid support for their product but it can be downloaded and used free of charge.

If you’ve ever read a PC magazine or enjoyed a tech podcast, you’ve likely stumbled across John C. Dvorak. He’s well regarded in the IT community, and his take on the Sun/MySQL deal goes like this: “The move, announced earlier this week, is potentially a disaster for the entire sector…”

Dvorak goes on to suggest that ultimately the buyout was orchestrated by Oracle Corp, whose own database product is the most threatened by such a low-cost, powerful, and widely used database as MySQL. Dvorak concludes that “The original MySQL will simply vanish over time, along with Sun’s billion. Exactly how painful this transition will be for current users of MySQL remains to be seen.” You can read the Dvorak post at http://tinyurl.com/2o3x8e

And then, just when you felt really comfortable doing your banking on the Internet, along comes a new threat to ruin your fun. Silentbanker is being billed as one of the most sophisticated Trojans to hit the Internet and it has the ability to remain completely transparent while it robs you blind. The good news is… well there really isn’t any except possibly that Symantec considers the Silentbanker threat to be low.

One blogger puts it well when he says “The days of robbing banks in person are fading as fast as the gas prices are rising…” Silentbanker was discovered on December 17, 2007 and uses web exploits to download itself and a configuration file that lists the domain names of 400 banks. It uses those domain names to hijack a user’s session with their bank and redirect transactions to the attacker’s own bank accounts.

The exploit itself is a common “man in the middle attack”, where data is intercepted by someone “listening in” on your online session with a friend or an online store, but not often a bank. Sure, there have been plenty of phishing exploits over the past several years, where a bogus email or similar tries to lure someone to a web page that looks a lot like their bank — or possibly to a PayPal lookalike — where they might enter their bank card number and password, which the exploiter can then steal.

This one is different though. While it can capture keystrokes, that’s not all it does. It actually intercepts the communication between your computer and the bank and redirects your activities somewhere else. When you log onto the bank you actually send your bank card number and password to the attacker and you notice nothing out of the ordinary.

There seems to be some confusion out there as to who is getting attacked: the user or the bank. It is indeed the user, and that’s another element of Silentbanker that’s disquieting. It is able to load itself onto your computer simply by taking advantage of web exploits. No need to open an attachment in an email, no infected file to download; Silentbanker can install itself simply by visiting the wrong web site.
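The post says the Trojan carries a configuration file naming the banks it targets. From the defender's side, a list like that (once an AV vendor or analyst has extracted it) is useful as a watchlist: an institution can check whether its own hosts are on it, and an organisation can flag which internal clients are talking to targeted banking hosts in its proxy logs and look at those sessions more closely. The script below is an added example, not code from the original post or from any vendor; the domain list, the log format and the log lines are all constructed for illustration.

```python
"""Added example (not from the original post): using a list of targeted
bank domains as a watchlist over proxy logs. All data below is constructed."""
import re
from collections import defaultdict

# Constructed stand-in for a targeted-domain list: one domain per line,
# with '#' comment lines. Nothing here is a real bank or a real sample.
TARGET_LIST = """
# targeted banking hosts (constructed sample)
online.examplebank.test
secure.examplecredit.test
www.othertrust.test
"""

# Constructed proxy log lines: timestamp, client IP, destination host, path.
PROXY_LOG = """\
2008-01-28T09:01:12 10.0.0.5 online.examplebank.test /login
2008-01-28T09:01:14 10.0.0.5 online.examplebank.test /accounts
2008-01-28T09:01:15 10.0.0.5 cdn.assets.test /script.js
2008-01-28T09:03:40 10.0.0.7 www.newsportal.test /index.html
2008-01-28T09:05:02 10.0.0.9 secure.examplecredit.test /transfer
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def parse_target_list(text):
    """Return the set of lowercase domains from a one-per-line list,
    skipping blank lines and '#' comments and dropping a trailing dot."""
    domains = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        domains.add(line.lower().rstrip("."))
    return domains


def host_matches(host, watchlist):
    """True if host is a watchlisted domain or a subdomain of one.
    Matching is label-wise, so 'evilexamplebank.test' does not match
    'examplebank.test' but 'mobile.online.examplebank.test' matches
    'online.examplebank.test'."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def sessions_touching_targets(log_text, watchlist):
    """Map client IP -> list of (timestamp, host, path) for every request
    whose destination is on the watchlist. Malformed lines are ignored."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts, client, host, path = m.groups()
        if host_matches(host, watchlist):
            hits[client].append((ts, host, path))
    return dict(hits)


def own_domains_targeted(own_domains, watchlist):
    """Which of an institution's own hosts appear (directly or as
    subdomains) on the targeted list, sorted for stable reporting."""
    return sorted(d for d in own_domains if host_matches(d, watchlist))


if __name__ == "__main__":
    watch = parse_target_list(TARGET_LIST)
    for client, reqs in sessions_touching_targets(PROXY_LOG, watch).items():
        print(client, "->", [h for _, h, _ in reqs])
    print("own hosts on list:",
          own_domains_targeted(["www.othertrust.test", "www.unrelated.test"], watch))
```

The watchlist only tells you which clients reached a targeted bank, not whether they are infected; it is a triage filter, so those clients are the ones whose antivirus status and browser add-ons are worth checking first, and the bank-side check tells an institution whether to expect this Trojan's traffic at all.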

So, is there need to panic? The Sun/MySQL thing is going to play itself out regardless, so there likely isn’t much point panicking about it. Likewise, the antivirus vendors are delivering signatures for Silentbanker, so the standard security practices are in order:

And most importantly, stay informed.
