Another SQL injection domain: mo98g.cn

I mentioned some days ago that there seems to be a parallel SQL injection attack to Asprox with all the hallmarks of being Chinese. Over the past day or so, mo98g.cn has appeared on some infected sites (often alongside Asprox) making a call to mo98g.cn/q.js which is hosted on 222.122.128.5 in South Korea.

The back end seems not to be working at present, so maybe the server has been cleaned up. In any case, this is another domain to block or check your logs for.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

• 3njx.ru
• cb3f.ru
• cnld.ru
• nbh3.ru
• okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

• bcus2.ru
• jkn3.ru
• juc8.ru
• locm.ru

"Hey, take a look!!" / "Yahoo Daily News"

Looks like another variant of the Storm Worm /Zapchast doing the rounds:

Subject: Hey, take a look!!
From: "Yahoo Daily News"

Hello friend !
You have just received a yahoo messenger ultimate version !!


Click Download Now to begin downloading and installing Yahoo Messenger ultimate version 10 ver 10.1



1. Download Now Click Download Now to begin downloading and installing Yahoo! Messenger ultimate version 10.
ver. 10.1
2. When prompted, please click the Run button in each window that appears.

Other versions: XP (9.0 Beta), Vista, Mac, Web, Mobile

Thank you for using our services !!!
Please take this opportunity to let your friends use about this new software by sending them the source.

Copyright © 2008 Yahoo! Inc. All rights reserved. Copyright/IP Policy | Terms of Service |Guide to Online Security

Relevant advertising creates a better web experience. See how

NOTICE: We collect personal information on this site.

To learn more about how we use your information, see our Privacy Policy

In this case the target file to download is msgr8.5us.exe, VirusTotal detection is pretty good.

Expect to see a LOT of these over the next few days, either themed for the Olympics or the war in South Ossetia. Although the subject will always change, a crash course in user education can help to mitigate the risk.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

• b4so.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• gty5.ru
• iroe.ru
• jve4.ru
• kj5s.ru
• kjwd.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• njep.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

• bs04.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

• bce8.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• pfd2.ru
• po4c.ru

One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.

• jve4.ru
• nmr43.ru
• po4c.ru

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

• cgt4.ru
• kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

• 4cnw.ru
• 4vrs.ru
• 5kc3.ru
• 90mc.ru
• 9jsr.ru
• bts5.ru
• chds.ru
• cvsr.ru
• d5sg.ru
• ecx2.ru
• gb53.ru
• h23f.ru
• jex5.ru
• jvke.ru
• keec.ru
• keje.ru
• kgj3.ru
• lkc2.ru
• lksr.ru

For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

• adwnetw.com
• adpzo.com
• ausbnr.com
• brcporb.ru
• btoperc.ru
• cdport.eu
• cdrpoex.com
• gbradde.tk
• grtsel.ru
• korfd.ru
• movaddw.com
• tctcow.com
• usabnr.com

ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

• adpzo.com
• adwnetw.com
• ausbnr.com
• bkpadd.mobi
• butdrv.com
• cdport.eu
• cdrpoex.com
• cliprts.com
• gbradde.tk
• gbradp.com
• gitporg.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
• tctcow.com
• tertad.mobi
• usabnr.com

These are still using ngg.js in the injected code.

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• crtbond.com
• destad.mobi
  
• destbnp.com
• drvadw.com
• gbradw.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
  
• tertad.mobi
  
• usaadw.com
• usabnr.com

No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

• bkpadd.mobi
• tctcow.com

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• cliprts.com
• crtbond.com
• destbnp.com
• drvadw.com
• gbradp.com
• gbradw.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• tctcow.com
• usaadp.com
• usaadw.com
• usabnr.com

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

• adbtch.com
• aladbnr.com
• allocbn.mobi
• adwadb.mobi
• apidad.com
• appdad.com
• asodbr.com
• asslad.com
• blcadw.com
• blockkd.com
• bnradd.mobi
• bnrbase.com
• bnrbasead.com
• bnrbtch.com
• browsad.com
• brsadd.com
• canclvr.com
• catdbw.mobi
• clrbbd.com
• dbgbron.com
• ktrcom.com
• loctenv.com
• lokriet.com
• mainadt.com
• mainbvd.com
• portadrd.com
• portwbr.com
• stiwdd.com
• ucomddv.com
• upcomd.com

If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

• adwadb.mobi
• allocbn.mobi
• canclvr.com
• catdbw.mobi
• ktrcom.com
• lokriet.com
• mainbvd.com
• portwbr.com
• stiwdd.com
• testwvr.com
  
• upcomd.com
• ucomddv.com
  

The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

• adupd.mobi
• adwste.mobi
• bnrupdate.mobi
• cntrl62.com
• config73.com
• cont67.com
• csl24.com
• debug73.com
• default37.com
• get49.net
• pid72.com
• pid76.net
• web923.com

Best advice to to block access to these sites and check your logs.

