Yet more SQL injection domains

Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.

Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.

If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.

One to watch: js.users.51.la

What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but the seem to have distinct differences.

js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably part of the bad guys' statistical tracking system the js.users.51.la domain is combined with what appears to be a randomly named .js file.

This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.

Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.

advabnr.com and adsitelo.com

SQL injection time again, this time with two new domains advabnr.com and adsitelo.com both loading a script called b.js (i.e. advabnr.com/b.js and adsitelo.com/b.js)

This is turning up on sites that have already been infected with other SQL injection attacks. The good news is that the new attacks seem to be smaller, indicating that people really are managing to secure their web servers.

Some notable infected sites (many of these have been cleaned up).

adsitelo.com

• bioimmune.com - BioImmune Inc (Health)
• immuquest.com - Health
• eyemdlink.com - Health
• tandberg.com - Tandberg (Electronics)
• techsol.com - Technology Solutions Company (ERP services)
• pollingcompany.com - The Polling Company (Market Research)
• spjc.edu - St Petersburg College
• judge.com - The Judge Group (jobs)

advabnr.com

• ibs.com - IBS, Inc (IT Services)
• outsourcingcentral.com - Business information
• mintek.com - Mintek Mobile Data Solutions
• engcen.com - Engineering jobs
• micronet.com - Digital storage

If you're searching for these domains yourself, I recommend using Yahoo! and Google as they give different results. Of course, these sites contain live malware so approach with caution.

bigadnet.com - lastest SQL injection domain

A continuation of the latest wave of SQL Injection attacks is bigadnet.com - many sites infected with "older" attacks have been "upgraded" to bigadnet.net. The inserted code to look for is www.bigadnet.com/b.js which then forwards to bigadnet.com/cgi-bin/index.cgi?ad - this in turn seems to be able to deliver a variety of malware.

bigadnet.com is running on a fast flux botnet, so it's highly distributed and resilient but not very reliable at actually delivering a payload.

UK Goverment sites hit by SQL Injection attacks

Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

• fco.gov.uk - Foreign and Commonwealth Office
• dfes.gov.uk - Department for Children, Schools and Families
• harrow.gov.uk - Harrow Council
• cwic.cornwall.gov.uk - Cornwall County Council
• cityoflondon.gov.uk - City of London
• corpoflondon.gov.uk - City of London
• nottinghamcity.gov.uk - Nottingham City Council
• relocateleicester-shire.gov.uk - Leicetershire County Council
• gos.gov.uk - Government Office Network
• lda.gov.uk - London Development Agency
• uktradeinvest.gov.uk - UK Trade & Investment
• dcalni.gov.uk - Northern Ireland leisure and tourism
• colchester.gov.uk - Colchester Borough Council
• countryside.wales.gov.uk - Welsh assembly
• cefngwlad.cymru.gov.uk - Welsh assembly
• broadband.cymru.gov.uk - Welsh assembly
• wmra.gov.uk - West Midlands Regional Assembly
• wmlga.gov.uk - West Midlands Local Government Association
• wycombe.gov.uk - Wycombe District Council
• southshropshire.gov.uk - South Shropshire District Council
• businesslink.gov.uk - Business Development
• shetland.gov.uk - Shetland Council
• unlockingessex.essexcc.gov.uk - Essex County Council
• southshropshire.gov.uk - South Shropshire District Council
• e-petitions.kingston.gov.uk - Kingston Borough Council
• clevelandfire.gov.uk - Cleveland Fire & Rescue
• surreyheath.gov.uk - Surrey Heath Council
• rbkc.giv.uk - Royal Borough of Kensington and Chelsea
• conwy.gov.uk - Conwy County Council

These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

Widen the search to sites containing .gov with a "b.js" exploit in (the most common), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it.. these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.

SQL Injection: advertbnr.com, logid83.com, script46.com, rexec39.com

Another batch of domains being used in SQL Injection attacks: advertbnr.com, logid83.com, script46.com, rexec39.com. Sanitize your inputs.

It looks like a lot of recent domains have been suspended by their registrar, some of the recent domains are with Xin Net who have been spam-friendly in the past, but may be cleaning up their act.

Google indicates that around 668,000 web pages are infected, but a search at Yahoo! shows around 3,000,000 infected pages which is probably more accurate.

Apple iPhone 3G

After lots and lots of rumours, the Apple iPhone 3G is finally here. It adds UMTS and HSDPA (3.5G), plus GPS and mapping. There's a new software platform, plus a number of other enhancements. But, really it's a bit disappointing.. the camera is still poor and you can't take out the battery.. and the 480 x 320 pixel display is so last year..

One surprising thing is that the iPhone will ship to 70 countries from July onwards. They've managed to do all that while keeping the iPhone 3G very quiet indeed.

Oh well, perhaps the iPhone 3 will finally be the one that fits in everything but the kitchen sink!

SQL Injection: sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com

Another batch of domains showing up in SQL injected are sslnet72.com, encode72.com, bannerupd.com, err68.com, cookieadw.com.

