Dissecting the Ongoing Mass SQL Injection Attack
The ongoing mass SQL injection attack, has already affected over a million web sites. Cybercriminals performing active search engines reconnaissance have managed to inject a malicious script into ASP ASP.NET websites.
SQL injected domains -- thanks to Dasient's Tufan Demir for the ping:
nbnjki.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
jjghui.com/urchin.js - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
bookzula.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
bookgusa.com/ur.php - 146.185.248.3 - Email: jamesnorthone@hotmailbox.com
dfrgcc.com/ur.php - Email: jamesnorthone@hotmailbox.com
statsl.com/ur.php - 111.22.111.111 - Email: jamesnorthone@hotmailbox.com
milapop.com/ur.php - Email: jamesnorthone@hotmailbox.com
jhgukn.com/ur.php - Email: jamesnorthone@hotmailbox.com
vovmml.com/ur.php - Email: jamesnorthone@hotmailbox.com
bookvivi.com/ur.php - Email: jamesnorthone@hotmailbox.com
Responding to 146.185.248.3 is also file-dl.com; bookfula.com and bookvila.com - Email: jamesnorthone@hotmailbox.com
Detection rate for urchin.js:
urchin.js - Trojan.JS.Redirector - 17/42 (40.5%)
MD5 : 4387f9be5af4087d21c4b44b969a870f
SHA1 : 8a47842ccf6d642043ee8db99d0530336eef6b99
SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351
The redirections take place as follows:
- bookzula.com/ur.php -> www3.topasarmy.in/?w4q593n= - Email: bill.swinson@yahoo.com -> firstrtscaner.rr.nu
- nbnjkl.com/urchin.js -> power-wfchecker.in/?1dlia916= - Email: bill.swinson@yahoo.com
uberble-safe.in
uberate-safe.in
best-jsentinel.in
topantivir-foru.in
personalscannerlg.in
rideusfor.in
hardbsy-network.in
enablesecureum.in
hardynauchecker.in
best-jsentinel.in
smartklhdefense.in
smartaasecurity.in
personal-scan-4u.in
unieve-safe.in
safe-solutionsoft.in
hugeble-cure.in
topsecuritykauu.in
personalcleansoft.in
powerscanercis.in
topksfsecurity.in
hard-antivirbjb.in
strong-guardbxz.in
smart-suiteguard.in
thebestkrearmy.in
smart-guardianro.in
freeopenscanerpo.in
best-networkqjo.in
hard-antivirbjb.in
smartantivir-scanner.in
most-popularsoftcontent.in
bester-msecuriity.in
doneahme.in
strong-checkerwrt.in
safepowerforu.in
safe-securityarmy.in
personal-bpsentinel.in
personalcleansoft.in
ostestsystemri.in
saveinternet-guard.in
just-perfectprotection.in
firstholdermvq.in
just-perfectprotection.in
allcle-safe.in
brawaidme.in
uniind-safe.in
moreaz-fine.in
trueeox-safe.in
safexanet.in
personal-internet-foryou.in
For the time being, the campaing is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.
Detection rate for the bogus Adobe Flash player:
scandisk.exe - Backdoor:Win32/Simda.A - 8/43 (18.6%)
MD5 : fb4c93935346d2d8605598535528506e
SHA1 : 0ff7ccd785c0582e33c22f9b21156929ba7abaeb
SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632
Upon execution the sample phones back to:
209.212.147.141/chrome/report.html
98.142.243.64/chrome/report.html
update.19runs10q3.com - 65.98.83.115
The same phone back locations have been used in a variety of related malware -- thanks to Kaspersky's David Jacoby for the ping. For instance, in this malware sample that's also phoning back to the same URLs, we have active HOSTS file modification as follows:
See related post: Sampling Malicious Activity Inside Cybercrime-Friendly Search Engines
www.google.com.=87.125.87.99;
google.com.=87.125.87.103;
google.com.au.=87.125.87.104;
www.google.com.au.=87.125.87.147;
google.be.=77.125.87.148;
www.google.be.=77.125.87.149;
google.com.br.=77.125.87.109;
www.google.com.br.=77.125.87.150;
google.ca.=77.125.87.152;
www.google.ca.=77.125.87.153;
google.ch.=77.125.87.155;
www.google.ch.=77.125.87.158;
google.de.=77.125.87.160;
www.google.de.=77.125.87.161;
google.dk.=92.125.87.123;
www.google.dk.=92.125.87.160;
google.fr.=92.125.87.154;
www.google.fr.=92.125.87.134;
google.ie.=92.125.87.170;
www.google.ie.=92.125.87.177;
google.it.=92.125.87.173;
www.google.it.=92.125.87.147;
google.co.jp.=92.125.87.103;
www.google.co.jp.=84.125.87.147;
google.nl.=84.125.87.103;
www.google.nl.=84.125.87.147;
google.no.=84.125.87.103;
www.google.no.=84.125.87.147;
google.co.nz.=84.125.87.103;
www.google.co.nz.=84.125.87.147;
google.pl.=84.125.87.103;
www.google.pl.=64.125.87.147;
google.se.=64.125.87.103;
www.google.se.=64.125.87.147;
google.co.uk.=64.125.87.103;
www.google.co.uk.=64.125.87.147;
google.co.za.=64.125.87.103;
www.google.co.za.=64.125.87.147;
www.google-analytics.com.=64.125.87.101;
www.bing.com.=92.123.68.97;
search.yahoo.com.=72.30.186.249;
www.search.yahoo.com.=72.30.186.249;
uk.search.yahoo.com.=87.248.112.8;
ca.search.yahoo.com.=100.6.239.84;
de.search.yahoo.com.=87.248.112.8;
fr.search.yahoo.com.=87.248.112.8;
au.search.yahoo.com.=87.248.112.8;
ad-emea.doubleclick.net.=64.125.87.101;
www.statcounter.com.=64.125.87.101;
The Lizamoon mass SQL injection connection
The same email used to register the SQL injected domains jamesnorthone@hotmailbox.com has been used to register the Lizamoon mass SQL injection attack domains extensively profiled here - "Dissecting the Massive SQL Injection Attack Serving Scareware".
Related posts:
- SQL Injection Through Search Engines Reconnaissance
- Massive SQL Injections Through Search Engine's Reconnaissance - Part Two
- Massive SQL Injection Attacks - the Chinese Way
- Cybercriminals SQL Inject Cybercrime-friendly Proxies Service
- GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
- Dissecting the WordPress Blogs Compromise at Network Solutions
- Yet Another Massive SQL Injection Spotted in the Wild
- Smells Like a Copycat SQL Injection In the Wild
- Fast-Fluxing SQL Injection Attacks
- Obfuscating Fast-fluxed SQL Injected Domains
About the author
Donec non enim in turpis pulvinar facilisis. Ut felis. Praesent dapibus, neque id cursus faucibus. Aenean fermentum, eget tincidunt.
