Home > Uncategorized > The New SQL Injection Attack

The New SQL Injection Attack

Just in time for the Holidays—a new, extremely sophisticated SQL injection attack that may have already infected up to 300,000 Web pages has been detected. Perpetrators are using SQL injection to push a malicious iframe that is named script src=hxxp://318x.com into Web servers. (An iframe is an HTML structure that enables another HTML document to be put into an HTML page.) When a Windows user connects to one of these servers, this iframe redirects the user to a malicious Web site, www.318x .com, without the user’s knowledge. (Important note: please DO NOT CLICK ON THIS URL OR GO TO THIS SITE unless you want your system to become a victim of this attack!) It then runs a script that creates a new iframe that redirects the user’s browser to www.318x.com/a .htm (again, please DO NOT CLICK ON THIS URL OR GO TO THIS SITE), installs a second malicious iframe from aa1100.2288.org/htmlasp/dasp/alt.html, and then installs and executes a script named js.tongji.linezing.com/1358779/tongji.js (which used for tracking where the victim system is). This script creates a third malicious iframe that redirects the victim system’s browser to aa1100.2288.org/htmlasp/dasp/share.html. This script loads and executes yet another script named js.tongji.linezing.com/1364067/tongji.js and also determines the type of browser in the victim system. It then installs several more iframes used to point to hidden scripts that reside in the same directory. These scripts determine what version of Abode Flash Player the victim system has and then attempt to exploit five vulnerabilities in the user’s system:
• A vulnerability in MDAC ADODB.connection ActiveX (see Microsoft Bulletin MS07-009)
• A vulnerability in Internet Explorer uninitialized memory (see Microsoft Bulletin MS09-002)
• A vulnerability in Microsoft video ActiveX (see Microsoft Bulletin MS09-032)
• Vulnerabilities in Microsoft Office Web Components (see Microsoft Bulletin MS09-043)
• An integer overflow vulnerability in Adobe Flash Player (see CVE-2007-0071)
If any of these vulnerabilities is present, a Trojan program, Backdoor.Win3.croo, is installed on the victim system. This piece of malware, which is a variant of the Buzus Trojan, steals banking information that includes among other things account names, passwords, and PINs. Backdoor.Win3.croo also has rootkit functionality, enabling it to avoid detection by anti-virus and other software on infected systems. This Trojan then creates files in two folders:

%ProgramFiles%\Common Files\Syesm.exe
%UserProfile%\ammxv.drv

It then makes changes to the following Registry keys to ensure that the malware starts whenever the system is booted:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\DrvKiller\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\DrvKiller\Security

Finally, the Trojan tries to connect to port 80 of IP address 121.14.136.5 to send information it gleans.

A wide variety of Web sites is being used to inject this malware into users’ systems; parisattitude .com, knowledgespeak .com,and yementimes.com are just a few of these sites. Even the Iowa City, Iowa municipal site was taken over by the perpetrators. Security vendor ScanSafe reported that about two percent of Web connections it had analyzed were to infected sites—a statistic that I consider alarming!

I checked and found that most anti-virus and anti-malware vendors have updates that detect and eradicate this ugly Trojan. If I were you, I’d thus make sure that all your anti-virus and anti-malware software has the latest update. Additionally, you should ensure that all five vulnerabilities that are being exploited in these attacks are patched in all your Windows systems. Furthermore, you should block outbound traffic from your network that is bound for port 80 of IP address 121.14.136.5 and all URLs for sites that the malicious iframes visit. Finally, you should configure intrusion detection and intrusion prevention systems as well as firewalls to monitor all attempts to reach this IP address and the URLs, as these attempts will almost certainly indicate the existence of compromised Windows systems.

Categories: Uncategorized Tags:
  1. No comments yet.
  1. No trackbacks yet.
You must be logged in to post a comment.