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

SQL Injection: bnradw.com

Another SQL Injection domain to block or watch out for in your logs - bnradw.com.

Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.

SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.

msmvps.com, msinfluentials.com and Spyware Sucks offline

I'm a regular reader of Spyware Sucks and was surprised to see that it had been offline for a few days. It turns out that the server that runs the msmvps.com blogging service (used by main Microsoft specialists) got infected with this nasty.

The Google cache of the SBS Diva Blog throws up this information:

In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that' service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.

http://www.sophos.com/security/analyses/viruses-and-spyware/w32rbotgos.html

We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else find out the "how" this happened.

Bottom line we got a critter on the box and I didn't (intentially anyway) put it there.

And to check to see if Yoda should be quarantened (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.

and

In looking at the log files and event logs of Yoda, I'm not liking what I'm seeing... so the blog site at www.msmvps.com and www.msinfluentials.com will be offline starting at 7p.m. Pacific possibly until Friday.

Apologies for the inconvenience to all the bloggers on the site and we'll get back online as soon as we can.

Microsoft recommends that any systems found to be compromised or suspected of being compromised be formatted and re-installed from a known good build (i.e. operating system CD + all security patches while disconnected from the network). CERT has a good web site that provides information on recovering from security incidents located at: http://www.cert.org/nav/recovering.html

Oh well.. it can happen to anyone.

HTM Hell

One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laded domains injected into the code. Click the image below to see a snippet from a really badly infected site.


The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.

chkadw.com

The latest domain in the SQL Injection attacks is chkadw.com (i.e. pointing to www.chkadw.com/b.js). Domain is registered to a (probably fake) Chinese contact through a Chinese registrar. Delivery mechanism and payload seem to be identical to the latest attacks.

Yet more SQL injection domains

Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.

Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.

If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.

One to watch: js.users.51.la

What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but the seem to have distinct differences.

js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably part of the bad guys' statistical tracking system the js.users.51.la domain is combined with what appears to be a randomly named .js file.

This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.

Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.

advabnr.com and adsitelo.com

SQL injection time again, this time with two new domains advabnr.com and adsitelo.com both loading a script called b.js (i.e. advabnr.com/b.js and adsitelo.com/b.js)

This is turning up on sites that have already been infected with other SQL injection attacks. The good news is that the new attacks seem to be smaller, indicating that people really are managing to secure their web servers.

Some notable infected sites (many of these have been cleaned up).

adsitelo.com

• bioimmune.com - BioImmune Inc (Health)
• immuquest.com - Health
• eyemdlink.com - Health
• tandberg.com - Tandberg (Electronics)
• techsol.com - Technology Solutions Company (ERP services)
• pollingcompany.com - The Polling Company (Market Research)
• spjc.edu - St Petersburg College
• judge.com - The Judge Group (jobs)

advabnr.com

• ibs.com - IBS, Inc (IT Services)
• outsourcingcentral.com - Business information
• mintek.com - Mintek Mobile Data Solutions
• engcen.com - Engineering jobs
• micronet.com - Digital storage

If you're searching for these domains yourself, I recommend using Yahoo! and Google as they give different results. Of course, these sites contain live malware so approach with caution.

bigadnet.com - lastest SQL injection domain

A continuation of the latest wave of SQL Injection attacks is bigadnet.com - many sites infected with "older" attacks have been "upgraded" to bigadnet.net. The inserted code to look for is www.bigadnet.com/b.js which then forwards to bigadnet.com/cgi-bin/index.cgi?ad - this in turn seems to be able to deliver a variety of malware.

bigadnet.com is running on a fast flux botnet, so it's highly distributed and resilient but not very reliable at actually delivering a payload.

