Thousands of sites infected - archive

[AplusWebMaster]

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

SQL injection continues
- http://www.f-secure.com/weblog/archives/00001432.html
May 10, 2008 - "...The attacks have now started again, this time pointing to several different domains. During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
yl18 .net
www .bluell .cn
www .kisswow .com .cn
www .ririwow .cn
winzipices .cn
All of the domains above are pointing to IP addresses in China. Just like last time the scripts try to use several exploits to infect the user's computer."

- http://blog.trendmicro.com/more-than...s-compromised/
May 10, 2008 - "...some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites. Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program... In true ZLOB fashion, this variant poses as a video codec installer... These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats..."

[AplusWebMaster]

FYI...

Mass File Injection Attack
- http://isc.sans.org/diary.html?storyid=4405
Last Updated: 2008-05-11 21:48:56 UTC - "We received a report... this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now. The major portion of the sites seem to be running phpBB forum software.
If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp ://free .hostpinoy .info /f.js
hxxp ://xprmn4u.info /f .js "

[AplusWebMaster]

FYI...

- http://www.techworld.com/security/ne...75&pagtype=all
13 May 2008- "..."This is an on-going campaign, with new domains [hosting the malware] popping up even this morning," said Paul Ferguson, a network architect with anti-virus vendor Trend Micro. "The domains are changing constantly." According to Ferguson, over half a million legitimate websites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB", an open-source message forum manager... Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached. That server then pings the PC for any one of several vulnerabilities, including bugs in both Internet Explorer and the RealPlayer media player. If any of the vulnerabilities are present, the PC is exploited and malware is downloaded to it..."
* http://preview.tinyurl.com/6f2uro
Apr 07, 2008 - "phpBB 3.0.1 released... critical bugs fixed..."

[AplusWebMaster]

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

SQL Injection Attacks Becoming More Intense
- http://www.f-secure.com/weblog/archives/00001435.html
May 13, 2008 - "The mass SQL injection attacks... are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code. Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
www .wowgm1 .cn
www .killwow1 .cn
www .wowyeye .cn
vb008 .cn
9i5t .cn
computershello .cn
We've now seen other domains being used as well such as direct84 .com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available*. The direct84 .com domain fast-fluxes to several different IPs in Europe, Israel and North America. The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS. This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database. There are many articles on how to do this such as this one**. You could also have a look at URLScan*** which provides an easy way to filter this particular attack based on the length of the QueryString."

* http://www.secureworks.com/research/.../danmecasprox/
May 13, 2008 - "...the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts..."

** http://msdn.microsoft.com/en-us/library/ms998271.aspx

*** http://www.microsoft.com/technet/sec...s/urlscan.mspx

Also see: http://www.shadowserver.org/wiki/pmw...endar.20080513
May 13, 2008

[AplusWebMaster]

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmw...endar.20080514
Posted May 14, 2008, at 07:42 AM - "Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.

www .nihaorr1 .com -468,000
free .hostpinoy .info -444,000
xprmn4u .info -369,000
www .nmidahena .com -140,000
winzipices .cn -75,000

www .aspder .com -62,000
www .11910 .net -47,000
bbs .jueduizuan .com -44,000
www .bluell .cn -44,000
www .2117966 .net -39,000

xvgaoke .cn -33,000
www .414151 .com -17,000
yl18 .net -15,000
www .kisswow .com .cn -13,000
c .uc8010 .com -9500

www .ririwow .cn -6000
www .killwow1 .cn -4000
www .wowgm1 .cn -3500
www .wowyeye .cn -2800
9i5t .cn -2500

computershello .cn -2300
b15 .3322 .org -1200
www .direct84 .com -1100
smeisp .cn -85
free .edivid .info -40
h28 .8800 .org -34

ucmal .com -30
usuc .us -13
www .wowgm2 .cn -8
www .adword72 .com -2

=> Posted May 14, 2008, at 07:42 AM.

[AplusWebMaster]

FYI...

Mass SQL Injection Attack Targets Chinese Web Sites
- http://preview.tinyurl.com/5tmj3q
May 19, 2008 3:00 AM PDT (PC World) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan. First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei. "The attack is ongoing,... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said... Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available..."

[AplusWebMaster]

More on the China/Taiwan SQL attacks...

- http://preview.tinyurl.com/56u2m7
May 19, 2008 (Computerworld) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites... The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed." The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748)."
- http://nvd.nist.gov/nvd.cfm

- http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008

[AplusWebMaster]

Follow-up:

- http://www.computerworld.com/comment...#comment-92914
[China and Taiwan - SQL injection attacks]
Submitted by Anonymous tech on May 19, 2008 - 16:11.
" 'Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites...'

That appears to be incorrect - the SQL injection plants a java-scripted IFRAME which re-directs the victim's browser to an attacker's site that performs the exploits. Please check the facts. More than one source would confirm it.

Every other SQL injection attack to date has done that, using an Mpack-like exploit tool at the attackers' site - NOT the site that was the victim of the SQL injection."

[AplusWebMaster]

FYI... (apologies for the long post - needed for detail):

- http://blog.trendmicro.com/yet-more-...-other-shores/
May 19, 2008 - "...This discovery comes on the tail of the mass compromise* of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curious is how some of the malicious URLs in this new set of compromises are the same as in the first mass compromise. The four sites — humanitarian, government, and news — were injected with the malicious JavaScript..."

Chinese Weekend Compromise
* http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008 - "Just a week after half a million Web sites were compromised, here comes another mass Web threat... This time, Senior Threat Analyst Aries Hsieh, together with our research team in Taiwan, picked up on another script injection attack aimed at Web sites in the Chinese language... A visit to any compromised site would install and execute a malicious script on a system. This said script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site hxxp ://{BLOCKED} .us /s.js

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:
1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically to China, Taiwan, Singapore, and Hong Kong. These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
* hxxp ://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
* hxxp ://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
* hxxp ://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
* hxxp ://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
* hxxp ://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
JS_IFRAME.AD was found to download the following:
* VBS_PSYME.CSZ
* JS_VEEMYFULL.AA
* JS_LIANZONG.E
* JS_SENGLOT.D
These four malware, in turn, download and execute
hxxp ://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
As of this writing, Google search results show some 327,000 pages that contain the malicious script tag..."

(Screenshots available at both TrendMicro URLs above.)

[AplusWebMaster]

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4439
Last Updated: 2008-05-20 16:55:25 UTC ...(Version: 3) - "...Shadowserver has published a list of domains used in past -and- recent massive SQL injections* that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks... plans to maintain this list as we come across new domains over time. The list also contains an estimated number of current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource..."
* http://www.shadowserver.org/wiki/pmw...endar.20080514
Full list of Injected Sites ...last modified date/time at bottom of page