December, 2008 was marked by yet another widespread Koobface campaign, next to a massive SQL injection attack targeting Asian countries and serving the ex-Internet Explorer XML parsing zero day. Monitoring the attack closely and issuing abuse notices, it's worth pointing out that only two domains were SQL to target international sites, with the rest injected at Asian sites only.
This tactic once again demonstrates the dynamics of the international underground communities whose understanding of valuable stolen goods greatly differ based on the local market's demand for a particular item. For instance, stolen accounting data for a MMORPG is more than access to a stolen banking account on the Chinese underground marketplace, and exactly the opposite on the Russian underground marketplace. Interestingly, if the IE zero day was first discovered and abused in a targeted nature by Russian parties the very last thing they'd be serving is a password stealer for a MMORPG given the far more valuable from their perspective crimeware. Here are all of the SQL injected domains participating in the attack, with two Chinese groups responsible for them :
SQL injected domains currently active:
- c.nuclear3 .com/css/c.js (121.10.108.161; 121.10.107.233;70.38.99.97) also SQL injected as c.%6Euclear3 .com/css/c.js in a cheap attempt to avoid detection
- zs.gcp.edu .cn/z.js redirects to alimcma .3322.org/a0076159/a07.htm (121.12.173.218) and then to tongjitj.3322 .org/tj/a07.htm
- w.94saomm .com/js.js (58.53.128.177) redirects to clc2007.nenu.edu .cn/tt/swf.htm (218.62.16.47)
- idea21.org/h.js (66.249.130.142) redirects to idea21 .org/index1.htm
- yrwap .cn/h.js (59.63.157.71) redirects to kodim .net/CONTENT/faq.htm
Currently down, for historical preservation purposes and case building as these were exclusively serving the ex-IE zero day in December, 2008:
17gamo .com/1.js
s4d. in/h.js
dbios .org/h.js
armsart .com/h.js
acglgoa .com/h.js
9i5t .cn/a.js
qq117cc .cn/k.js
s800qn .cn/csrss/w.js
twwen .com/1.js
s.shunxing .com.cn/s.js
ko118 .cn/a.js
s.shunxing .com.cn/s.js
17aq .com/17aq/a.js
s.kaisimi .net/s.js
sshanghai .com/s.js
s.ardoshanghai .com/s.js
s.cawjb .com/s.js
mysy8 .com/1/1.js
mvoyo .com/1.js
nmidahena .com/1.js
tjwh202.162 .ns98.cn/1.js
Thankfully, the IE zero day attack in December is an example of a "wasted" zero day, with the potential for abuse not taken advantage of.
Related posts:
Massive SQL Injection Attacks - the Chinese Way
Yet Another Massive SQL Injection Spotted in the Wild
Obfuscating Fast-fluxed SQL Injected Domains
Smells Like a Copycat SQL Injection In the Wild
SQL Injecting Malicious Doorways to Serve Malware
SQL Injection Through Search Engines Reconnaissance
Stealing Sensitive Databases Online - the SQL Style
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists
No comments:
Post a Comment