Monday, July 28, 2008

Smells Like a Copycat SQL Injection In the Wild

In between the massive SQL injections, which as a matter of fact remain ongoing, copycats taking advantage of the very same SQL injection tools, using public search engines' indexes as reconnaissance tools, are also starting to take advantage of localized and targeted attacks, attacking specific online communities. Among these is mx.content-type.cn /day.js, using day.js to attempt multiple exploitation via publicly obtainable exploits such as Adodb.Stream, MPS.StormPlayer, DPClient.Vod, IERPCtl.IERPCtl.1 and GLIEDown.IEDown.1, and targeting primarily Chinese web communities.



Compared to the somewhat more sophisticated attack tactics applied by Chinese hackers, who take advantage of localized versions of the de facto web malware exploitation kits, those who don't have access to such kits continue using cybercrime 1.0 DIY exploit embedding tools at large. The rest of the SQL injected domains, as well as the exploits themselves, are parked on the same place - 222.216.28.25, also responding to:

The SQL injected domains:
The internal structure:

Parked domains responding to the command and control locations, 60.191.223.76 and 222.216.28.100:

Centralizing their scammy ecosystem always makes it easier to monitor, keep track of, and of course, expose.


