TTH Labs: New SQL Injection attack hits thousands of sites
by Steve Ragan - Aug 19 2010, 03:57
Update: (Vertical breakdowns)
As reported by The Register, Apple had two iTunes pages that were targeted by this attack. However, nothing suggests that anything other than these two were impacted on the Apple domain. Both pages are clean now, based on our inspections this morning.
Using Google to gauge the number of infections, it appears that this attack has been running for some time. Early examples of the VARCHAR alterations show Chinese university pages that were hit as far back as November 2009. Domains running on edu.cn, as well as edu.hk, have been impacted.
Government sites in Brazil, China, and Malaysia have been targeted as well. When it comes to the UK, sites for businesses large and small are impacted, from wedding planning to industrial services such as manufacturing. There is also a scattering of EU domains that appear to be small business related, as well as personal domains. Australia is included as well, with several dozen sites.
There is a wide range of countries and vertical markets that were targeted by this attack, mostly in the manufacturing area and small business. If you’re curious, Russia has several domains impacted, but not as many as the big three, COM, NET, and ORG.
It is interesting to note that the automation is including other malicious IFRAMES as well. It appears that the attack list is being used by more than one person / group. The following domains are being used in addition to the one we reported on earlier.
hxxp://scarletpole.ru:8080
hxxp://blockoctopus.ru:8080
hxxp://nutcountry.ru:8080
We’ll keep following this, and report more details as we get them.
Original Article:
A new automated SQL Injection (SQLi) attack is circulating online. It appears to have hit tens of thousands of websites at the least. To make things worse, the attack is using a domain on a bulletproof server out of China, making it nearly impossible to knock offline, and has ties to the Zeus botnet.
The attack itself was first noticed by an administrator who reported a series of obfuscated records to SANS [link]. The statements use the CAST command twice; CAST converts data from one type to another. The data inside the CAST was hex-encoded, and the statement requested its conversion to VARCHAR.
Once decoded, the SQL sentence contained the second CAST command which, when decoded in turn, revealed an attempt to inject an IFRAME linking scripts from nemohuildiin.ru into the targeted site. The attack attempts to update every VARCHAR column in the victim’s database by appending the malicious IFRAME.
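The decoding described above (a hex literal wrapped in CAST ... AS VARCHAR, which itself decodes to another CAST) is routine work when reviewing web server logs after an incident like this. The following Python is an added example written for this article, not code from the original report or from SANS: it unwraps nested hex CAST layers from a request URL and flags keywords (UPDATE, IFRAME, EXEC, and so on) in the decoded text. The sample request, the hostname victim.example, the table name example_table and the iframe target example.invalid are all constructed for the demonstration.

```python
import re
from typing import List, Tuple
from urllib.parse import quote, unquote, urlparse

# Matches CAST(0x<hex> AS VARCHAR(n)) or NVARCHAR, case-insensitive, whitespace tolerant.
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*\)",
    re.IGNORECASE,
)

# Keywords that, inside a decoded layer, indicate the request is not ordinary data.
SUSPICIOUS = ("UPDATE", "IFRAME", "EXEC", "DECLARE", "CURSOR", "SCRIPT")


def decode_hex_literal(hex_digits: str) -> str:
    """Turn the digits of a 0x... literal back into text."""
    if len(hex_digits) % 2:          # truncated log lines can leave an odd digit count
        hex_digits = "0" + hex_digits
    raw = bytes.fromhex(hex_digits)
    # NVARCHAR payloads are UTF-16LE: every second byte of ASCII text is NUL.
    if len(raw) >= 2 and raw[1:2] == b"\x00":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def unwrap_casts(statement: str, max_depth: int = 8) -> List[str]:
    """Return [outer statement, first decoded layer, second decoded layer, ...]."""
    layers = [statement]
    current = statement
    for _ in range(max_depth):       # bounded so a malformed input cannot loop forever
        match = CAST_HEX_RE.search(current)
        if not match:
            break
        current = decode_hex_literal(match.group(1))
        layers.append(current)
    return layers


def flag_keywords(text: str) -> List[str]:
    upper = text.upper()
    return [k for k in SUSPICIOUS if k in upper]


def analyze(statement: str) -> Tuple[int, List[str]]:
    """Return (number of decoded CAST layers, sorted suspicious keywords found in them)."""
    layers = unwrap_casts(statement)
    flags = sorted({k for layer in layers[1:] for k in flag_keywords(layer)})
    return len(layers) - 1, flags


def scan_request(url: str) -> Tuple[int, List[str]]:
    """Analyse one request URL as it would appear in an access log (query string is URL-encoded)."""
    return analyze(unquote(urlparse(url).query))


def hex_cast(statement: str, width: int) -> str:
    """Used only to build the constructed sample below: wrap text as CAST(0x... AS VARCHAR(width))."""
    return "CAST(0x" + statement.encode("ascii").hex().upper() + f" AS VARCHAR({width}))"


# Constructed sample: an inner statement that appends an iframe to a text column,
# wrapped twice in hex CASTs, then URL-encoded into a request for a fictional page.
INNER = "UPDATE example_table SET note = note + '<iframe src=\"hxxp://example.invalid/\"></iframe>'"
MIDDLE = hex_cast(INNER, 4000)
OUTER = hex_cast(MIDDLE, 8000)
SAMPLE_URL = "http://victim.example/page.asp?id=1;" + quote(OUTER)

if __name__ == "__main__":
    depth, flags = scan_request(SAMPLE_URL)
    print(f"decoded {depth} CAST layers, flagged keywords: {flags}")
    for i, layer in enumerate(unwrap_casts(unquote(urlparse(SAMPLE_URL).query))):
        print(f"layer {i}: {layer[:80]}")
```

Running the script on the constructed request reports two decoded layers and flags UPDATE and IFRAME; pointing scan_request at the query strings in a real access log turns the same logic into a quick triage filter for this family of requests.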
This is where things get strange and interesting all at once.
Using one of the Windows boxes in the lab, we repeated the test by SANS and came up with the same conclusion: the injections are serving empty files. This means that while the injection attack itself has hit thousands of sites successfully, there is no malicious payload to speak of being delivered to the end user.

Searching for domains with the IFRAME offers a grasp of the impact, but no real proof of the scale. Bing for example, shows almost 22,000 domains impacted by the automated attack, while Yahoo shows nearly 23,000. At the same time, Google counts 535,000.
The domain nemohuildiin.ru is hosted in China on one of the known bulletproof hosts, AS4134 (China Net). In the past, this domain has been linked to malicious emails pertaining to the Xerox WorkCentre Pro document scans, which we covered last month. According to Zeus Tracker, the domain is also an active Command and Control (C&C) server for the Zeus botnet.
Google offers a few more details [link]. They report that AS4134 has played host to 3,008 domains that were directly linked to infections discovered on 20,803 sites. In the last 90 days, Google notes a total of 12,129 sites actively serving “…content that resulted in malicious software being downloaded and installed without user consent.”
After scanning nemohuildiin.ru on August 15 [link], Google reports 12 Trojans and 5 exploits on the domain. Symantec says that nemohuildiin.ru is a known host for a type of malware designed to capture personal data (user names and passwords, banking details, etc.). This jibes with the information offered by Google.
There is no denying the popularity of Rogue anti-Virus within the criminal underground as a way to make quick and easy money. This notion is fueled by the secondary domain, vamptoes.ru, used in the attack. It shares the same DNS as icq-antivirus.ru and anti-virus2010.ru. Both are known Rogue anti-Virus applications.
It is possible that the SQL Injections are a ramp-up to a scaled attack on users, as the hijacked sites have a wide reach, encompassing both private and government domains. This is inconclusive however.
For now, the lesson to walk away with is that webmasters should check their Web Applications for data input vectors, and make sure that information submitted is fully sanitized. Home users should constantly check to ensure that their anti-Virus and other security software is updated.
Another tip, from Manuel Humberto Santander Peláez at SANS, who got us interested in this attack, is for developers to use stored procedures.
“Your web application should have predetermined SQL sentences for data access. If the user requests some specific information, the application invokes the specific stored procedure, so there is no possibility of crafting dynamic SQL requests.”
IT administrators can also block all traffic from 59.52.0.0/14.
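The advice above (predetermined SQL statements rather than dynamically built ones) is easiest to see with the two forms side by side. The following Python is an added example, not code from the article or from SANS, using the standard library's sqlite3 module so it runs offline; the pages table and its rows are constructed sample data. The first lookup concatenates user input into the statement, which is the pattern this attack relies on; the second binds the input as a parameter, so the database engine treats it purely as a value. Parameter binding is the generic equivalent of the stored-procedure approach quoted above: the statement text is fixed before any user data is seen.

```python
import sqlite3
from typing import List, Optional, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a small table standing in for a site's content."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "Welcome"), ("About", "Who we are"), ("Contact", "Email us")],
    )
    conn.commit()
    return conn


def find_pages_vulnerable(conn: sqlite3.Connection, title: str) -> Optional[List[Tuple[int, str]]]:
    """Dynamic SQL: the user's text becomes part of the statement itself.

    Returns None when the concatenated statement is not even valid SQL, which is
    what a title containing a single quote (O'Brien) does to this code.
    """
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "'"
    try:
        return conn.execute(sql).fetchall()
    except sqlite3.OperationalError:
        return None


def find_pages_safe(conn: sqlite3.Connection, title: str) -> List[Tuple[int, str]]:
    """Predetermined statement with a bound parameter: the input can only ever be a value."""
    return conn.execute("SELECT id, title FROM pages WHERE title = ?", (title,)).fetchall()


def compare(title: str) -> Tuple[Optional[int], int]:
    """Row counts returned by the vulnerable and the safe lookup for the same input."""
    conn = make_db()
    vulnerable = find_pages_vulnerable(conn, title)
    safe = find_pages_safe(conn, title)
    conn.close()
    return (None if vulnerable is None else len(vulnerable)), len(safe)


if __name__ == "__main__":
    for probe in ("Home", "' OR '1'='1", "O'Brien"):
        print(f"{probe!r:16} vulnerable={compare(probe)[0]} safe={compare(probe)[1]}")
```

For a legitimate title both lookups return one row. For an input that closes the quote and adds its own condition, the concatenated version returns every row in the table while the bound version returns none, because no page has that literal title. The third probe shows the quieter cost of dynamic SQL: an ordinary name with an apostrophe breaks the concatenated statement outright, whereas the bound version simply finds no match.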