Thousands of sites infected - archive

[AplusWebMaster]

FYI..

Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.com/MCRCblog.aspx?EntryId=2002
Jul 16, 2008 - "... The attack toolkits is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file which was unique to each and every one of them.
The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."

(Screenshots available at the URL above.)

Also see:
- http://www.shadowserver.org/wiki/pmw...endar.20080705

[AplusWebMaster]

FYI...

SQL Injection List - Format Update
- http://www.shadowserver.org/wiki/pmw...endar.20080718
18 July 2008 - "Due to popular demand, the SQL Injection list maintained at http://www.shadowserver.org/wiki/pmw...endar.20080514 can be fetched in text form at http://www.shadowserver.org/wiki/upl...l-inj-list.txt
Unfortunately this means the original web page will change somewhat, and I apologize for this. However, this will be better in the long run."

//

[AplusWebMaster]

FYI...

- http://isc.sans.org/diary.html?storyid=4771
Last Updated: 2008-07-24 07:47:29 UTC - "...it appears that the attackers expanded their target list of applications so they try to attack Cold Fusion applications now as well (previously they tried to attack ASP scripts only). If you are running Cold Fusion applications, this should be a wake-up call for you – make sure that you are not vulnerable to SQL injection. If I remember correctly, Cold Fusion does have some built-in protection against SQL injection attacks but there are clearly cases when that does not work (otherwise the attackers would not be attacking it)... It's actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully. Here we're not talking about the blind SQL injection, but just a way to check if the script is vulnerable to SQL injection in general. So, the bot issues this command and checks the response time: if the reply came immediately (or in couple of seconds, depending on the site/link speed) the site is not vulnerable. If the reply took 20 seconds then the site is vulnerable. This gives them an easy way to detect vulnerable sites and (probably) create a list of such sites that they might attack directly in the future. And the site owner will not notice anything (unless he/she is checking the logs)..."

[AplusWebMaster]

FYI...

SQL Injection Attacks Targeting Chinese-oriented Sites
- http://www.f-secure.com/weblog/archives/00001482.html
August 8, 2008 - "...in conjunction with the Beijing 2008 Olympics Games, and with ‘China’ being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web – and we’ve been seeing some interesting examples of SQL injection attacks specifically targeting website designed for a Chinese audience, whether from the mainland or overseas. Like most SQL injection attacks, these attacks begin with a compromising script being injected into a legitimate site, compromising it and redirecting its users to a malicious website. This website then takes advantage of the vulnerabilities available on the user’s computer to download and execute malicious programs... a specially crafted Flash file exploiting Adobe Flash Player Integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, it forcefully floods the user’s computer memory beyond its capacity, then takes advantage of the computer’s attempts to correct the problem to execute its own hidden code. If the user hasn’t updated their Flash Player* to newer versions than those targeted, their computer is vulnerable..."

* http://www.adobe.com/go/getflashplayer
Current Adobe Flash Player version 9.0.124.0

[AplusWebMaster]

FYI...

More SQL Injections ...active NOW
- http://isc.sans.org/diary.html?storyid=4844
Last Updated: 2008-08-08 16:40:52 UTC - "... Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
Next:
A user visiting the site will hit w.js which, if they are using english, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages, flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm. Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html ... These file contains some java script... So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc). Detection for these is poor. The IE versions 9/36 at VT (Virustotal) detect the file as malicious and for FF 10/36 detect the file as being malicious.
yahoo.htm
The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute...
Office.htm
Attempts to create activeX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe
ksx.htm
Attempts get the browser to include the rondll32.exe file. Detection for rondll32.exe is good with most AV products catching this one.
06014.htm
was unavailable at the time I checked.

These attacks are happening right now. The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops."

[AplusWebMaster]

FYI...

Sunkist site - mass JavaScript injection
- http://securitylabs.websense.com/con...erts/3167.aspx
08.22.2008 - "Websense... has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from -nine- different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world..."

(Screenshot of the infected site available at the URL above.)

[AplusWebMaster]

FYI...

- http://www.darkreading.com/document....515&print=true
AUGUST 27, 2008 - "...Attackers have begun hiding the malicious code by encoding so they can keep using these old-school attacks... ScanSafe today reported* an 87 percent jump in malware blocked by its Web security service in July compared with June, 75 percent of which came from the wave of SQL injection attacks hitting Websites the past few months. ScanSafe detected 34 percent more malware last month than it did in all of 2007, according to the report..."
* http://www.scansafe.com/__data/asset...08_GTR_rev.pdf
"...ScanSafe reported a 278% increase for the first six months of the year. That alarming trend continued in July with the number of Web-based malware blocks increasing another 87% over the previous month. The majority of the increase in Web-based malware resulted from ongoing web-site compromises which represented 83% of all malware blocks for the month. 75% of all malware blocks were the result of SQL injection attacks, the majority of which were related to the Asprox fast flux botnet. The Asprox botnet is believed to have origins in Russia and has commercial interests ranging from spam and clickfraud to rogue anti-spyware software and backdoor Trojans. July 2008 also bore witness to an increase in social engineering email scams designed to install malware on victims computers. 95% of ScanSafe customers fell for the scams and attempted to clickthrough to the malicious site, which represented 1.3% of all malware blocks for the month..."

[AplusWebMaster]

FYI...

SQL injection ...BusinessWeek.com
- http://www.sophos.com/pressoffice/ne...inessweek.html
15 September 2008 - "Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server..."

(Video available at the URL above.)

[AplusWebMaster]

FYI...

SQL threat: All Your (Data)base Are Belong to Trojan.Eskiuel...
- http://preview.tinyurl.com/45qhsy
09-17-2008 (Symantec Security Response Blog) - "...Our honeypot servers are full of plenty of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher... new SQL threat: Trojan.Eskiuel*. The main functionality of this threat is to scan the Internet to find machines with poorly configured SQL servers (i.e. with weak or non-existing passwords), gain access to them, and use their stored procedures in order to download new malware from a remote host. The anatomy of the attack is pretty simple. When run, the threat will read the IP address passed as an input parameter in the command line, and will start scanning all of the class B subnet of that IP address, looking for an SQL server... Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights... Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally or remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures."
* http://www.symantec.com/business/sec...091215-0809-99

(Screenshots and more detail available at both URL links above.)

[AplusWebMaster]

FYI...

ASPROX mutant
- http://isc.sans.org/diary.html?storyid=5092
Last Updated: 2008-09-29 10:22:25 UTC - "...ongoing SQL injections... The injection itself (starting with DECLARE...) looks a lot like the technique used by ASPROX (see our earlier diary*), but that the injection attempt here is made not via the URL but rather via a cookie is a new twist... in the end delivers a file called "x.exe" that looks like yet another password stealer, but has poor detection at this time (Virustotal**)..."
* http://isc.sans.org/diary.html?storyid=4565

** http://www.virustotal.com/en/analisi...1d7ae62c126fff