UK Goverment sites hit by SQL Injection attacks

Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

• fco.gov.uk - Foreign and Commonwealth Office
• dfes.gov.uk - Department for Children, Schools and Families
• harrow.gov.uk - Harrow Council
• cwic.cornwall.gov.uk - Cornwall County Council
• cityoflondon.gov.uk - City of London
• corpoflondon.gov.uk - City of London
• nottinghamcity.gov.uk - Nottingham City Council
• relocateleicester-shire.gov.uk - Leicetershire County Council
• gos.gov.uk - Government Office Network
• lda.gov.uk - London Development Agency
• uktradeinvest.gov.uk - UK Trade & Investment
• dcalni.gov.uk - Northern Ireland leisure and tourism
• colchester.gov.uk - Colchester Borough Council
• countryside.wales.gov.uk - Welsh assembly
• cefngwlad.cymru.gov.uk - Welsh assembly
• broadband.cymru.gov.uk - Welsh assembly
• wmra.gov.uk - West Midlands Regional Assembly
• wmlga.gov.uk - West Midlands Local Government Association
• wycombe.gov.uk - Wycombe District Council
• southshropshire.gov.uk - South Shropshire District Council
• businesslink.gov.uk - Business Development
• shetland.gov.uk - Shetland Council
• unlockingessex.essexcc.gov.uk - Essex County Council
• southshropshire.gov.uk - South Shropshire District Council
• e-petitions.kingston.gov.uk - Kingston Borough Council
• clevelandfire.gov.uk - Cleveland Fire & Rescue
• surreyheath.gov.uk - Surrey Heath Council
• rbkc.giv.uk - Royal Borough of Kensington and Chelsea
• conwy.gov.uk - Conwy County Council

These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

Widen the search to sites containing .gov with a "b.js" exploit in (the most common), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it.. these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.

SQL Injection: advertbnr.com, logid83.com, script46.com, rexec39.com

Another batch of domains being used in SQL Injection attacks: advertbnr.com, logid83.com, script46.com, rexec39.com. Sanitize your inputs.

It looks like a lot of recent domains have been suspended by their registrar, some of the recent domains are with Xin Net who have been spam-friendly in the past, but may be cleaning up their act.

Google indicates that around 668,000 web pages are infected, but a search at Yahoo! shows around 3,000,000 infected pages which is probably more accurate.

SQL Injection: sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com

Another batch of domains showing up in SQL injected are sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com.

Some notable compromised sites:

• ise.ie - Irish Stock Exchange
• pittsfield-ma.org - City of Pittsfield
• corangamite.vic.gov.au - Corangamite Shire, Victoria
• fdc.org.br - Brazilian government agency
• dailyu.com - Local newspaper
• www.humanrightsfirst.org - Campaigning organisation
• therecruitbusiness.com - Recruiting
• corporate-responsibility.org - Business information
• childcarefinancialaid.org - Financial information
• micronet.com - Computer storage
• tairawhiti.ac.nz - Tairawhiti Polytechnic, New Zealand

The payload at the moment is undertermined, and some of these sites will have been cleaned up. At the time of writing, Irish Stock Exchange at ise.ie is still compromised.

More SQL injection fun: view89.com, exe94.com and tag58.com

Yet more new domains in this never ending wave of SQL Injection attacks: view89.com, exe94.com and tag58.com. Infected sites load a malicious javascript from www.view89.com/b.js or www.tag58.com/b.js which redirects through exe94.com/cgi-bin/index.cgi?ad - that in turn might try any number of things to infect the visitor's PC.

flyzhu.9966.org and exec51.com SQL injection attacks

More in the ever morphing world of SQL injection attacks. Sites that were hit with the xiaobaishan.net attack are now directing to flyzhu.9966.org/us/Help.asp and sites previously infected with en-us18.com are now pointing to www.exec51.com/b.js

9966.org appears to be a dynamic DNS service, exec51.com is a fast flux botnet. My best guess is that there are two rival groups performing SQL injections, one of them is Chinese and the other Russian.

The nature of the botnet means that the payload delivery is a bit erratic, but with a bit of effort exec51.com coughs up a reference to fake anti-spyware site advancedxpdefender.com. That tries to install a trojan which is pretty well detected by most AV products.

Thanks also to Amir who pointed us in the direction of his guide to preventing SQL injection attacks - if your server has been hit by one of these exploits, then it might be useful to you.

win496.com, tag58.com, rundll841.com and sslput4.com: another SQL injection attack

Yet another SQL injection attack doing the rounds, this time inserting references to www.win496.com/b.js, www.tag58.com/b.js and www.rundll841.com/b.js. The javascript redirects to sslput4.com/cgi-bin/index.cgi?ad. (Obviously, don't visit these sites unless you know what you are doing!)

