FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514

Updates now noted at bottom of page:
"Page last modified on May 21, 2008, at 07:49 AM"

FYI...

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 01, 2008, at 09:04 PM
Warning: We strongly suggest that readers NOT visit websites mentioned as being behind the attacks discussed. They should be considered dangerous and capable of infecting your system.
Below is a list of domains used in the mass SQL injections that insert malicious javascript into websites. We've also included an approximate number of pages infected (according to Google)...
Some of these have been re-injected by URL encoding the script names. So if a host/domain shows up in parentheses and also in the list unencoded, these were two separate injection runs..."

("Full list..." at the URL above.)

FYI...

New sql injection site with fastflux hosting
- http://isc.sans.org/diary.html?storyid=4519
Last Updated: 2008-06-02 22:13:22 UTC - "One of our frequent contributors notified us of a new sql injection site.
hxxp ://en-us18 .com /b.js is being injected via sql into websites.
When I googled for it I saw 560 injected webpages. “b.js injects an iFrame which points to
hxxp ://en-us18 .com/cgi-bin/index.cgi?ad which in turn embeds two Flash files:

advert.swf: http://www.virustotal.com/analisis/d6ffe290e9938d3e646f82c536abd0c7
banner.swf: http://www.virustotal.com/analisis/83be3d4d30eb60d92272625634a3babc

This appears to be fast fluxed or at least setup to change rapidly based on this dig output... A second dig a few minutes later produced similar but slightly different results. So this domain is changing. I guess they got tired of people blackholing their ip address. So in that case I would recommend you dns blackhole that domain."

And the list just keeps on growing...

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 05, 2008, at 07:10 AM

Ongoing growth... ugh.

Full list of Injected Sites
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 11, 2008, at 11:16 AM

FYI...

SQL Injection: More of the same
- http://isc.sans.org/diary.html?storyid=4565
Last Updated: 2008-06-13 16:13:57 UTC - "...How to defend against this?
The "simple" answer is of course to just not have any SQL injection faults. But that's easier said then done, in particular for an existing legacy application. A couple other things you can do:
* limit the database user the web application uses. Maybe it doesn't have to update anything, or only few tables
* Monitor your web application for SQL errors. These statements may create some errors if your web application doesn't have sufficient privileges
* keep a close eye on your data and your application. Look for new javascript in titles and other spots that shouldn't have any..."

(More detail at the ISC URL above.)

FYI...

- http://preview.tinyurl.com/64qke6
June 17, 2008 (trustedsource.org/blog) - "MTV France has become another victim of the “Latest Wave of SQL Injection Attacks“. The web site and the RSS feed are heavily infected with several malicious scripts as seen in the screenshot... Each of the malicious domains are serving a script called ‘b.js’ which is related to the “Danmec” malware family (a.k.a. “Asprox”). These domains are hosted on a “fast-flux” network of compromised computers which could also relay spam messages... The biggest concern with the infected RSS feed is that every RSS reader or web site, including the content from MTV France, will host the malicious scripts on their web sites. In a quick test with a WordPress 2.1.3 installation, the full content (including the script) was included in the blog and not filtered out. This is one example of the threat posed by Web 2.0 content mash-ups, where someone is including generated content via feeds into his web site and thereby just spreading the malicious code further."

(Screenshots available at the URL above.)

FYI...

Microsoft SQL Injection Prevention Strategy
- /p1100680-MS_Security_Advisories.html#1100680
2008-06-24

FYI...

- http://www.theregister.co.uk/2008/06/26/microsoft_hp_sql_injection_tools/
26 June 2008 - "...ScanSafe, a company that monitors websites for malicious behavior, reports* a new wave of SQL-injection attacks that harnesses infected PCs to search out and attack vulnerable websites. Sites that are compromised, in turn, install backdoors on visitors' machines, creating a worm-like characteristic. The so-called Asprox attacks are distinct from a recent swarm of SQL attacks that over the past few months... The entry of Asprox suggests other malware gangs may be adopting the technique after seeing the success of their competitors..."
* http://preview.tinyurl.com/5cyo99
June 26, 2008 (ScanSafe STAT blog) - "The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday... The Asprox botnet causes infected computers (bots) to become the attack mechanism. Some of the bots are instructed to upload the SQL injection attack tool, which then queries search engines to find susceptible sites and attempts to exploit any found. Successful exploit results in compromised websites that silently attempt to infect visitors' computers. Other bots are used as hosts for the malware; these hosts appear to be using the Neosploit framework. Asprox uses fast flux, thus a single malware domain called by the compromised site may resolve to one of a number of IP addresses (i.e. one domain name may resolve to any one of a number of attacker-controlled victim computers commandeered to act as malware hosts)... a large number of the trafficked compromised sites appear to be from the manufacturing sector, particularly among companies involved in the manufacture or distribution of heating and cooling systems... the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans - infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in the Ukraine and Malaysia, rather than China..."

FYI...

