Thousands of sites infected - archive

SQL injection attacks continue

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

SQL injection continues
- http://www.f-secure.com/weblog/archives/00001432.html
May 10, 2008 - "...The attacks have now started again, this time pointing to several different domains. During the last few days we've seen the same type of encoded SQL script as in the previous case being inserted into ASP/ASP.NET pages. The scripts point to the following domains:
yl18 .net
www .bluell .cn
www .kisswow .com .cn
www .ririwow .cn
winzipices .cn
All of the domains above are pointing to IP addresses in China. Just like last time the scripts try to use several exploits to infect the user's computer."

- http://blog.trendmicro.com/more-than-a-half-a-million-web-sites-compromised/
May 10, 2008 - "...some several thousands of Web sites try to recover from being hacked via SQL injection barely two days ago, in comes another massive attack on more than half a million Web sites. Advanced Threats Research Program Manager Ivan Macalintal found the malicious script JS_SMALL.QT injected into various Web sites believed to be either using poorly implemented phpBB, or are using older, exploitable versions of the said program... In true ZLOB fashion, this variant poses as a video codec installer... These types of Trojans are known for changing an affected system’s local DNS and Internet browser settings, thus making the system vulnerable for even more potential threats..."

:fear::mad::fear:
 
Mass File Injection Attack

FYI...

Mass File Injection Attack
- http://isc.sans.org/diary.html?storyid=4405
Last Updated: 2008-05-11 21:48:56 UTC - "We received a report... this afternoon about a couple of URLs containing a malicious JavaScript that pulls down a file associated with Zlob. If you do a google search for these two URLs, you get about 400,000 sites that have a call to this Javascript file included in them now. The major portion of the sites seem to be running phpBB forum software.
If you have a proxy server that logs outbound web traffic at your site, you might want to look for connection attempts to these two sites. Internal clients that have connected may need some cleanup work. Another preventive step would be to blacklist these two URLs.

hxxp ://free .hostpinoy .info /f.js
hxxp ://xprmn4u.info /f .js "

:fear::fear:
 
phpBB sites hacked - 500k

FYI...

- http://www.techworld.com/security/news/index.cfm?newsID=101475&pagtype=all
13 May 2008 - "..."This is an on-going campaign, with new domains [hosting the malware] popping up even this morning," said Paul Ferguson, a network architect with anti-virus vendor Trend Micro. "The domains are changing constantly." According to Ferguson, over half a million legitimate websites have been hacked by today's mass-scale attack, only the latest in a string that goes back to at least January. All of the sites, he confirmed, are running "phpBB", an open-source message forum manager... Visitors to a hacked site are redirected through a series of servers, some clearly compromised themselves, until the last in the chain is reached. That server then pings the PC for any one of several vulnerabilities, including bugs in both Internet Explorer and the RealPlayer media player. If any of the vulnerabilities are present, the PC is exploited and malware is downloaded to it..."
* http://preview.tinyurl.com/6f2uro
Apr 07, 2008 - "phpBB 3.0.1 released... critical bugs fixed..."

:mad::fear:
 
SQL Injection Attacks Becoming More Intense

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

SQL Injection Attacks Becoming More Intense
- http://www.f-secure.com/weblog/archives/00001435.html
May 13, 2008 - "The mass SQL injection attacks... are increasing in number and we're seeing more domains being injected and used to host the attack files. We believe that there is now more than one group using a set of different automated tools to inject the code. Previously, these attacks have primarily pointed to IP addresses in China and we've seen the following domains being used in addition to the ones we've mentioned previously:
www .wowgm1 .cn
www .killwow1 .cn
www .wowyeye .cn
vb008 .cn
9i5t .cn
computershello .cn
We've now seen other domains being used as well such as direct84 .com which is inserted by an SQL injection tool (detected as HackTool:W32/Agent.B) distributed to the Asprox botnet. SecureWorks has a nice write-up available*. The direct84 .com domain fast-fluxes to several different IPs in Europe, Israel and North America. The injected link eventually leads to a backdoor detected as Backdoor:W32/Agent.DAS. This is a good time to again mention that it's not a vulnerability in Microsoft IIS or Microsoft SQL that is used to make this happen. If you are an administrator of a website that is using ASP/ASP.NET, you should make sure that you sanitize all inputs before you allow it to access the database. There are many articles on how to do this such as this one**. You could also have a look at URLScan*** which provides an easy way to filter this particular attack based on the length of the QueryString."

* http://www.secureworks.com/research/threats/danmecasprox/
May 13, 2008 - "...the SQL attack tool does not spread on its own, it relies on the Asprox botnet in order to propagate to new hosts..."

** http://msdn.microsoft.com/en-us/library/ms998271.aspx

*** http://www.microsoft.com/technet/security/tools/urlscan.mspx

Also see: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513
May 13, 2008

:fear::fear:
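A defender-side check for what the F-Secure post above describes (encoded SQL arriving in the query string of ASP/ASP.NET requests, and URLScan's length-based filter), added here as an example and not code from F-Secure or Microsoft: it scans web-server log lines for query strings carrying SQL keywords or a hex `CAST(0x... AS NVARCHAR)` literal, decodes the literal, and pulls out the `<script src=>` target so it can be blocklisted and the affected pages found. The log lines, the exact payload shape and the script host are constructed assumptions.

```python
import re
import urllib.parse

# Constructed sample log lines (IIS-style: date time method uri query status), not from the page.
# The payload shape (DECLARE/SET/CAST(0x... AS NVARCHAR)/EXEC) is an assumption about the
# "encoded SQL script" the advisories describe; the script host is a placeholder.
_INJECTED_TAG = "<script src=http://malware-host.example.invalid/b.js></script>"
_HEX_BLOB = _INJECTED_TAG.encode("utf-16-le").hex().upper()
SAMPLE_LOG = (
    "2008-05-13 10:01:02 GET /products.asp id=42 200\n"
    "2008-05-13 10:01:07 GET /products.asp id=42;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x" + _HEX_BLOB + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200\n"
    "2008-05-13 10:01:09 GET /news.asp page=3 200\n"
)

CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR", re.IGNORECASE)
SQL_KEYWORD_RE = re.compile(r"\b(DECLARE|EXEC)\b", re.IGNORECASE)
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def decode_hex_blob(hexstr):
    """Turn the 0x... literal back into text. NVARCHAR payloads are UTF-16LE (every second
    byte is 0x00 for ASCII text); VARCHAR payloads are single-byte."""
    raw = bytes.fromhex(hexstr)
    if len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4:
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def extract_script_srcs(text):
    """Return the src= targets of any <script> tags in decoded payload text."""
    return SCRIPT_SRC_RE.findall(text)


def inspect_query(raw_query, max_query_string=2048):
    """Classify one raw (still percent-encoded) query string.
    Returns None if nothing is suspicious, otherwise a dict of findings."""
    query = urllib.parse.unquote_plus(raw_query)
    findings = {
        "long_query": len(raw_query) > max_query_string,  # URLScan-style length rule
        "sql_keywords": sorted({m.upper() for m in SQL_KEYWORD_RE.findall(query)}),
        "decoded": [],
        "script_srcs": [],
    }
    for blob in CAST_HEX_RE.findall(query):
        decoded = decode_hex_blob(blob)
        findings["decoded"].append(decoded)
        findings["script_srcs"].extend(extract_script_srcs(decoded))
    if not (findings["long_query"] or findings["sql_keywords"] or findings["decoded"]):
        return None
    return findings


def scan_log(log_text):
    """Walk log lines and collect findings per line number (1-based)."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 6:
            continue
        _date, _time, _method, path, raw_query, _status = parts[:6]
        findings = inspect_query(raw_query)
        if findings:
            findings.update(line=n, path=path, query_len=len(raw_query))
            hits.append(findings)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"line {hit['line']} {hit['path']} len={hit['query_len']} keywords={hit['sql_keywords']}")
        for src in hit["script_srcs"]:
            print("  injected script source ->", src)
```

Every `script_srcs` host the scanner reports is a candidate for the proxy blocklist the ISC diary recommends, and the matching `path` values tell you which pages to check for stored tags.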
 
Full list of Injected Sites...

(Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.)

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Posted May 14, 2008, at 07:42 AM - "Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google). Note that these numbers decay with time. Some of these domains were injected long ago and have been cleaned. At their height, their numbers may have been larger.

 
Mass SQL Injection Attack Targets Chinese Web Sites

FYI...

Mass SQL Injection Attack Targets Chinese Web Sites
- http://preview.tinyurl.com/5tmj3q
May 19, 2008 3:00 AM PDT (PC World) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan. First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP (Internet Protocol) addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei. "The attack is ongoing,... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said... Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available..."

:fear:
 
China/Taiwan SQL attacks...

More on the China/Taiwan SQL attacks...

- http://preview.tinyurl.com/56u2m7
May 19, 2008 (Computerworld) - "Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites... The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed." The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.

The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748)."
- http://nvd.nist.gov/nvd.cfm

- http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008

:fear::fear:
 
Follow-up:

- http://www.computerworld.com/comments/node/9086658#comment-92914
[China and Taiwan - SQL injection attacks]
Submitted by Anonymous tech on May 19, 2008 - 16:11.
" 'Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites...'

That appears to be incorrect - the SQL injection plants a java-scripted IFRAME which re-directs the victim's browser to an attacker's site that performs the exploits. Please check the facts. More than one source would confirm it.

Every other SQL injection attack to date has done that, using an Mpack-like exploit tool at the attackers' site - NOT the site that was the victim of the SQL injection."

:fear:
 
Chinese weekend SQL injection attacks

FYI... (apologies for the long post - needed for detail):

- http://blog.trendmicro.com/yet-more-weekend-compromises-reach-other-shores/
May 19, 2008 - "...This discovery comes on the tail of the mass compromise* of APAC sites (China, Taiwan, Hong Kong, and Singapore). Curious is how some of the malicious URLs in this new set of compromises are the same as in the first mass compromise. The four sites — humanitarian, government, and news — were injected with the malicious JavaScript..."

Chinese Weekend Compromise
* http://blog.trendmicro.com/chinese-weekend-compromise/
May 19, 2008 - "Just a week after half a million Web sites were compromised, here comes another mass Web threat... This time, Senior Threat Analyst Aries Hsieh, together with our research team in Taiwan, picked up on another script injection attack aimed at Web sites in the Chinese language... A visit to any compromised site would install and execute a malicious script on a system. This said script, which Trend Micro detects as JS_IFRAME.AC, may be downloaded from the remote site hxxp ://{BLOCKED} .us /s.js

JS_IFRAME.AC then downloads JS_IFRAME.AD, which exploits several vulnerabilities to further insert scripts in Web sites. TrendLabs Threats analyst Jonathan San Jose identifies the following exploit routines of JS_IFRAME.AD:
1. Exploits a vulnerability in Microsoft Data Access Components (MDAC) MS06-14, which allows for remote code execution on an affected system
2. Uses the import function IERPCtl.IERPCtl.1 or IERPPLUG.DLL to send the shell code to an installed RealPlayer
3. Checks for GLAVATAR.GLAvatarCtrl.1
4. Exploits a BaoFeng2 Storm and MPS.StormPlayer.1 ActiveX control buffer overflow
5. Takes advantage of an ActiveX control buffer overflow in Xunlei Thunder DapPlayer
Notice that the last two exploits are related to Chinese-language software, suggesting to our researchers that this malicious activity was targeted specifically to China, Taiwan, Singapore, and Hong Kong. These vulnerabilities trigger JS_IFRAME.AD to redirect users to one of the following URLs:
* hxxp ://{BLOCKED}and.cn/real11.htm - detected as JS_REALPLAY.AT
* hxxp ://{BLOCKED}and.cn/real.htm - detected as JS_REALPLAY.CE
* hxxp ://{BLOCKED}and.cn/lz.htm - detected as JS_DLOADER.AP
* hxxp ://{BLOCKED}and.cn/bfyy.htm - detected as JS_DLOADER.GXS
* hxxp ://{BLOCKED}and.cn/14.htm - detected as JS_DLOADER.UOW
JS_IFRAME.AD was found to download the following:
* VBS_PSYME.CSZ
* JS_VEEMYFULL.AA
* JS_LIANZONG.E
* JS_SENGLOT.D
These four malware, in turn, download and execute
hxxp ://{BLOCKED}c.52gol.com/xx.exe, which is detected as TROJ_DLOADER.KQK.
As of this writing, Google search results show some 327,000 pages that contain the malicious script tag..."

(Screenshots available at both TrendMicro URLs above.)

:fear::fear:
 
Shadowserver - mass SQL injection attack domain list

Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

- http://isc.sans.org/diary.html?storyid=4439
Last Updated: 2008-05-20 16:55:25 UTC ...(Version: 3) - "...Shadowserver has published a list of domains used in past -and- recent massive SQL injections* that insert malicious javascript into websites. The list is just focused on mass SQL injection attacks... plans to maintain this list as we come across new domains over time. The list also contains an estimated current number of infected Web sites based on Google stats. This is a great initiative and a very useful resource..."
* http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Full list of Injected Sites ...last modified date/time at bottom of page

:fear:
 
Full list of Injected Sites ...updated

FYI...

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 01, 2008, at 09:04 PM
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google)...
Some of these have been re-injected by URL encoding the script names. So if a host/domain shows up in parentheses and also in the list unencoded, these were two separate injection runs..."

("Full list..." at the URL above.)

:fear::spider:
 
New sql injection site with fastflux hosting

FYI...

New sql injection site with fastflux hosting
- http://isc.sans.org/diary.html?storyid=4519
Last Updated: 2008-06-02 22:13:22 UTC - "One of our frequent contributors notified us of a new sql injection site.
hxxp ://en-us18 .com /b.js is being injected via sql into websites.
When I googled for it I saw 560 injected webpages. “b.js injects an iFrame which points to
hxxp ://en-us18 .com/cgi-bin/index.cgi?ad which in turn embeds two Flash files:

advert.swf: http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf: http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc

This appears to be fast fluxed or at least setup to change rapidly based on this dig output... A second dig a few minutes later produced similar but slightly different results. So this domain is changing. I guess they got tired of people blackholing their ip address. So in that case I would recommend you dns blackhole that domain."

:fear::fear:
 
FYI...

- http://preview.tinyurl.com/64qke6
June 17, 2008 (trustedsource.org/blog) - "MTV France has become another victim of the “Latest Wave of SQL Injection Attacks“. The web site and the RSS feed are heavily infected with several malicious scripts as seen in the screenshot... Each of the malicious domains is serving a script called ‘b.js’ which is related to the “Danmec” malware family (a.k.a. “Asprox”). These domains are hosted on a “fast-flux” network of compromised computers which could also relay spam messages... The biggest concern with the infected RSS feed is that every RSS reader or web site, including the content from MTV France, will host the malicious scripts on their web sites. In a quick test with a WordPress 2.1.3 installation, the full content (including the script) was included in the blog and not filtered out. This is one example of the threat posed by Web 2.0 content mash-ups, where someone is including generated content via feeds into his web site and thereby just spreading the malicious code further."

(Screenshots available at the URL above.)

:fear::sad::fear:
 
New wave of SQL-injection attacks

FYI...

- http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/
26 June 2008 - "...ScanSafe, a company that monitors websites for malicious behavior, reports* a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic. The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months... The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors..."
* http://preview.tinyurl.com/5cyo99
June 26, 2008 (ScanSafe STAT blog) - "The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday... The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload the SQL injection attack tool, which then queries search engines to find susceptible sites and attempts to exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors' computers. Other bots are used as hosts for the malware; these hosts appear to be using the Neosploit framework. Asprox uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses (i.e. one domain name may resolve to any one of a number of attacker-controlled victim computers commandeered to act as malware hosts)... a large number of the trafficked compromised sites appear to be from the manufacturing sector, particularly among companies involved in the manufacture or distribution of heating and cooling systems... the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans - infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in the Ukraine and Malaysia, rather than China..."

:fear::spider::fear:
 
More SQL Injection with Fast Flux hosting

FYI...

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC ...(Version: 5) - "...More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:
hxxp :// updatead .com
hxxp :// upgradead .com
hxxp :// clsiduser.com
hxxp :// dbdomaine.com
b.js then redirects to several domains which host a cgi script
hxxp :// kadport .com /cgi-bin/indes.cgi?ad
hxxp :// hdadwcd .com /cgi-bin/index.cgi?ad
Which then redirects to ad.js which redirects the user to
hxxp :// spyware-quick-scan .com?wmid=1041&I=14&it=1&s=4t
This site attempts to trick the user into installing installer.exe
AV coverage is decent:
http://www.virustotal.com/analisis/92b4fc4e4d3551ef4945cbff173e67d8
...This post has a nice running list of domains: http://infosec20.blogspot.com/2008/06/asprox-sql-injection-botnet-and-iframe.html
The cause seems to be the ASPROX bot kit, which got some SQL injection capabilities in mid-May, see http://www.heise-online.co.uk/secur...quipped-with-SQL-injection-tool--/news/110742 .
Dr. Ulrich's post http://isc.sans.org/diary.html?storyid=4565 lays out very nicely how it all happens... The folks at ShadowServer are keeping a comprehensive and updated list at:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on July 01, 2008, at 10:16 AM ..."

:fear::spider:
 
Sony PlayStation website hacked

FYI...

Sony PlayStation website hacked
- http://www.theregister.co.uk/2008/07/03/playstation_hack/
3 July 2008 - "Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers. SQL injection vulnerabilities on the site were used by miscreants to load malicious code on pages showcasing the PlayStation games SingStar Pop and God of War, net security firm Sophos reports*. The code promotes scareware to visitors, which falsely claims that their computers are infected with computer viruses to frighten them into purchasing software of little or no security utility... Sophos informed Sony of the website vulnerabilities, which were purged by Thursday morning. The attack is the latest in a wave of SQL injection attacks that have turned the websites of legitimate organisations into conduits for drive-by download assaults. Recent victims have included the website of tennis regulators ITF and ATP, the professional players tour and Wal-Mart. Large-scale SQL Injection attacks starting around October 2007 have hit a large number of small sites as well as high-profile targets..."
* http://www.sophos.com/security/blog/2008/07/1540.html

:fear::spider::mad:
 
SQL injections, redirects, d-b-d, and client-side attacks...

FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705
5 July 2008 - "...People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...
Understanding the Danmec/Asprox Attacks...
Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in databases in ways it was never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.
The initial code has been an HTML "script" command, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download.
Innocent user wasn't targeted directly by the attacker's SQL injection. Instead, innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com. Evilsite.net then looks at the information presented by innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect command telling innocent user's browser to contact evilsite2.net (all without any interaction from innocent user). Finally, evilsite2.net provides a working exploit which compromises innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nastiness an attacker can drum up. Since this exploit is reliant on innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks."

(Graphic available at the Shadowserver URL above.)

:fear:
 