Recovery method of Oracle RushQL blackmail virus

2025-03-30 update. Source: SLTechnology News&Howtos, Database section.


Shulou (Shulou.com), 06/01 report

In the previous issue, "GlobeImposter ransomware attack: is your data backup ready?", we introduced the GlobeImposter ransomware, which uses weaknesses in the SMB and RDP protocols as its entry point and then encrypts and tampers with user files to extort payment. Its targets are not limited to any particular application.

This time we introduce a ransomware family aimed specifically at databases: RushQL. Unlike GlobeImposter, RushQL is purpose-built for Oracle databases, has a long incubation period and hides well, and so does a great deal of damage.

The virus was first found bundled with an infected "green" (portable) or cracked build of the PL/SQL Developer installer. As soon as a user connects to a database with the cracked tool, it executes the code in "AfterConnect.sql" (a file that is normally empty in the official PL/SQL Developer distribution) and creates several stored procedures and triggers in the database. Because the script runs with the privileges of the account that connected, a DBA login installs those objects with DBA rights.

A RushQL infection does not damage data immediately; it has an incubation period. It first checks whether the database was created more than 1200 days ago (a cruel choice: it singles out databases that have been in production for a long time). If so, the next restart of the database fires the malicious trigger, which deletes the rows of sys.tab$, so that users can no longer see any of the tables in any schema, and displays the ransom message "Your database has been locked by SQL RUSH Team. Please send 5 bitcoins to this address." (some variants demand Ether or other coins). It also schedules a job that deletes all tables if the ransom is not paid within the deadline.

RushQL consists of several stored procedures and triggers. Taking the procedure DBMS_SUPPORT_INTERNAL as an example, its main actions are:

1. Copy the contents of the sys.tab$ table into a backup table named ORACHK || SUBSTR(SYS_GUID, 10) (that is, ORACHK followed by part of a generated GUID);
2. Delete the rows of sys.tab$, keeping only the tables whose owner ID is 0 or 38 (the core dictionary tables, so that the instance itself still starts);
3. Write the ransom message to the alert log 2046 times and raise an exception.

The procedure source shows why RushQL is harder to guard against than GlobeImposter: from the database's point of view its behaviour is perfectly ordinary DML and DDL (DELETE, TRUNCATE and the like), so almost every existing protection lets it through. Data Guard, for example, protects against file-level corruption, but in a RushQL attack it faithfully replicates the destructive changes to the standby; regular backups help with recovery, but cannot guarantee that no data is lost.

If you are infected but the trigger conditions have not yet been met, the treatment is simple: drop the four stored procedures and the three triggers, and stop using cracked or "green" client software:

Stored procedures: DBMS_SUPPORT_INTERNAL, DBMS_STANDARD_FUN9, DBMS_CORE_INTERNAL, DBMS_SYSTEM_INTERNAL
Triggers: DBMS_SUPPORT_INTERNAL, DBMS_SYSTEM_INTERNAL, DBMS_CORE_INTERNAL
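The inventory and cleanup described above, as an added example: this is not code from the article or from the RushQL analysis it summarises, but plain Oracle data dictionary queries run as a DBA. The object names are the ones listed above; the ORACHK backup-table pattern and the 1200-day check come from the article's description of the procedure. The <OWNER> placeholder and the schema-exclusion lists are assumptions to fill in from the query results.

```sql
-- Added example (not the article's code). Run as SYS or another DBA account.

-- 1. Would the payload fire on the next restart? The procedure checks that the
--    database is older than 1200 days.
SELECT name, created, TRUNC(SYSDATE - created) AS days_since_created,
       CASE WHEN SYSDATE - created > 1200 THEN 'YES' ELSE 'NO' END AS past_1200_days
  FROM v$database;

-- 2. The four procedures and three triggers, whichever schema they landed in
--    (they are created in the schema of the account that connected with the
--    cracked client).
SELECT owner, object_type, object_name, created, last_ddl_time, status
  FROM dba_objects
 WHERE object_name IN ('DBMS_SUPPORT_INTERNAL', 'DBMS_STANDARD_FUN9',
                       'DBMS_CORE_INTERNAL',    'DBMS_SYSTEM_INTERNAL')
   AND object_type IN ('PROCEDURE', 'TRIGGER')
 ORDER BY owner, object_type, object_name;

-- 3. Database-level triggers (startup, logon, ...) you did not create: a variant
--    that renamed its objects still needs one of these to fire after a restart.
SELECT owner, trigger_name, triggering_event, status
  FROM dba_triggers
 WHERE base_object_type = 'DATABASE'
 ORDER BY owner, trigger_name;

-- 4. PL/SQL source carrying the ransom text, again for renamed variants.
SELECT DISTINCT owner, type, name
  FROM dba_source
 WHERE UPPER(text) LIKE '%SQL RUSH%'
    OR UPPER(text) LIKE '%HAS BEEN LOCKED%'
    OR UPPER(text) LIKE '%BITCOIN%';

-- 5. Scheduled work that references the procedures (the delete-all-tables deadline),
--    in both the legacy job queue and the Scheduler.
SELECT job, log_user, next_date, what
  FROM dba_jobs
 WHERE UPPER(what) LIKE '%DBMS_SUPPORT_INTERNAL%'
    OR UPPER(what) LIKE '%DBMS_SYSTEM_INTERNAL%'
    OR UPPER(what) LIKE '%DBMS_CORE_INTERNAL%'
    OR UPPER(what) LIKE '%DBMS_STANDARD_FUN9%';

SELECT owner, job_name, next_run_date, job_action
  FROM dba_scheduler_jobs
 WHERE UPPER(job_action) LIKE '%DBMS_SUPPORT_INTERNAL%'
    OR UPPER(job_action) LIKE '%DBMS_SYSTEM_INTERNAL%'
    OR UPPER(job_action) LIKE '%DBMS_CORE_INTERNAL%'
    OR UPPER(job_action) LIKE '%DBMS_STANDARD_FUN9%';

-- 6. The copy of sys.tab$ the procedure makes before deleting rows. If it exists the
--    payload has already run; do not drop it, it is the best copy of the lost rows.
--    dba_objects is used on purpose: it is built on obj$, which the payload leaves
--    alone, whereas dba_tables depends on the gutted tab$.
SELECT owner, object_name, created
  FROM dba_objects
 WHERE object_type = 'TABLE' AND object_name LIKE 'ORACHK%';

-- 7. Damage check: tables still present in obj$ but missing from dba_tables, i.e.
--    whose sys.tab$ row was deleted. An empty result means the dictionary is intact.
--    Expect a few false positives from internal table types; cross-check with step 6.
SELECT o.owner, o.object_name
  FROM dba_objects o
 WHERE o.object_type = 'TABLE'
   AND o.object_name NOT LIKE 'BIN$%'
   AND o.owner NOT IN ('SYS', 'SYSTEM')
   AND NOT EXISTS (SELECT 1 FROM dba_tables t
                    WHERE t.owner = o.owner AND t.table_name = o.object_name)
 ORDER BY o.owner, o.object_name;

-- 8. Removal, once step 2 has shown the owning schema (<OWNER> is a placeholder).
--    Triggers first, so that a restart during cleanup cannot fire them.
DROP TRIGGER <OWNER>.DBMS_SUPPORT_INTERNAL;
DROP TRIGGER <OWNER>.DBMS_SYSTEM_INTERNAL;
DROP TRIGGER <OWNER>.DBMS_CORE_INTERNAL;
DROP PROCEDURE <OWNER>.DBMS_SUPPORT_INTERNAL;
DROP PROCEDURE <OWNER>.DBMS_STANDARD_FUN9;
DROP PROCEDURE <OWNER>.DBMS_CORE_INTERNAL;
DROP PROCEDURE <OWNER>.DBMS_SYSTEM_INTERNAL;
-- Then remove any job found in step 5:
--   EXEC DBMS_JOB.REMOVE(<job id>);
--   EXEC DBMS_SCHEDULER.DROP_JOB('<OWNER>.<JOB_NAME>');
```

Run steps 1 to 7 and keep their output before dropping anything: the CREATED timestamps from step 2 date the infection, and the step 7 list is the set of tables that must be recovered if the payload has already fired. Cleaning the database is only half the job; the client machine that ran the cracked tool still has the malicious AfterConnect.sql and will reinstall the objects on its next connection.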

If the virus has already fired and the database is locked, you need to:

1. Drop the four stored procedures and three triggers.
2. Check the auto-run scripts of the client tools in use (AfterConnect.sql and similar files) and remove anything suspicious.
3. Restore the truncated tables from backup. Depending on the damage, you may need the DUL (Data UnLoader) tool to salvage rows directly from the data files, and even then not every table can be recovered, for example where the space freed by TRUNCATE has already been reused.

Because the space freed by TRUNCATE is likely to be reused, there is a real chance that some data cannot be recovered. If, however, the QPlus-DP database backup cloud appliance was deployed beforehand, recovery is straightforward: its "second-level recovery" feature builds a historical copy of the database as of one second before the outbreak (or as of a given SCN), from which the truncated tables can be retrieved without data loss, as shown in the figure:

After a few minutes, use the newly created database environment to confirm the tables that need recovering, then import them back into the production database.
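The point-in-time recovery described above, as an added example that is not part of the article and does not use the appliance: it pins the SCN just before the payload fired and then recovers a truncated table to that SCN with RMAN table-level recovery (Oracle 12c and later), the built-in counterpart of the "second-level recovery" feature. The alert-log timestamp and the table APP.ORDERS are assumed for illustration.

```sql
-- Added example (not the article's code). Run the SELECTs as a DBA; the RMAN
-- command at the end is typed at the RMAN prompt, not in SQL*Plus.

-- 1. When did it fire? The payload writes the ransom text to the alert log, which is
--    queryable through v$diag_alert_ext (11g and later). The CREATED time of the
--    malicious objects in dba_objects bounds the infection from the other side.
SELECT MIN(originating_timestamp) AS first_ransom_line
  FROM v$diag_alert_ext
 WHERE message_text LIKE '%SQL RUSH%';

-- 2. Map "one second before" to an SCN. The timestamp here is assumed; take it from
--    step 1. TIMESTAMP_TO_SCN only works while Oracle still holds the time-to-SCN
--    mapping (SMON_SCN_TIME, kept for a limited number of days); an older timestamp
--    raises ORA-08180, and the SCN must then be read off the archived-log ranges
--    (v$archived_log.first_time / first_change#) instead.
SELECT TIMESTAMP_TO_SCN(
         TO_TIMESTAMP('2024-05-10 08:12:30', 'YYYY-MM-DD HH24:MI:SS')
         - INTERVAL '1' SECOND) AS pre_attack_scn,
       current_scn
  FROM v$database;

-- 3. Table-level point-in-time recovery. RMAN restores SYSTEM, SYSAUX, UNDO and the
--    table's tablespace into a throw-away auxiliary instance as of that SCN, exports
--    the table with Data Pump and imports it into production. REMAP gives the
--    recovered copy a new name so whatever is left of the original stays untouched
--    and the two can be compared before swapping. Needs a backup taken before the
--    SCN, the archived logs up to it, and disk space under AUXILIARY DESTINATION.
--
--    RMAN> RECOVER TABLE app.orders UNTIL SCN 12345678
--            AUXILIARY DESTINATION '/u01/aux'
--            REMAP TABLE 'APP'.'ORDERS':'ORDERS_PRE_RUSHQL';
```

Flashback Query (AS OF SCN) is not an alternative here: a truncated table cannot be flashback-queried past the TRUNCATE (ORA-01466), which is why the recovery has to come from a backup-based copy as of the earlier SCN, whether built by the appliance or by RMAN.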