More SQL Injection with Fast Flux hosting
- http://isc.sans.org/diary.html?storyid=4645
Last Updated: 2008-07-01 04:46:52 UTC ...(Version: 5) - "...More fast flux domains redirecting to other domains which then redirect to the malware site. What's interesting about this one is it doesn't look like they are using exploits to install the malware, they are redirecting to a fake AV site which fools users into installing the malware. Some of the domains hosting the injected js are as follows:
hxxp :// updatead .com
hxxp :// upgradead .com
hxxp :// clsiduser.com
hxxp :// dbdomaine.com
b.js then redirects to several domains which host a cgi script
hxxp :// kadport .com /cgi-bin/indes.cgi?ad
hxxp :// hdadwcd .com /cgi-bin/index.cgi?ad
Which then redirects to ad.js which redirects the user to
hxxp :// spyware-quick-scan .com?wmid=1041&I=14&it=1&s=4t
This site attempts to trick the user into installing installer.exe
AV coverage is decent:
http://www.virustotal.com/analisis/92b4fc4e4d3551ef4945cbff173e67d8
...This post has a nice running list of domains: http://infosec20.blogspot.com/2008/06/asprox-sql-injection-botnet-and-iframe.html
The cause seems to be the ASPROX bot kit, which got some SQL injection capabilities in mid-May, see http://www.heise-online.co.uk/security/Asprox-botnet-now-equipped-with-SQL-injection-tool--/news/110742 .
Dr. Ulrich's post http://isc.sans.org/diary.html?storyid=4565 lays out very nicely how it all happens... The folks at ShadowServer are keeping a comprehensive and updated list at:
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514
Page last modified on June 30, 2008, at 02:05 PM ..."

FYI...

Detecting scripts in ASF files
- http://isc.sans.org/diary.html?storyid=4664
Last Updated: 2008-07-03 08:11:02 UTC - "Back in April, I wrote a diary about an interesting ASF files that had a script stream included ( http://isc.sans.org/diary.html?storyid=4355 ).The script stream caused Windows Media Player to use Internet Explorer to retrieve content from a URL embedded in the script. As you can probably already guess, the URL lead to a web site serving some malware. Some other AV vendors picked this as well. I asked if some of our readers know of a utility that would allow us to extract script streams from ASF files. Initially I found that there is a utility from Microsoft, Windows Media File Editor, that allows one to list script commands. One of our readers, James Dean, did a great job and wrote a small utility that allows you to list embedded script commands from command line, without using any GUI tools. This is great for batch analysis of multiple ASF files. You just need to create a directory, put all ASF files into it and run the tool with the directory name as a parameter.
...I compiled it for Windows. You can download the ZIP archive here*. MD5 of the ZIP archive is c9e5bba11051cfbc98dfa451442a71e8. With some modifications this can work on Linux as well – if you have time to modify the code let us know and we'll post the code for Linux as well since a lot of researchers use it..."
* http://handlers.sans.org/bzdrnja/findasfcommands.zip

FYI...

Sony PlayStation website hacked
- http://www.theregister.co.uk/2008/07/03/playstation_hack/
3 July 2008 - "Gamers visiting the US Sony PlayStation website risk malware infection after the site was hit by hackers. SQL injection vulnerabilities on the site were used by miscreants to load malicious code on pages showcasing the PlayStation games SingStar Pop and God of War, net security firm Sophos reports*. The code promotes scareware to visitors, which falsely claims that their computers are infected with computer viruses to frighten them into purchasing software of little or no security utility... Sophos informed Sony of the website vulnerabilities, which were purged by Thursday morning. The attack is the latest in a wave of SQL injection attacks that have turned the websites of legitimate organisations into conduits for drive-by download assaults. Recent victims have included the website of tennis regulators ITF and ATP, the professional players tour and Wal-Mart. Large-scale SQL Injection attacks starting around October 2007 have hit a large number of small sites as well as high-profile targets..."
* http://www.sophos.com/security/blog/2008/07/1540.html

Update... 7.4.2008

- http://atlas.arbor.net/summary/fastflux
"...Currently monitoring -6508- fastflux domains..."

FYI...

- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705
5 July 2008 - "...People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...
Understanding the Danmec/Asprox Attacks...
Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in databases in ways it was never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.
The initial code has been an HTML "script" command, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download.
Innocent user wasn't targeted directly by the attacker's SQL injection. Instead, innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com. Evilsite.net then looks at the information presented by innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect command telling innocent user's browser to contact evilsite2.net (all without any interaction from innocent user). Finally, evilsite2.net provides a working exploit which compromises innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nasiness an attacker can drum up. Since this exploit is reliant on innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks."

(Graphic available at the Shadowserver URL above.)

FYI..

Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.com/MCRCblog.aspx?EntryId=2002
Jul 16, 2008 - "... The attack toolkit is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file which was unique to each and every one of them.
The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."

(Screenshots available at the URL above.)

Also see:
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705