All the domains run on a distributed botnet and were freshly registered this morning to a no-doubt fake address:

whois -h whois.crsnic.net win496.com ...
Redirecting to DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

whois -h whois.PublicDomainRegistry.com win496.com ...
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: WIN496.COM

Registrant:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009

Domain servers in listed order:
ns4.win496.com
ns3.win496.com
ns2.win496.com
ns1.win496.com


Administrative Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Technical Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Billing Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Status:ACTIVE

There are probably several different payloads, one we have seen is the Danmec trojan which drops a file called aspimgr.exe into the SYSTEM32 folder (more details here, here and here). The payload delivery may be randomised, it seems to be quite difficult to determine exactly what is going on.

If your server has been infected, then you need to do more than just clean it up.. you need to sanitize your SQL inputs. You can read more details of how SQL injections works here.

Right now it is difficult to say how many sites are impacted as the domains are really very new.

Added: you can add sysid72.com/b.js to this list too. That was registered 5 days ago, and a Google search already shows over 2000 hits. Also locale48.com has infected over 4000 pages in the same time frame.

en-us18.com, libid53.com and rundll92.com SQL injection attack

Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad

It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicate that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad

At the moment, these merely serves up another redirector to MSN.com, but it would be easy enough for the botnet controllers to change it to a malicious payload.

Some notable infected sites:

• tcpmag.com (Technology magazine - again!)
• annefrank.org (Anne Frank Museum)
  
• galatta.com (Indian movies)
• onefootball.dk (Sport)
• tvoneonline.com (US TV station)
• belfastcity.gov.uk (UK local government)
• marketingprinciples.com (Marketing guide)
• hobsonsbay.vic.gov.au (Australia local government)

This is quite a fresh looking exploit, this is not comprehensive. It is very disappointing to see tcpmap.com listed yet again, and we've seen sister publication redmondmag.com infected before too.

xiaobaishan.net - yet another SQL injection attack

It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on 219.146.128.119 in China.

It looks like the domain may well be a legitimate one that has somehow been compromised and 219.146.128.119 looks like a pretty standard shared server.

It's possible that the chliyi.com infected sites were deliberately targeted, the resulting HTML is an awful mess though (see below).

Some notable infected sites:

• kcsg.com (again)
• sciencescotland.org (again)
• paramountcomedy.com (again)
• drdrew.com (again)
• gisp.org (again)
• legis.state.ia.us (Iowa State legislature)
• modernamuseet.se (Stockholm Museum)
• calbears.berkeley.edu (University)
• reportchildsex.com (Child protection)
• cas.org.uk (Citizen's Advice Scotland)
• tcpmap.com (Technlogy magazine)
• randomhouse.com.au (Random House publishers, Australia)
• ispyni.com (Northern Ireland tourism)

There are a number of other sites, notably in Ireland, Australia and Canada hit too.

This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this:

pest-patrol.com is not the real PestPatrol - part II

The fake pest-patrol.com site we mentioned a few days ago has fixed its download problem and has given us a sample. Like many of these fake anti-malware sites, the executable morphs continually to avoid protection.

Detection rates are not good (VirusTotal results), and the real PestPatrol / eTrust product doesn't pick it up yet.

I strongly suspect that there's nothing good in the 85.255.112.0 - 85.255.127.255 range at all, and it is probably a good idea to block access to that entire IP block.

Antivirus;Version;Last Update;Result
AhnLab-V3;2008.5.22.1;2008.05.27;-
AntiVir;7.8.0.19;2008.05.27;SPR/Dldr.PestPatr.A
Authentium;5.1.0.4;2008.05.26;-
Avast;4.8.1195.0;2008.05.27;-
AVG;7.5.0.516;2008.05.26;-
BitDefender;7.2;2008.05.27;-
CAT-QuickHeal;9.50;2008.05.26;-
ClamAV;0.92.1;2008.05.27;-
DrWeb;4.44.0.09170;2008.05.27;-
eSafe;7.0.15.0;2008.05.26;-
eTrust-Vet;31.4.5826;2008.05.27;-
Ewido;4.0;2008.05.26;-
F-Prot;4.4.4.56;2008.05.26;-
F-Secure;6.70.13260.0;2008.05.27;-
Fortinet;3.14.0.0;2008.05.27;-
GData;2.0.7306.1023;2008.05.27;-
Ikarus;T3.1.1.26.0;2008.05.27;-
Kaspersky;7.0.0.125;2008.05.27;not-a-virus:Downloader.Win32.FraudLoad.bz
McAfee;5303;2008.05.26;-
Microsoft;1.3520;2008.05.27;-
NOD32v2;3134;2008.05.27;-
Norman;5.80.02;2008.05.26;-
Panda;9.0.0.4;2008.05.27;-
Prevx1;V2;2008.05.27;-
Rising;20.46.12.00;2008.05.27;-
Sophos;4.29.0;2008.05.27;-
Sunbelt;3.0.1123.1;2008.05.17;-
Symantec;10;2008.05.27;-
TheHacker;6.2.92.320;2008.05.26;-
VBA32;3.12.6.6;2008.05.27;-
VirusBuster;4.3.26:9;2008.05.26;-
Webwasher-Gateway;6.6.2;2008.05.27;Riskware.Dldr.PestPatr.A

