It seems to be the "in-thing" these days - using an automated tool to perform SQL injections against vulnerable sites across multiple domains. Although the attack method isn't new, some sites are hit multiple times, as evident by a corruption of the injection code when one attacker overwrite a previously injected record. Below, you can see cached search results when searching for a specific known script injection:
Image 1: Search results indicating embedded scripts - multiple attacks
In the above highlighted portion, note the beginning of an original script tag injection being superimposed with another script tag injection. Below, you can see the effect of multiple attacks on another site and as evident in the page source:
Image 2: HTML source indicating multiple embedded script tags from various SQL injection attacks
Speaking of SQL injections however, one has to wonder - what's all the hype? What are attackers after or what is their motive? It would seem that there are several motives, but one motive that may (or not) be surprising is the uprising in injecting code that executes multiple exploits in an attempt to download and execute game password stealers. Let me say that again - game password stealers.
We continue to monitor injected scripts, and add detections to cover various iterations - the threats are detected as "Trojan:JS/Redirector":
Image 3: Microsoft Forefront Client (FCS) Security Warning alert
Our friends over at ShadowServer have compiled a list of offending domains that are either compromised and don't know it, or are under control of an attacker and are hosting (or did host) malicious scripts or executables. Below is a list as of May 14 2008 of domains, courtesy of this link: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
nihaorr1.com free.hostpinoy.info xprmn4u.info nmidahena.com winzipices.cn sb.5252.ws aspder.com 11910.net bbs.jueduizuan.com bluell.cn 2117966.net s.see9.us xvgaoke.cn 1.hao929.cn 414151.com cc.18dd.net yl18.net kisswow.com.cn urkb.net c.uc8010.com rnmb.net ririwow.cn killwow1.cn qiqigm.com wowgm1.cn wowyeye.cn 9i5t.cn computershello.cn z008.net b15.3322.org direct84.com caocaowow.cn qiuxuegm.com firestnamestea.cn a.ka47.us a188.ws qiqi111.cn
Approximate # of Pages Injected 468,000 444,000 369,000 140,000 75,000 69,000 62,000 47,000 44,000 44,000 39,000 39,000 33,000 20,000 17,000 15,000 15,000 13,000 13,000 9500 7000 6000 4000 3600 3500 2800 2500 2300 1600 1200 1100 900 800 700 600 500 230
I was reviewing the 'qiqi111.cn' attack and learned that the malicious script requested files from these domains: 'pigzd.cn' and 'dota11.cn'. I decided to follow the white rabbit, taking the first domain and I began to retrieve the malicious script 'am6.htm' (identified already as "Exploit:JS/Repl.B").
The script 'am6.htm' contains a handful of attack methods, attempting exploits to download and execute more code:
Image 4: Source code of 'am6.htm' illustrating the attack methods
I know what you're saying, "what the heck, what are all these iframes?", so let's take a quick look at them:
So with five opportunistic attacks, the odds increase in favor of acquiring some Internet nasties and we will continue to monitor these attacks.
During our research, we analyzed some of the malicious scripts. More details about these scripts are available at our Microsoft Malware Protection Center Encyclopedia: http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.H http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.I http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.J http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.K http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.L http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.M http://www.microsoft.com/security/portal/Entry.aspx?Name=Trojan:JS/Redirector.N
Additional resources and recommendations are available from the Security Vulnerability Research & Defense team: http://blogs.technet.com/swi/archive/2008/05/29/sql-injection-attack.aspx
and from Bala Neerumalla, Microsoft Corporation, who discusses common coding mistakes in ASP code that can lead to SQL Injections in the following article: http://msdn.microsoft.com/en-us/library/cc676512.aspx
-- Patrick Nolan