Hacker News new | ask | show | jobs
by dclusin 2134 days ago
Not necessarily. You could probably infer it from a MySQL client in the malware itself and the queries its making to tables and such.
2 comments
enkid 2134 days ago
They know specific commands and configurations for the "drobovur-server" which is the "Command and Control (C2) Server." This makes me think they have the actual server software and probably some sort of operational deployment.
link
FDSGSG 2134 days ago
That sounds reaaally unlikely. If the malware shipped a mysql client the NSA would definitely be able to pop the mysql server it connects to.
link
stevehawk 2134 days ago
the point wasnt whether or not they could or did. the point was that it could be inferred based on what sql client the malware client was using without ever touching the sever.
link
FDSGSG 2134 days ago
It is extraordinarily unlikely that the malware would ship with a mysql client or talk mysql with the C2

If it does, that's an easy claim to prove.

link
enkid 2134 days ago
Read the document. They have the server software. They have configuration files for the server, they know how it processes communication, they know how it generates UUID's. They have the server software.
link
dclusin 2134 days ago
Why RTFA when I can make baseless speculations? :D
link