Back in January there were multiple reports about a large number of web sites being compromised and serving malware. Fellow handler Mary wrote the initial diary at http://isc.sans.org/diary.html?storyid=3834.
Later we did several diaries where we analyzed the attacks, such as the one I wrote at http://isc.sans.org/diary.html?storyid=3823. Most of the reports about these attacks we received pointed to exploitation of SQL Injection vulnerabilities.
While even before we had a general idea about what they do during these attacks, and we knew that they were automated, we did not know exactly how the attacks worked, or what tools the attackers used. The strategy was relatively simple: they used search engines in order to find potentially vulnerable applications and then tried to exploit them. The exploit just consisted of an SQL statement that tried to inject a script tag into every HTML page on the web site.
The utility we recovered does the same thing. The interface appears to be is in Chinese so it is a bit difficult to navigate around the utility, but we did some initial analysis of the code (which is very big) to confirm what it does. You can see the interface below:
So what the tool does is this:
The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose.
So, to finish this diary – a call to all web site owners – check your applications and make sure that they are not vulnerable. We covered this many times in various diaries, so here are few links to online resources that can help with this:
Apr 16th 2008
9 years ago