Massive SQL Injection Redux!
Published on: 1211935021
A new wave of massive SQL injection is spreading as we speak. Symantec raised the threat level to yellow[1] based upon the news. I went on to analyze the current threat and noticed that it is a variant of the previous one, but this time a new Flash vulnerability[2] is being exploited in the latest Flash player, as well as old Real player flaws that are still alive. The current Google search gave me around 58,000 infected websites that had JavaScript in the title as well as in other HTML objects and locations. This indicates the same approach as before, undoubtedly done by the same group of attackers.
The new propagating hosts are two servers in China namely:
http://www.dota11.cn
http://www.woai117.cn
I queried Google for the websites and analyzed the results. I took a random batch of samples to test them for programming mistakes. It showed me that nearly every website was vulnerable to parameter SQL injection, targeting solely Microsoft ASP-based web applications. As you can see below, a simple parameter injection on the samples proves the theory that the attackers are not targeting specific software, but rather take a random approach and most likely utilize the search engines to locate vulnerable ASP web applications.
Six randomly chosen samples from Google. Notice the single quotes I put there to illustrate the problem:
http://www.hyundaiXXXum.nl/page_dealer.asp?dealerId=14801'&sPageID=100,050,000
http://guestbook.netXXXcs.nl/guestbook.asp?Name=BostonTeaParty&Page=2'
http://www.neXXXline.be/reizen/hotels_stad.asp?stadcode=1911'
http://www.dieXXXl.be/blog/template_permalink.asp?id=133'
http://www.bocXXXudt.nl/page_dealer.asp?sPageID=100,010,100&id=33&model=TERRACAN&dealerId=10798'
http://www.nXXXen.org/webb/nordnamn/ViewPersons.asp?pid=1854'&lang=6&m_id=6&m_typ=Lowermenu
All these sites gave SQL errors when pentesting them with a single quote, indicating a vulnerable web application that the attackers successfully injected with malware.
Update: I wrote a PDF file, because AV software seems to choke on the examples I provided previously. The analysis with code samples can be downloaded here:
http://www.0x000000.com/mirror/MassiveSQLInjectionAnalysis.pdf (15 p. approx. 136KB)
My conclusion is that the person(s) who wrote this malware and their idea of propagating it through SQL injection are not very cautious. They do obfuscate a lot of code, but their problem of getting noticed so quickly comes from the identical signatures they leave behind. In my opinion, they should drop the title injection, because that can be queried for very reliably. That leads to the idea that this is a fairly new way of propagating malware through many websites and that it is not perfect yet. So either this is a learning curve for the attackers, or they are pragmatic in their approach and want to spread malware quickly for various reasons without caring about being spotted. In either case, for the security industry it is a stroke of luck, because it could be made much more stealthy than what we see here.
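To make the two observations above concrete (the single-quote test that throws an SQL error on the vulnerable ASP pages, and the identical title-injection signature that can be queried for reliably), here is an added example, not code from the original post or from the analyzed sites. It uses Python with an in-memory SQLite table as a constructed stand-in for an ASP site's database; the table, rows and script path are assumptions for illustration.

```python
import sqlite3

# Hosts named in the post as the servers the injected <script> tags pointed to.
INJECTION_HOSTS = ("www.dota11.cn", "www.woai117.cn")

def make_db():
    """Constructed in-memory stand-in for an ASP site's dealer table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE dealers (dealerId INTEGER, name TEXT, title TEXT)")
    con.executemany("INSERT INTO dealers VALUES (?, ?, ?)", [
        (14801, "Dealer A", "Dealer A - home"),
        # constructed row imitating the injected-title signature the post describes
        (10798, "Dealer B",
         'Dealer B - home</title><script src="http://www.dota11.cn/1.js"></script>'),
    ])
    return con

def lookup_vulnerable(con, dealer_id):
    """String concatenation, as in the vulnerable ASP pages: a quote in the
    parameter becomes part of the SQL and surfaces as a database error."""
    sql = "SELECT name FROM dealers WHERE dealerId = '" + dealer_id + "'"
    try:
        return con.execute(sql).fetchone()
    except sqlite3.OperationalError as err:
        return ("SQL error", str(err))

def lookup_parameterized(con, dealer_id):
    """Bound parameter: the quote is plain data, no error, simply no match."""
    return con.execute("SELECT name FROM dealers WHERE dealerId = ?",
                       (dealer_id,)).fetchone()

def find_injected_rows(con, table, columns):
    """Scan text columns for a <script src=...> pointing at the known hosts.
    table/columns come from the scanner's own config, never from request
    input, which is the only reason they may be interpolated here."""
    hits = []
    for col in columns:
        rows = con.execute(
            f"SELECT rowid, {col} FROM {table} WHERE {col} LIKE ?",
            ("%<script%",)).fetchall()
        hits += [(rowid, col) for rowid, value in rows
                 if any(host in value for host in INJECTION_HOSTS)]
    return hits

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, "14801'"))     # ('SQL error', ...)
    print(lookup_parameterized(db, "14801'"))  # None
    print(find_injected_rows(db, "dealers", ["name", "title"]))  # [(2, 'title')]
```

The same LIKE scan over every text column of a site's database is the quickest way to find rows the campaign already wrote to, since the injected tag always carries one of the two hosts.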
Well, I guess the game is on. I think web application hacking is here to stay for a long time and has certainly replaced many other forms of attacking surfers because of the enormous scalability web applications hold. The last massive SQL injection victimized over half a million websites! And this beast just got its wings.
By the way, anyone interested in developing/sponsoring Synapse now? :)
[1] http://www.symantec.com/security_response/threatconlearn.jsp
[2] http://www.securityfocus.com/bid/29386