2117966.net-- mass ASP/SQL injection

Diary

Share |

Published: 2008-03-14,
Last Updated: 2008-03-17 14:59:16 UTC
by Kevin Liston (Version: 5)

Situation:

Over 10,000 legitimate websites have been compromised and now have a javascript link that will direct visitors to a malicious website hosted on 2117966.net. The malicious website attempts to exploit the vulnerability described in MS06-014 MS07-004, MS06-067, MS06-057and a number of ActiveX vulnerabilities.

Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.

Recommended immediate action:

Block 2117966.net at your web proxy.

Recommended follow-up action:

Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 61.188.39.175
(Source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.

Protecting Browsers:

A properly-patched system should not be at-risk from this attack. It is recommended to use a browser that does not support ActiveX. Use of javascript controls such as NoScript are also effective.

Protecting Webservers:

The CSS Security Team as Microsoft has released details on how the code was injected into the servers. It's an automated script that exploits poor input-checking code in the ASP page.

http://blogs.technet.com/neilcar/archive/2008/03/14/anatomy-of-a-sql-injection-incident.aspx

http://blogs.technet.com/neilcar/archive/2008/03/15/anatomy-of-a-sql-injection-incident-part-2-meat.aspx

A more rigorous description and how to protect your ASP from SQL injection is available here:
http://weblogs.asp.net/scottgu/archive/2006/09/30/Tip_2F00_Trick_3A00_-Guard-Against-SQL-Injection-Attacks.aspx

Update: Added additional exploit information

Update: Clarify that shadowserver is not the endpoint of the malicious traffic-- they provided that malware analysis (thanks guys)

Update: this was misidentified as an iframe injection when in fact it was a javascript link on the altered ASP pages.

Update: MS fills in the blanks on how the code was injected.

Keywords:

2 comment(s)

Comments

I see that various security researchers are debating the possibility of attackers using the caching feature of websites search software to add IFrame code to the saved search results on the sites.

Anyone come across this ?

On the assumption that this is a possible attack vector, wouldn't an immediate response advice be to disable site search caching on your website search software pending further investigation ?

posted by Karl, Fri Mar 14 2008, 16:13

You might want to mention, parenthetically, that MS06-014 should _not_ be confused with MS08-014, which was just announced earlier this week. Some folks might mis-read the first paragraph and get spun up over nothing.

posted by Jim Duncan, Fri Mar 14 2008, 17:58

Handler's Diary: Oracle has an unscheduled security alert and patch for CVE-2010-0073. The ...