Discovering MrbMiner

Randolph West gives us the low-down on some malware:

Tencent Security has released a report (written in Chinese) describing a new malware attack by the name of “MrbMiner” on SQL Server instances exposed to the Internet with passwords that can be brute-forced.

According to the report, it installs an application written in C# by the name of assm.exe, which communicates with a command-and-control server to download a digital coin mining tool, which may be disguised as various Windows system services. The malware uses several techniques to ensure that it sticks around.

Randolph has some more advice on how to determine if it is on one of your servers.

One quick thing I’d like to point out is that this is not a flaw within SQL Server; it only infects a machine which has a username and password it can guess.
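A defender-side check prompted by that point, added here as an example and not taken from Randolph's post or the Tencent report: T-SQL that looks for SQL-authenticated logins whose password is trivially guessable and shows whether failed logins are being audited. The candidate password list is constructed, and the queries assume sysadmin rights on the instance.

```sql
-- Added example, not from the original post. Assumes sysadmin / CONTROL SERVER.
-- PWDCOMPARE only applies to SQL-authenticated logins (sys.sql_logins),
-- not Windows-authenticated ones.
DECLARE @weak TABLE (candidate nvarchar(128));
-- Constructed sample of weak candidates; extend with your own deny-list.
INSERT INTO @weak VALUES (N''), (N'sa'), (N'password'), (N'123456'), (N'Password1');

-- 1. Logins whose current password matches a weak candidate,
--    or whose password equals the login name.
SELECT l.name, w.candidate AS matched_candidate
FROM sys.sql_logins AS l
CROSS JOIN @weak AS w
WHERE PWDCOMPARE(w.candidate, l.password_hash) = 1
UNION ALL
SELECT l.name, N'<same as login name>'
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1;

-- 2. Enabled logins with Windows password policy or expiry checks switched off;
--    these are the easiest targets for online guessing.
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_disabled = 0
  AND (is_policy_checked = 0 OR is_expiration_checked = 0);

-- 3. Login audit level: 0 = none, 1 = successful only, 2 = failed only, 3 = both.
--    Failed-login auditing is what makes a brute-force attempt visible in the
--    SQL Server error log.
EXEC master.sys.xp_loginconfig 'audit level';
```

If query 1 returns rows, rotate those passwords before doing anything else; a cleanly exposed instance with an audited, policy-checked sa login is the condition the report's attack vector depends on not finding.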