Home of ABS Computer Technoloogy, Linux and Security Consultants Network Security solutions from our security experts Security solutions for Internet and Network technologies Some of our services for Linux, security, and hosting Contact us







Click here to register.



Bookmark and Share

 

Best of Pittsburgh Award for Systems Engineering Consulting

 

A Better Bureau Approved Company

We are proud to be a Better Business Bureau Accredited Business.

When you look to secure your business, start with an Accredited Business for your security needs.

 

Accept Credit Cards Online

 

SQL Injection Attacks claim another 132,000+

User: aewhale
Date: 12/11/2009 8:00 am
Views: 300
Rating: 0    Rate [
|
]

SQL injection attack claims 132,000+

Posted on 10 December 2009.

A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.


Infection sequence

Injected iframe - <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:

1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).

The aa1100.2288.org/htmlasp/dasp/alt.html frame:
  • Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
  • Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
  • If <noscript> it has an href tag that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif
The share.html detects browser type and writes/loads multiple iframes pointing to obfuscated script files located in the same directory (all are javascript regardless of extension). The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.

Observed exploits include:
  • Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
  • MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
  • Microsoft Office Web Components vulnerabilities described in MS09-043
  • Microsoft video ActiveX vulnerability described in MS09-032
  • Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.
Successful exploit leads to the silent delivery of hxxp://windowssp.7766.org/down/down.css. The file ‘down.css’ is actually a Win32 executable that is a variant of the Backdoor.Win32.Buzus family of trojans.

Malware description
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Drops the following files to the specified folder:
%UserProfile%\ammxv.drv
%ProgramFiles%\Common Files\Syesm.exe

Modifies the Registry to load when Windows is started:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\
DrvKiller\Security
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
DrvKiller
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\
DrvKiller\Security

The malware contains a rootkit component which can prevent the dropped files and registry changes from being readily viewable.

Backdoor.Win32.Buzus.croo then attempts to contact 121.14.136.5 via port 80 and sends a POST request to hxxp://dns.winsdown.com.cn/Countdown/count.asp.
PreviousBackNext
 

Contact Us - Home - Site Map
© 2005-2010 ABS Computer Technology, Inc. - All Rights Reserved
SpamZapper® is the registered trademark of ABS Computer Technology, Inc.

Site Design - Marc Dorsett Graphic Artist