By later on Monday, Oracle--which owns MySQL--had apparently disabled the attack.
[Are your Web-connected photocopiers, scanners, and VoIP servers compromising your enterprise security? Learn more at Corporate Espionage's New Friend: Embedded Web Servers.]
Black Hole uses the Java Open Business Engine (OBE) toolkit to exploit PCs and load malicious payloads. Unfortunately, these payloads can be difficult to detect. According to security firm Websense, the crimeware's "exploits are encrypted with custom algorithms, which makes this pack difficult to analyze by [antivirus] and generic deobfuscation tools and services."
Indeed, when Armorize issued its warning about the attacks on Monday, only four out of 44 antivirus engines listed on Virus Total were detecting the drive-by attack at MySQL.com. By Tuesday, however, the number of antivirus engines that detected the attack had increased to 17.
Black Hole exploits PCs using known vulnerabilities--providing they haven't been patched--including a flaw in Windows Hardware Counter Profiling, Adobe Reader bugs, as well as numerous Java flaws. That makes the attack against MySQL.com somewhat ironic, given that Oracle owns not only MySQL, but also Java.
Interestingly, beyond Black Hole rental costs, this attack against MySQL.com--visited by an average of 40,000 people per day--may have cost just a few thousand dollars. "Late last week, I was lurking on a fairly exclusive Russian hacker forum and stumbled upon a member selling root access to mysql.com," according to security reporter Brian Krebs. "He offered to sell remote access to the first person who paid him at least USD $3,000, via the site's escrow service, which guarantees that both parties are satisfied with the transaction before releasing the funds."
This is the second time this year that the MySQL.com website has been exploited. In March, the site was compromised via a SQL injection attack, resulting in the compromise of a number of usernames and weak passwords.