-
SQL Injection Attacks Targeting Chinese-oriented Sites
With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympic Games, and with 'China' being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web. We have been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether on the mainland or overseas.
Like most SQL injection attacks, these begin with a malicious script being injected into a legitimate site, which then redirects its visitors to an attacker-controlled website. That website exploits vulnerabilities on the visitor's computer to download and execute malicious programs.

In one of the samples we received, a close look at the obfuscated URL showed that users of the compromised website were being redirected to 'hxxp://vc??.cn'. Though this malicious website was first reported in April 2008, it is still live and infectious today. Additional mirror sites include pdh0??.cn, iihao??.cn, qqhao??.cn, yyhao??.cn, zzhao??.cn and more, but they all redirect users to two sites hosting the most invasive programs: jzm0??.cn and hby0??.cn.
The 'vc??.cn' website functions as a transit station: it decides which website the user is shunted to next, depending on the browser in use. Whichever route they take, users end up infected with a password-stealing trojan, which we detect as Trojan-GameThief.Win32.OnLineGames.snsq.

The interesting thing about this particular SQL injection attack is that a number of the vulnerabilities the malware writers exploit are in software most likely to be used by Chinese websites, so by extension the attack is targeted specifically at Chinese (or Chinese-literate) visitors. For example, the Baidu Soba Remote Code Execute Vulnerability is more or less exclusive to the Chinese web, as is the Sina DLoader Class ActiveX Control 'DonwloadAndInstall' Method Arbitrary File Download Vulnerability.
That's not to say that non-Chinese visitors won't be affected by this attack, as a specially crafted Flash file exploiting an Adobe Flash Player integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, the file forces the player's memory handling beyond its limits, then takes advantage of the resulting corruption to execute its own hidden code. If the user hasn't updated their Flash Player to a version newer than those targeted, their computer is vulnerable.
For such users, the best advice is to run the F-Secure Health Check to determine whether your computer has all the latest updates and, most importantly, don't click on any suspicious links related to the Olympics!
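Site owners looking for the injected redirect described above can scan their stored page content for script or iframe includes that point at hosts they do not own. The following is an added example and not code from the post; it assumes the injected snippet is an appended `<script>`/`<iframe>` tag, possibly hidden behind percent-encoding inside a JavaScript `unescape()` call, and the hostnames used are placeholders rather than the redacted domains in the post.

```python
import re
from html import unescape
from urllib.parse import unquote, urlparse

# Matches <script src=...> and <iframe src=...> with quoted or bare attribute values.
TAG_RE = re.compile(r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def deobfuscate(html):
    """Undo the layers injected snippets commonly hide behind: HTML entities and
    (possibly nested) percent-encoding fed to JavaScript unescape()."""
    text = unescape(html)
    prev = None
    while prev != text:          # unquote() is a no-op once no %XX sequences remain
        prev, text = text, unquote(text)
    return text


def external_includes(html, trusted_hosts):
    """Return (tag, url) pairs whose src points at a host outside trusted_hosts.
    Relative URLs have no host and are ignored."""
    found = []
    for tag, src in TAG_RE.findall(deobfuscate(html)):
        host = urlparse(src).hostname
        if host and host.lower() not in trusted_hosts:
            found.append((tag.lower(), src))
    return found


# Constructed samples (placeholder hosts); the first hides the tag inside unescape().
INJECTED = ('<p>Latest news</p><script>document.write(unescape('
            '"%3Cscript src=http://redirector.example.invalid/m.js%3E%3C/script%3E"))</script>')
INJECTED_PLAIN = ("<div>ok</div><iframe src='http://redirector.example.invalid/' "
                  "width=0 height=0></iframe>")
CLEAN = '<script src="https://www.example.invalid/js/app.js"></script><p>hi</p>'

if __name__ == "__main__":
    for body in (INJECTED, INJECTED_PLAIN, CLEAN):
        print(external_includes(body, {"www.example.invalid"}))
```

Run it over exported database columns or rendered pages; any hit outside the trusted host list is worth a manual look, since legitimate third-party includes will also show up.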
Response Team post by — Lordian & Alia On 08/08/08 At 07:17 AM
-
Black Hat and DEF CON
Greetings from Las Vegas, it's again that time of the year.

Black Hat 2008 is in full swing and DEF CON will start tomorrow.
On the first day of Black Hat the most popular presentation was, as could be expected, Dan Kaminsky's DNS talk. The room was totally packed while Dan went through in detail what exactly was the story behind the biggest vulnerability announcement of the year.

Dan actually spent most of his talk coming up with creative ways on how to exploit this DNS problem and combine it with other vulnerabilities - quite creative. Bottom line: if DNS doesn't work, pretty much nothing will work.
We have a presentation of our own coming on Sunday at noon in DEF CON, when Teo and Hirosh from our labs will talk about how to fight new types of phishing.

Signing off, Mikko On 07/08/08 At 04:15 PM
-
F-Secure Khallenge III Results
Khallenge III was over the weekend, here are the current solution statistics:
Level 1: 393
Level 2: 20
Level 3: 8
During the run of the competition, the final level was solved by 4 people:
1. Igor Skochinsky (iPod Touch 32GB)
2. Kaspars Osis (iPod Touch 16GB)
3. "bbuc" (t-shirt)
4. Ludvig Strigeus (t-shirt)
Igor & Kaspars are returning winners from previous Khallenge competitions (1) (2). Great job guys!
Runners-up: Alexander Polyakov, "Lancert", "push.ret", "Hellspawn", V. Usatyuk, "Piotras", "ASMax"
Level 1 contains a hidden message, here are the winners:
1. Alexandru Maximciuc (t-shirt)
2. Volodymyr Pikhur (t-shirt)
3. Richard Baranyi (t-shirt)
On a personal note, while designing the challenges I've been wondering if level 2 was too difficult. The statistics have proven it was. However, according to your responses, it was great fun! I'm glad to hear that many people enjoyed it. Next year though, we'll aim to get the challenges into a bit better balance. ;-)
The Khallenge.com website will be online until the 12th of August. After that, you'll be able to get the files directly from our security center website: http://www.f-secure.com/security_center/asm.html
Signing off, Kamil On 05/08/08 At 11:01 AM
-
Khallenge has started
F-Secure reverse engineering Khallenge has started.
You can download the first level now from www.khallenge.com.
Results can be viewed in realtime from the same site.

Good luck!
Updated to add: Over 50 people solved the 1st level during the first hour of the Khallenge - but no solutions for level 2 yet...
Updated to add: By Saturday noon, the situation looked like this:

Very nice. Official results will be announced later. On 01/08/08 At 10:00 AM
-
Assembly 2008 Khallenge

Assembly Summer 2008 demoscene party is in full swing in Helsinki, Finland!
Assembly, one of the oldest and largest demo parties anywhere, has around 5000 geeks gathered together for four days. Many of the techniques used in demo coding are interesting to those of us working in a virus lab: the fastest demos are written in low-level assembler, and to fit within the tight size limits (such as 4kB or 64kB), some of these demos use really advanced compression techniques.

To get a feeling on what's happening at the party, you might want to tune in to AssemblyTV.
Once again, as a sponsor of the event, F-Secure is running a reverse-engineering competition known as KHALLENGE. Your task is to decode three programs to find hidden information. The fastest solvers win new iPods and a visit to our virus lab. Khallenge will begin tomorrow, Friday the 1st of August 2008, at 12:00 local Assembly time.
You can read more about the competition from Khallenge.com and review the rules from Assembly 2008 website.

Do note that khallenge.com will only be operational during the party. On 31/07/08 At 01:38 PM