Tuesday, 13 May 2008
SQL Injection: The Game
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
Steven posted an excellent summary of malicious activity caused by a SQL injection that pointed users at winzipices.cn in a blog post on 07.05.2008. In the article, he noticed several calls from test.htm to a website under the bsu.edu domain loading screenshots from World of Warcraft. At the time, the reason for this wasn't clear. Since his post, we've investigated further and have more details.
The URLs loaded were similar to this one:
hxxp://www.bsu.edu/web/nmmakridakis/images/lolret1.jpg
That seemed like a pretty unique string. To the search engine, Batman! What we find is that the string turns up on various World of Warcraft forums. There is one link that includes the images that Steven mentioned and then several where the host and domain names change (i.e., not bsu.edu). This seems odd (almost as odd as the original post: Hello, I am the ret) and warrants further investigation.
The First Results
The search (site:forums.worldofwarcraft.com theretflash.swf -.edu -- this swf showed up in all the posts and was the sole link that didn't show up in test.htm) results in over 500 posts scattered across many different domain names. Interestingly, our friend winzipices.cn doesn't show up in the list, but several others do. Each of these (that was reachable at the time of discovery) hosts the same malware as winzipices.cn and seems to behave in the same way. The missing link from the winzipices.cn event was/is theretflash.swf. On the bsu.edu site, this is some sort of Flash screencast that I couldn't bring myself to watch. However, the theretflash.swf as posted by our friends is quite different:
<frameset rows="444,0" cols="*">
    <frame src="/test.htm" framborder="no" scrolling="auto" noresize marginwidth="0"margingheight="0">
    <frame src="/pp.htm" frameborder="no" scrolling="no" noresize marginwidth="0"margingheight="0">
</frameset>
With this, we begin to understand the calls made in test.htm back to bsu.edu. What this tries to do is show you a random screenshot from the bsu.edu site while pp.htm (and its partner in crime pp.js) goes to town trying to compromise your computer. If successful, you'll end up with the same malware mentioned by Steven (a keylogger).
But Wait, There's More
While digging deeper into our Ret Pally (yes, I play WoW...WHAT?) and his duplicate friends, we find he's not alone. One of the domains that shows up in the results from the first search (computershello.cn) shows up in a thread that seems to be about some other in-game goings-on. The original post, Huge Alliance Raid on Halaa(w/pics), seems to have been copied into over 150 other posts (site:forums.worldofwarcraft.com "Huge Alliance Raid on Halaa(w/pics)" jpg -imageshack). The image links have been rewritten to come from a different site, but again, the entire URL structure has been preserved: hxxp://img156.imageshack.us/my.php?image=wowscrnshot062407015505zh5.jpg becomes hxxp://computershello.cn/my.php?image=wowscrnshot015505zh5.jpg. But just like our .swf from before wasn't an actual Flash file, this .jpg isn't an image:
<frameset rows="444,0" cols="*">
    <frame src="/test.htm" framborder="no" scrolling="auto" noresize marginwidth="0"margingheight="0">
    <frame src="/pp.htm" frameborder="no" scrolling="no" noresize marginwidth="0"margingheight="0">
</frameset>
Look familiar? There's probably more of these out there, but what it seems like is that we have a group that has co-opted two forum posts and is reposting them with malicious links.
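Both decoys above share the same tell: a URL that claims to be a .swf or .jpg serves HTML instead, and that HTML hides a second frame in a zero-height frameset row. The following detector is an added example, not code from the original post; it checks a fetched body against the magic bytes of the claimed file type and pulls out the src of any frame sitting in a 0-height row. The sample bodies are constructed here (the frameset is the one quoted above, the JPEG header is a minimal JFIF prefix).

```python
import re

# Leading bytes a body with the claimed extension should start with.
MAGIC = {
    "jpg": (b"\xff\xd8\xff",),
    "swf": (b"FWS", b"CWS", b"ZWS"),  # uncompressed, zlib- and LZMA-compressed Flash
}

FRAMESET_RE = re.compile(rb'<frameset\b[^>]*\brows="([^"]*)"', re.I)
FRAME_SRC_RE = re.compile(rb'<frame\b[^>]*\bsrc="([^"]*)"', re.I)


def looks_like_html(body):
    """Cheap sniff: markup near the start of the body instead of a binary header."""
    head = body[:512].lstrip().lower()
    return head.startswith(b"<") and any(
        tag in head for tag in (b"<html", b"<frameset", b"<script", b"<iframe"))


def hidden_frames(body):
    """Return the src of every <frame> placed in a zero-height row of the first <frameset>."""
    m = FRAMESET_RE.search(body)
    if not m:
        return []
    rows = [r.strip() for r in m.group(1).split(b",")]
    srcs = FRAME_SRC_RE.findall(body)
    # Frames fill rows in document order, so pair them positionally.
    return [s.decode("ascii", "replace") for row, s in zip(rows, srcs) if row == b"0"]


def analyze(claimed_ext, body):
    """Flag a decoy: a 'jpg'/'swf' URL whose body is HTML carrying a hidden frame."""
    expected = MAGIC.get(claimed_ext.lower(), ())
    mismatch = bool(expected) and not body.startswith(expected)
    html = looks_like_html(body)
    hidden = hidden_frames(body) if html else []
    return {"type_mismatch": mismatch, "is_html": html,
            "hidden_frames": hidden, "suspicious": mismatch and bool(hidden)}


# Constructed samples: the decoy frameset from the forum posts, and a real JPEG prefix.
DECOY = (b'<frameset rows="444,0" cols="*"> '
         b'<frame src="/test.htm" framborder="no" scrolling="auto" noresize marginwidth="0"margingheight="0"> '
         b'<frame src="/pp.htm" frameborder="no" scrolling="no" noresize marginwidth="0"margingheight="0"> '
         b'</frameset>')
REAL_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01"

if __name__ == "__main__":
    print("theretflash.swf decoy:", analyze("swf", DECOY))
    print("genuine jpg:", analyze("jpg", REAL_JPEG))
```

In practice you would run this over proxy-logged responses whose URL extension or Content-Type promises an image or Flash file; the hidden frame src is the URL worth pulling for further analysis.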
Adding Insult to Injury
When you look at the posts, keep in mind that the avatar indicates the character in World of Warcraft and its level. Level 70 is currently the highest attainable, and indicates that the character likely has a lot of in-game items (loot) and money (gold). Every one of these posts is made using a compromised account. This means that not only has that account likely had its loot and gold swiped, the attacker impersonated the user to try and infect others!
The List
The full list of domains seen so far (some are dead, some are still live, be careful!):
Note the overlap with some of the SQL-injected jscript that we've been seeing as of late, and note the timestamps of some of these posts. I believe that this infrastructure has been in place for compromising World of Warcraft forums for some time, but once they found out about the ease of SQL injections (we know of at least two tools in the wild for performing mass injections of malicious jscript), they decided to add this method to their repertoire.
The Final Question
How much of this is automated? Does some piece of malware downloaded to the infected system post to the World of Warcraft forums? Is it simply a copy and paste template that's used once an account is compromised?
Posted May 13, 2008, at 10:23 AM by Mike Johnson