In the last weeks and months, several campaigns targeted a lot of websites to inject them with a malicious javascript. Mainly through SQL injections. High profile websites, like for example CNET.com, were also a victim to these attacks. It seems that they are at it again. A lot of websites got infected with "1.js" including UK government sites, and a United Nations website, "events.un.org". It was only last December when the UN website also got hacked through an SQL injection.
Read full post here.This mass injection is remarkably similar to the attack we saw earlier this month. When a user browses to a compromised site, the injected JavaScript loads a file named 1.js which is hosted on http://www.nihao[removed].com The JavaScript code then redirects the user to 1.htm (also hosted on the same server). Once loaded, the file attempts 8 different exploits (the attack last April utilised 12). The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications. Ominously files named McAfee.htm and Yahoo.php are also called by 1.htm but are no longer active at the time of writing.
There are further similarities too between the two mass attacks. Resident on the latest malicious domain is a tool used in the execution of the attack. An analysis of that tool can be found in the ISC diary entry here. Mentioned in that diary entry is http://www.2117[removed].net. Our blog on that attack can be found here. It appears that same tool was used to orchestrate this attack too.
When we first started tracking the use of this domain, the malicious JavaScript was still making use of http://www.nmida[removed].com/:
Now the attackers are referring to a file hosted on the new domain of http://www.nihao[removed].com:
Sites of varying content have been infected including UK government sites, and a United Nations website as can be seen by the Google search results below.
The number of sites affected is in the hundreds of thousands (Source: Websense)
At the moment, Google shows some 177.000 websites infected. And please don't visit them with Javascript enabled. Use your Google Foo.
I was curious how many Belgian websites got infected. Ladies and gentlemen of the jury, it's 56!!!
My first instinct was to report this but my next thought was, to whom? I don't have time to track the webmasters down one by one. And Belgium doesn't have a CERT to contact. We do have the FCCU (Federal Computer Crime Unit) but that is partly a forensics team, not a nation wide CERT. *sigh*
I left them a message anyway. Let's hope it will do some good.
Sophos has some more information about the SQL injection technique used.
Read their full analysis.This morning, I was investigating another attack that is most likely related. The target of the malicious script tag has changed, but the underlying malicious SQL is very similar. The malicious injection can be seen below:
As you can see, the main guts of the malicious SQL (within
@S) are obfuscated within theCAST(0x…) block (which is trimmed for clarity). Decryption is trivial, enabling us to identify how the attack works.In brief, the SQL will concatenate a malicious script tag into all
(n)textand(n)varcharfields of all user tables in the MS SQL database. Nasty. Particularly for webmasters who have been hit, leaving them with a cumbersome cleanup process, and the challenge of preventing the same attack hitting them again.And the purpose of the attack? Feeding the
1.jsfile into our automation system, we see a whole mass of pages that will get loaded as a result of browsing a compromised page. This is represented in the flowchart below (click to enlarge):
- yellow blob: malicious
1.jsfile loaded from compromised pages- green arrows: page loads via an iframe (or similar)
- red arrows: exploit payload, in this case resulting in the download of some Win32 malware
Update (23/04/2008): I got a response from the FCCU and the BELNET CERT has taken over the case. Their priority is of course to their constituency (BELNET). But as only CERT in Belgium, they try to be a "last resort" point of contact as long as their resources will allow it. That's very nice to hear!!! I might have a meeting with them in the future to exchange some ideas.
In the meantime, the number of infected sites displayed has mounted up to 273.000 and the infected belgian sites up to 93.
Related articles:
Security4all Blog
Twitter
Slideshare
Facebook
Digg
Flickr
0 comments:
Post a Comment