SciTech

'Programmable' malware targets specific databases


A new backdoor that takes its instructions over HTTP can be directed to access a specific database on the computer it infects, a computer security firm said Friday. Trend Micro suspects the malware, BKDR_SOGU.A, may be related to the data breach at SK Comms, a popular South Korean social networking service provider.

"One notable routine in this backdoor is its capability to access a specific database in the infected machine, and to fetch and collect data from the said database. This routine was being performed using several ODBC APIs such as SQLAllocHandle, SQLDriverConnect, SQLNumResultCols, SQLFetch, and SQLExecDirect," Trend Micro researcher Marco dela Vega said in a blog post.

Dela Vega said the backdoor connects to and communicates with a command-and-control (C&C) server via HTTP POST. According to dela Vega, analysis showed that the remote server defines the database to be accessed and the type of information to be gathered; the query logic is therefore not hard-coded in the sample but supplied by the operator at run time.

"So far, nothing in the code suggests that it was created solely and specifically for certain attacks. In fact, it might be used and reused as long as the malware is not detected by the network's security software," dela Vega said.

Dela Vega also said they are looking into possible connections between the new malware and an attack on SK Comms last July. Trend Micro said the data breach at SK Comms may have affected up to 35 million users (http://blog.trendmicro.com/large-data-breach-in-south-korea-data-of-35m-users-stolen). — TJD, GMA News
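The ODBC call chain the article lists is the minimum a program needs to run an arbitrary query and walk its result set: allocate handles, connect with a driver string, execute a statement directly, read the column count, then fetch rows. That chain, paired with an HTTP POST channel, is what an analyst would look for when triaging a sample for the same capability. The script below is an added example written for this page, not Trend Micro's detection logic and not code from the malware; it extracts printable strings from a binary blob (import names in an unpacked PE are stored as plain ASCII) and scores the ODBC chain and HTTP POST markers. The sample blobs and the HTTP marker strings are constructed assumptions, not indicators taken from BKDR_SOGU.A.

```python
"""Static triage heuristic for an ODBC 'fetch and collect' backdoor.

Added example for this article; not Trend Micro's or the malware's code.
It looks for (a) the ODBC connect + execute + fetch chain and (b) HTTP
POST markers in the printable strings of a binary. Import names in an
unpacked PE import table are null-terminated ASCII, so plain string
extraction is enough for this heuristic. Packed samples, or samples that
resolve ODBC functions by obfuscated name at run time, will evade it.
"""
import re
from dataclasses import dataclass
from typing import Set

# ODBC (odbc32.dll) functions named in the article, split by role.
ODBC_CONNECT = {"SQLAllocHandle", "SQLDriverConnect"}
ODBC_QUERY = {"SQLExecDirect", "SQLNumResultCols", "SQLFetch"}

# Generic HTTP POST markers (assumption, not taken from the real sample).
HTTP_POST_MARKERS = (
    b"POST ",
    b"Content-Type: application/x-www-form-urlencoded",
    b"Content-Length:",
)


def ascii_strings(blob: bytes, min_len: int = 4) -> Set[bytes]:
    """Return the set of printable-ASCII runs of at least min_len bytes."""
    return set(re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob))


@dataclass
class TriageResult:
    odbc_connect: Set[str]
    odbc_query: Set[str]
    http_post: Set[bytes]

    @property
    def verdict(self) -> str:
        has_chain = (self.odbc_connect and self.odbc_query >= ODBC_QUERY)
        if has_chain and self.http_post:
            return "suspect: full ODBC query/fetch chain plus HTTP POST channel"
        if self.odbc_connect and self.odbc_query:
            return "odbc-client: review unless database access is expected"
        return "clean: no ODBC data-collection chain"


def triage(blob: bytes) -> TriageResult:
    """Score a binary blob for the capability described in the article."""
    names = {s.decode("ascii") for s in ascii_strings(blob)}
    return TriageResult(
        odbc_connect=names & ODBC_CONNECT,
        odbc_query=names & ODBC_QUERY,
        # Markers are searched in the raw blob so a run shorter than
        # min_len (e.g. "POST ") is still found.
        http_post={m for m in HTTP_POST_MARKERS if m in blob},
    )


def _fake_import_table(dll: bytes, funcs) -> bytes:
    """Constructed stand-in for a PE import directory: NUL-terminated names."""
    return dll + b"\x00" + b"\x00".join(funcs) + b"\x00"


# Constructed sample inputs (not real malware bytes).
SUSPECT_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + _fake_import_table(b"odbc32.dll", [b"SQLAllocHandle", b"SQLDriverConnect",
                                          b"SQLExecDirect", b"SQLNumResultCols",
                                          b"SQLFetch"])
    + _fake_import_table(b"wininet.dll", [b"InternetOpenA", b"HttpSendRequestA"])
    + b"POST /update.asp HTTP/1.1\r\n"
    + b"Content-Type: application/x-www-form-urlencoded\r\n"
)
DB_CLIENT_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + _fake_import_table(b"odbc32.dll", [b"SQLAllocHandle", b"SQLDriverConnect",
                                          b"SQLExecDirect", b"SQLFetch"])
    + _fake_import_table(b"user32.dll", [b"MessageBoxA"])
)
CLEAN_BLOB = (
    b"MZ\x90\x00" + b"\x00" * 8
    + _fake_import_table(b"kernel32.dll", [b"CreateFileA", b"ReadFile"])
)


if __name__ == "__main__":
    for label, blob in (("suspect", SUSPECT_BLOB), ("db-client", DB_CLIENT_BLOB),
                        ("clean", CLEAN_BLOB)):
        r = triage(blob)
        print(f"{label:10} connect={sorted(r.odbc_connect)} "
              f"query={sorted(r.odbc_query)} post={len(r.http_post)} -> {r.verdict}")
```

The verdict is deliberately graded: a legitimate database client also imports SQLDriverConnect and SQLFetch, so the ODBC chain on its own only warrants review, while the chain combined with an outbound HTTP POST path is what matches the behaviour the article describes. Run it against a real file with `triage(open(path, "rb").read())`; for packed samples, dump the process memory after unpacking first, since the import names will not be visible on disk.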