Obfuscating Fast-fluxed SQL Injected Domains

Thursday, July 17, 2008

Obfuscating Fast-fluxed SQL Injected Domains

It's all a matter of how you put it, and putting it like represents a good example of tactical warfare, namely, combining different tactics for the sake of making it harder to keep track of the impact of a particular SQL injection campaign. Consider the following examples of obfuscated domains, naturally being in a fast-flux in the time of the SQL injection that several Chinese script kiddies were taking advantage of :

%6b%6b%36%2e%75%73 - kk6.us

%73%61%79%38%2E%75%73 - s.see9.us

%66%75%63%6B%75%75%2E%75%73 - fuckuu.us

%61%2E%6B%61%34%37%2E%75%73 - a.ka47.us

%61%31%38%38%2E%77%73 - a188.ws

%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D - 3.trojan8.com

%6D%31%31%2E%33%33%32%32%2E%6F%72%67 - m11.3322.org

As always, these obfuscations are just the tip of the iceberg considering the countless number of other URL obfuscations techniques that spammers and phishers used to take advantage of on a large scale. For the time being, one of the main reasons we're not seeing massive SQL injections using such obfuscations is mostly because the feature hasn't been implemented in popular SQL injectors for copycat script kiddies to take advantage of. However, with the potential for evasion of common detection approaches, it's only a matter of personal will for someone to add this extra layer to ensure the survivability of the campaign.

The folks behind these obfuscations are naturally multitasking on several different underground fronts. Take for instance 3.trojan8.com (58.18.33.248) also responding to w2.xnibi.com which is also injected at several domains, w2.xnibi.com/index.gif to be precise. The fake .gif file in the spirit of fake directory listings for acquiring traffic in order to serve malware, is actually attempting to exploit a RealPlayer vulnerability - JS/RealPlr.LB!exploit. The deeper you go, the uglier it gets.

Related posts:

Yet Another Massive SQL Injection Spotted in the Wild

Malware Domains Used in the SQL Injection Attacks

SQL Injection Through Search Engines Reconnaissance

Google Hacking for Vulnerabilities

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Sony PlayStation's site SQL injected, redirecting to rogue security software

Redmond Magazine Successfully SQL Injected by Chinese Hacktivists

Dancho Danchev

Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com

Dancho Danchev's Blog - Mind Streams of Information Security Knowledge

Thursday, July 17, 2008

Obfuscating Fast-fluxed SQL Injected Domains

No comments:

Post a Comment