chliyi.com - another injection attack

Thanks to Dancho Danchev for the heads up, it looks like there's another SQL injection attack on the loose, this time pointing to chliyi.com/reg.js, with about 10,000 hits currently on Google for a variety of sites.

Reportedly, this launches some sort of ActiveX attack via obfuscated VBscript. This is another good reason not to use Internet Explorer, as most other browsers do not support ActiveX and are not vulnerable.

Unlike some other recent injection attacks, this one seems to use a legitimate domain called chliyi.com - unfortunately for the bad guys, the registration on the domain is going to run out pretty soon.

Domain Name.......... chliyi.com
Creation Date........ 2003-06-12 11:21:39
Registration Date.... 2003-06-12 11:21:39
Expiry Date.......... 2008-06-12 11:21:39
Organisation Name.... junrong shen
Organisation Address. dongxiaoqiao3-1-104
Organisation Address.
Organisation Address. suzhou
Organisation Address. 215006
Organisation Address. JS
Organisation Address. CN

Admin Name........... shen junrong
Admin Address........ dongxiaoqiao3-1-104
Admin Address........
Admin Address........ suzhou
Admin Address........ 215006
Admin Address........ JS
Admin Address........ CN
Admin Email.......... wzh@hisuzhou.com
Admin Phone.......... +86.51265678898
Admin Fax............ +86.51257306265

Tech Name............ zhihui wang
Tech Address......... suzhou
Tech Address.........
Tech Address......... suzhou
Tech Address......... 215021
Tech Address......... JS
Tech Address......... CN
Tech Email........... wzh@hisuzhou.com
Tech Phone........... +86.5169697639
Tech Fax............. +86.5167621807

Bill Name............ zhihui wang
Bill Address......... suzhou
Bill Address.........
Bill Address......... suzhou
Bill Address......... 215021
Bill Address......... JS
Bill Address......... CN
Bill Email........... wzh@hisuzhou.com
Bill Phone........... +86.5169697639
Bill Fax............. +86.5167621807
Name Server.......... dns22.hichina.com
Name Server.......... dns21.hichina.com

The IP address of the server is 218.30.96.87 which is not in the Spamhaus DROP list which indicates again that the chliyi.com might well be legitimate, just compromised.

This is another attack that goes to show that "there is no such thing as a safe site". A scan of the Google results comes up with some interesting (and alarming) infected sites:

• forces.ca - Canadian military
• paramountcomedy.com - Paramount Comedy (Cable TV channel)
  
• kcsg.com - KCSG (Utah TV station)
• umnh.utah.edu - University of Utah
• digital.lib.ecu.edu - East Carolinia Unitersity
• chapel.duke.edu - Duke University
  
• drdrew.com - Dr Drew (relationship advice)
• gisp.org - Global Invasive Species Program
  
• sciencescotland.org - Royal Society of Scotland
  
• moffitt.org - H. Lee Moffitt Cancer Center and Research Institute
• confetti.co.uk - Confetti (Wedding planning)
  
• buildabear.com - Build-a-Bear Workshop
  
• delluniversity.com - Dell
• trelleborg.com - Trelleborg AB (Polymer manufacturer)
  

None of these are huge sites when it comes to traffic, but there are some well-known names there and certainly some which you would hope would be more secure. Out of the other infected sites, it seems that the US Canada, Australia, the UK and Ireland seem to have the biggest cluster of infected sites with very few showing outside those countries.

This is not a comprehensive list of infected sites, and many of these sites will have been cleaned up.

If you are running an SQL server, then the rule is to secure your inputs, else you will get attacked again and again.