CyberInsecure.com

Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 7th, 2008

Another SQL Injection Worm Making Rounds With 4000 Websites Infected

Another SQL injection worm is on the loose, with about 4,000 websites infected since mid-April or a bit earlier. Right now it is unclear how the attackers access the databases, but what they are doing is inserting scripts and IFRAMEs to take over and redirect visitors to PC-infecting websites. User machines are infected through RealPlayer vulnerabilities; those vulnerabilities are patched and are detected by antivirus products.

The script source injected into webpages is winzipices.cn/1.js (or 2.js, 3.js, 4.js, 5.js). This, in turn, points to a corresponding .asp page at the same address, which in turn points back to the exploits from cnzz.com or 51.la. The cnzz.com (s141.cnzz.com) domain looks like it could be set up for single flux, but right now it is always the same pool of IP addresses. www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.

According to researchers from ShadowServer, visiting a website injected with winzipices.cn 1.js, 2.js, 3.js, 4.js, or 5.js results in the following set of requests:

a direct link to the malicious binary at hxxp://61.188.38.158/images/test.exe
the older RealPlayer exploit in ierpplug.dll
the recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93
the recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93 (only for IE7 users)

It would appear that a successful exploit attempt results in a file called “test.exe” being downloaded from 61.188.38.158. This happens to be the same file name used in the recent attacks involving “nihaorr1.com”; however, the binaries are very different.

The malware installed is a password stealer that grabs credentials from systems running Internet Explorer. The binary downloaded by this attack appears to be part of a kit from a Chinese malware family. The first thing this malware does once installed is download a configuration file, which contains several commands and tells the system what to do next.

The malware is downloaded from http://61.188.38.158/images/test.exe and then once installed makes the following requests back to winzipices.cn:

hxxp://winzipices.cn/config.txt – GET request for the configuration file
hxxp://winzipices.cn/1.exe – GET requests for a binary to download and execute
hxxp://winzipices.cn/tong/post.asp?anyehorse=COMPUTER_NAME – GET request to report in the system name

The file 1.exe that is then installed from this trojan makes continuous outbound requests to 61.134.37.15 on port 1800.

Malware Binaries:

File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe) File Size: 28301 bytes

File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe) File Size: 38400 bytes

Blocking access to the malicious domains and sites is recommended. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. The malicious sites/IP addresses involved in this attack:

winzipices.cn [60.191.239.229]
61.188.38.158
61.134.37.15

Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It’s also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names.
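Beyond blocking, a defender will want to find which pages carry the injected loader tag and which internal hosts have already talked to the listed infrastructure. The following script is an added example (not code from CyberInsecure or ShadowServer): it scans page or database text for the winzipices.cn 1.js to 5.js reference and walks an assumed proxy-log layout ("timestamp client host:port url", a constructed format) to map each contact to the stage of the chain described above. The sample page and log lines are constructed, not real traffic; the hosts, ports and paths are the indicators from the article.

```python
import re

# Indicators listed in the article; every log line and page below is constructed sample data.
MALICIOUS_HOSTS = {
    "winzipices.cn",    # hosts 1.js..5.js, config.txt, 1.exe and the post.asp check-in
    "60.191.239.229",   # IP behind winzipices.cn at the time of the article
    "61.188.38.158",    # serves images/test.exe
    "61.134.37.15",     # 1.exe beacons here on TCP port 1800
}

# Injected loader tag: <script src="http://winzipices.cn/N.js"> with N from 1 to 5
INJECTED_SCRIPT = re.compile(
    r"<script[^>]*src\s*=\s*['\"]?\s*(?:https?:)?//winzipices\.cn/[1-5]\.js",
    re.IGNORECASE,
)

# Assumed proxy log layout (constructed): "<timestamp> <client_ip> <dest_host>:<port> <url>"
LOG_LINE = re.compile(
    r"^\S+\s+(?P<client>\S+)\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<url>\S*)"
)


def find_injected_scripts(content):
    """Return every injected winzipices.cn loader reference in a page or database text field."""
    return [m.group(0) for m in INJECTED_SCRIPT.finditer(content)]


def stage(host, port, url):
    """Map a contacted indicator to the step of the infection chain described in the article."""
    if host in ("winzipices.cn", "60.191.239.229"):
        if url.endswith(".js"):
            return "injected loader script"
        if url.endswith(("config.txt", "1.exe")) or "/tong/post.asp" in url:
            return "trojan check-in"
        return "winzipices.cn contact"
    if host == "61.188.38.158":
        return "test.exe download"
    if host == "61.134.37.15" and port == 1800:
        return "1.exe beacon on port 1800"
    return "indicator contact"


def scan_proxy_log(lines):
    """Return (line_no, client, host, port, stage) for each log line that touches an indicator."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = LOG_LINE.match(line)
        if not m:
            continue
        host, port = m.group("host"), int(m.group("port"))
        if host in MALICIOUS_HOSTS:
            hits.append((n, m.group("client"), host, port, stage(host, port, m.group("url"))))
    return hits


def exposed_clients(hits):
    """Every client that touched an indicator at all (loader fetch included)."""
    return sorted({client for _, client, _, _, _ in hits})


def likely_infected_clients(hits):
    """Clients that went past the loader: the exploit is patched, so a .js fetch alone is only exposure,
    while a test.exe download, config fetch or port-1800 beacon means the payload ran."""
    return sorted({client for _, client, _, _, st in hits if st != "injected loader script"})


# Constructed sample data.
SAMPLE_PAGE = (
    "<html><body><h1>Catalogue</h1>"
    '<script src="http://winzipices.cn/3.js"></script>'  # constructed injected tag
    "<p>Clean content</p></body></html>"
)

SAMPLE_LOG = [
    "2008-05-07T10:00:01 10.0.0.12 www.example.com:80 http://www.example.com/catalogue.asp",
    "2008-05-07T10:00:02 10.0.0.12 winzipices.cn:80 http://winzipices.cn/3.js",
    "2008-05-07T10:00:03 10.0.0.12 61.188.38.158:80 http://61.188.38.158/images/test.exe",
    "2008-05-07T10:00:04 10.0.0.12 winzipices.cn:80 http://winzipices.cn/config.txt",
    "2008-05-07T10:05:00 10.0.0.12 61.134.37.15:1800 -",
    "2008-05-07T10:06:00 10.0.0.44 winzipices.cn:80 http://winzipices.cn/1.js",
    "2008-05-07T10:06:01 10.0.0.44 www.example.org:443 https://www.example.org/",
]

if __name__ == "__main__":
    print("injected tags:", find_injected_scripts(SAMPLE_PAGE))
    hits = scan_proxy_log(SAMPLE_LOG)
    for hit in hits:
        print("line %d client %s -> %s:%d (%s)" % hit)
    print("exposed:", exposed_clients(hits))
    print("likely infected:", likely_infected_clients(hits))
```

The split between exposed and likely infected follows the article's own observation that the RealPlayer bugs are patched: a loader fetch tells you a user visited a compromised page, while a test.exe download or a port-1800 beacon is the signal to pull the machine for cleanup and credential resets.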

Some attacks are also connected to the SQL worm from bbs.jueduizuan.com.

Users are advised not to visit the links and URLs mentioned above to avoid possible infection.




    One Response to “Another SQL Injection Worm Making Rounds With 4000 Websites Infected”

    1. The method of attack is a POST to an SQL database. There are few if any scanners that detect the POST vulnerability if the code is GET protected. A manual review of any code having access to a database would be in order. Search all files for the following string “request.querystring”. This string limits the SQL injection filtering to GETS and does not filter POSTS. To fix the problem, remove “.querystring”. There may be other attack vectors but I have seen this one successful on sites scanned and found to be safe by several security scanners.
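The commenter's point is that a filter applied only to the query string never sees a value sent in a POST body. The script below is an added example, not the commenter's code and not from a real site; it restates the classic-ASP situation in Python with a constructed GET and POST request, a hypothetical blacklist filter applied first to the query string only and then to every parameter source, and a constructed in-memory product table queried both by string concatenation and with a bound parameter. The request format, table and filter list are all assumptions for the demonstration.

```python
import sqlite3
from urllib.parse import parse_qs, urlsplit

# Hypothetical blacklist a hand-written filter might check; shown only to mark where the
# filter is applied, not as a recommended defence (the bound parameter below is the fix).
SUSPECT = ("'", "--", ";")


def parse_request(raw):
    """Split a constructed HTTP/1.x request text into (method, query params, form params)."""
    head, _, body = raw.partition("\r\n\r\n")
    method, target, _ = head.split("\r\n")[0].split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    form = parse_qs(body) if method == "POST" else {}
    return method, query, form


def _clean(param_dicts):
    """True when no value in any of the given parameter dictionaries contains a SUSPECT token."""
    return not any(t in v for d in param_dicts for vals in d.values() for v in vals for t in SUSPECT)


def querystring_only_check(query, form):
    """The pattern the commenter describes: only the query string (GET data) is inspected."""
    return _clean([query])


def all_sources_check(query, form):
    """The same filter applied to every parameter source, the POST body included."""
    return _clean([query, form])


def make_db():
    """In-memory stand-in for a site's product table (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?)", [(1, "widget"), (2, "gadget")])
    return conn


def lookup_unsafe(conn, name):
    """String concatenation: whatever reaches this function becomes part of the SQL text."""
    return conn.execute("SELECT name FROM products WHERE name = '" + name + "'").fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the value is data and can never change the statement's structure."""
    return conn.execute("SELECT name FROM products WHERE name = ?", (name,)).fetchall()


# Constructed requests carrying the same value, once in the query string and once in a POST body.
GET_REQUEST = (
    "GET /product.asp?name=widget%27+OR+%271%27%3D%271 HTTP/1.1\r\n"
    "Host: www.example.com\r\n\r\n"
)
POST_REQUEST = (
    "POST /product.asp HTTP/1.1\r\nHost: www.example.com\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "name=widget%27+OR+%271%27%3D%271"
)

if __name__ == "__main__":
    conn = make_db()
    for label, raw in (("GET", GET_REQUEST), ("POST", POST_REQUEST)):
        method, query, form = parse_request(raw)
        value = (query.get("name") or form.get("name"))[0]
        print(label, "querystring-only filter accepts:", querystring_only_check(query, form))
        print(label, "all-sources filter accepts:     ", all_sources_check(query, form))
        print(label, "concatenated query returns:", lookup_unsafe(conn, value))
        print(label, "bound-parameter query returns:", lookup_safe(conn, value))
```

Running it shows the gap the commenter describes: the GET request is rejected by both filters, the POST request sails through the query-string-only filter, and the concatenated query then returns every row. The bound-parameter lookup returns nothing for the same value regardless of which filter ran, which is why moving the check to cover Request.Form is a patch but parameterized statements are the durable fix.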

