The Latest in IT Security

Dissecting the Ongoing Mass SQL Injection Attack

21 Oct 2011



The ongoing mass SQL injection attack has already affected over a million web sites. Cybercriminals performing active search engine reconnaissance have managed to inject a malicious script into ASP and ASP.NET websites.


From client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we’ll dissect the campaign and establish a direct connection between the campaign and last March’s Lizamoon mass SQL injection attack.

SQL injected domains:
nbnjki.com/urchin.js – 146.185.248.3 – Email: [email protected]
jjghui.com/urchin.js – 146.185.248.3 – Email: [email protected]
bookzula.com/ur.php – 146.185.248.3 – Email: [email protected]
bookgusa.com/ur.php – 146.185.248.3 – Email: [email protected]

Also resolving to 146.185.248.3 are file-dl.com, bookfula.com and bookvila.com – Email: [email protected]

Detection rate for urchin.js:
urchin.js – Trojan.JS.Redirector – 17/42 (40.5%)
MD5   : 4387f9be5af4087d21c4b44b969a870f
SHA1  : 8a47842ccf6d642043ee8db99d0530336eef6b99
SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351

The redirections take place as follows:

  • bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= – Email: [email protected] -> firstrtscaner.rr.nu
  • nbnjkl.com/urchin.js -> power-wfchecker.in/?1dlia916= – Email: [email protected]

[email protected] has also been used to register the following scareware-serving domains:
uberble-safe.in
uberate-safe.in
best-jsentinel.in
topantivir-foru.in
personalscannerlg.in
rideusfor.in
hardbsy-network.in
enablesecureum.in
hardynauchecker.in
smartklhdefense.in
smartaasecurity.in
personal-scan-4u.in
unieve-safe.in
safe-solutionsoft.in
hugeble-cure.in
topsecuritykauu.in
personalcleansoft.in
powerscanercis.in
topksfsecurity.in
hard-antivirbjb.in
strong-guardbxz.in
smart-suiteguard.in
thebestkrearmy.in
smart-guardianro.in
freeopenscanerpo.in
best-networkqjo.in
smartantivir-scanner.in
most-popularsoftcontent.in
bester-msecuriity.in
doneahme.in
strong-checkerwrt.in
safepowerforu.in
safe-securityarmy.in
personal-bpsentinel.in
ostestsystemri.in
saveinternet-guard.in
just-perfectprotection.in
firstholdermvq.in
allcle-safe.in
brawaidme.in
uniind-safe.in
moreaz-fine.in
trueeox-safe.in
safexanet.in
personal-internet-foryou.in

For the time being, the campaign is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.

Detection rate for the bogus Adobe Flash player:
scandisk.exe – Backdoor:Win32/Simda.A – 8/43 (18.6%)
MD5   : fb4c93935346d2d8605598535528506e
SHA1  : 0ff7ccd785c0582e33c22f9b21156929ba7abaeb
SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632

Upon execution the sample phones back to:
209.212.147.141/chrome/report.html
98.142.243.64/chrome/report.html
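The indicators above (the injected script hosts, the two payload hashes and the report.html callback) are only useful once they are turned into checks. The following Python script is an added example, not code from the original brief or from Dancho Danchev, that does that in three places a defender would look: it scans page or database content for script tags pulling from the listed domains, it hashes a file and compares it against the listed MD5/SHA256 values, and it flags proxy log lines where an internal client reaches the report.html beacon on either C2 address. The sample HTML and the proxy log lines are constructed, and the log format (timestamp, client IP, method, URL, status) is an assumption; adapt the regex to your own proxy's format.

```python
import hashlib
import re
from urllib.parse import urlsplit

# Indicators copied from the brief above.
INJECTED_SCRIPT_HOSTS = {
    "nbnjki.com", "jjghui.com", "bookzula.com", "bookgusa.com",
    "file-dl.com", "bookfula.com", "bookvila.com",
}
PAYLOAD_HASHES = {  # urchin.js and scandisk.exe, as listed in the brief
    "md5": {
        "4387f9be5af4087d21c4b44b969a870f",
        "fb4c93935346d2d8605598535528506e",
    },
    "sha256": {
        "975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351",
        "b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632",
    },
}
C2_HOSTS = {"209.212.147.141", "98.142.243.64"}
C2_PATH = "/chrome/report.html"

# Matches the host part of a <script src=...> tag; the injected tag is usually
# written without quotes, so the quotes around the URL are optional here.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\ssrc\s*=\s*["\']?(?:https?:)?//([^/"\'>\s]+)', re.I
)

# Assumed proxy log format (constructed): "<timestamp> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>\S+)\s+(?P<url>\S+)")


def find_injected_scripts(html):
    """Return the listed attacker hosts referenced by script tags in a page body or DB field."""
    hosts = {h.lower() for h in SCRIPT_SRC_RE.findall(html)}
    return sorted(hosts & INJECTED_SCRIPT_HOSTS)


def match_payload_hash(data, hashes=PAYLOAD_HASHES):
    """Hash raw file bytes and return the (algorithm, digest) pairs that match the indicator list."""
    digests = (("md5", hashlib.md5(data).hexdigest()),
               ("sha256", hashlib.sha256(data).hexdigest()))
    return [(alg, d) for alg, d in digests if d in hashes[alg]]


def find_c2_callbacks(log_lines):
    """Return (timestamp, client, url) for requests to report.html on a listed C2 address."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("url"))
        # Only the exact beacon path on a known address counts; other paths on the
        # same address are worth a look but are not this indicator.
        if url.hostname in C2_HOSTS and url.path == C2_PATH:
            hits.append((m.group("ts"), m.group("src"), m.group("url")))
    return hits


# Constructed sample data: one injected tag next to a legitimate script, and a
# short proxy log with one beacon to a listed C2 address.
SAMPLE_HTML = (
    "<p>Welcome</p><script src=http://nbnjki.com/urchin.js></script>"
    '<script src="https://cdn.example.com/app.js"></script>'
)
SAMPLE_LOG = [
    "2011-10-21T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200",
    "2011-10-21T10:01:09Z 10.0.0.5 GET http://209.212.147.141/chrome/report.html 200",
    "2011-10-21T10:02:11Z 10.0.0.7 GET http://98.142.243.64/chrome/other.html 404",
]

if __name__ == "__main__":
    print("injected script hosts:", find_injected_scripts(SAMPLE_HTML))
    print("payload hash hits:", match_payload_hash(b"constructed, not the real sample"))
    print("C2 callbacks:", find_c2_callbacks(SAMPLE_LOG))
```

The script-tag scan is the one to run against the database, not just the rendered pages: in a mass SQL injection the tag lives in text columns and is served out by every page that displays them, so cleaning the HTML output alone leaves the injection in place.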

The Lizamoon mass SQL injection connection

The same email address used to register the SQL injected domains, [email protected], has also been used to register the Lizamoon mass SQL injection attack domains, extensively profiled here: “Dissecting the Massive SQL Injection Attack Serving Scareware”.

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.