Some notable compromised sites:

• ise.ie - Irish Stock Exchange
• pittsfield-ma.org - City of Pittsfield
• corangamite.vic.gov.au - Corangamite Shire, Victoria
• fdc.org.br - Brazilian government agency
• dailyu.com - Local newspaper
• www.humanrightsfirst.org - Campaigning organisation
• therecruitbusiness.com - Recruiting
• corporate-responsibility.org - Business information
• childcarefinancialaid.org - Financial information
• micronet.com - Computer storage
• tairawhiti.ac.nz - Tairawhiti Polytechnic, New Zealand

The payload at the moment is undertermined, and some of these sites will have been cleaned up. At the time of writing, Irish Stock Exchange at ise.ie is still compromised.

"Company Littmann Stethoscopes Co.Ltd" bogus job, spoofing medisave.net

medisave.net is an "under construction" website belonging to the wholly legitimate Medisave UK Ltd, a supplier of medical equipment.

Unfortunately, there is a fake job offer being sent out in Medisave's name. One twist is that the "From:" address is jobs@medisave.net, but the reply to address is littmannstethoscopeshelpdesk@gmail.com. The spammers are taking advantage of the fake the the "reply to" address is often not clear until the user clicks "reply", otherwise they tend to see the fake "from" address (note, medisave.net is not compromised and is not sending out these emails).

The job offer is likely to be some sort of money mule/money laundering scam. Really there's no need to dig further. Of interest is the fact the the email address has been harvested from a UK retailer and this is a UK-targeted spam.

From: Company Littmann Stethoscopes Co.Ltd
Reply-To: littmannstethoscopeshelpdesk@gmail.com
Subject: Online Job Opportunity (Apply Now )

Would you like to earn £5,000 in a week?

Reply Back for more details

100% legal No upfront payment from you.

Risk Free

Amazon.com - reverse pump and dump or blackmail?

I received this unintelligible email from an IP address in Russia (213.221.29.19), probably relating to the recent mystery outage at Amazon.com.

Subject: Amazon.com In what a problem?
Date: Mon, June 9, 2008 7:14 am

Hello!
News agency Reuters informs about not to working capacity of a site amazon.com in
current of two weeks since June, 9th and corresponding it to falling of share price. Be close
at work with them.

What gives? My best guess is that someone is trying to either drive the share price down (perhaps they have a put option), or perhaps it is part of some blackmail plot relating to the amazon.com outage.

Unfortunately for the bad guys, the email is completely incomprehensible. As spam, this one is definitely destined for the failboat.

Googling for SQL injection infected sites

A very rough and ready Google search shows (warning: results may lead to malware) 792,000 pages that were infected when Google visited the site. Sites that say "This site may harm your computer." can be considered as persistent offenders. Note also that the search results may have some false positives.

All very interesting, you might think. But if you work in an IT department, it can be very useful to find sites that your users might visit so that you can take action.. or perhaps you can even check your own business.

In this current round of attacks, the bad javascript file is called b.js, so you can find a lot of infected sites by Googling for "script src" b.js (you need to include the quotes). That gives hundreds of thousands of matches.

One obvious check is to add your company name, for example "script src" b.js "oceanic airlines", but Google is cleverer than that. If you use the "inurl" function, then you can search for sites in certain TLDs or with certain names. For example "script src" b.js inurl:gov lists several government sites, "script src" b.js inurl:oceanic would find results on sites such as oceanic-air.com, oceanicair.net, oceanic-air.co.uk.

You can narrow down results by country by using the Advanced Search (or you could just use the "national" Google site such as google.co.uk, google.ca etc). You can use other search engines too, but really Google has the most powerful searching options.

Of course, if you want to confirm if the site is still infected, then you will need to visit it. If you don't want all the hassle of firing up a Linux box, then one safe tool is SamSpade for Windows which allows you to look at the underlying HTML safely. It's a pretty old tool, and not perfect, but very useful for a number of tasks. Alternatively, WGET for Windows is more powerful and it allows you to download files in a command line (although care needs to be taken once they are on your machine). I tend to use both.

More SQL injection fun: view89.com, exe94.com and tag58.com

Yet more new domains in this never ending wave of SQL Injection attacks: view89.com, exe94.com and tag58.com. Infected sites load a malicious javascript from www.view89.com/b.js or www.tag58.com/b.js which redirects through exe94.com/cgi-bin/index.cgi?ad - that in turn might try any number of things to infect the visitor's PC.

Chinese "selling-domain" mails

Probably not a scam, and really only a moderate hit on the Spam-O-Meter, but there do seem to be a number of emails from a person called Liu offering to sell a .cn version of your .com domain.

Subject: selling-domain: ------.cn
From: ljp013@vip.163.com
Date: Thu, June 5, 2008 1:13 am


Hello
We have ------.cn and think it is useful for you to made a China Website and
to explore China market.

We are pleased to inform you that we are now engage an activity by which you
can purchase this domain only with $1000 USD. If you are interested in it
,please reply to us and discuss the domain tranfer matters.
We could finish the transaction through www.sedo.com which is a international
Domain trade agency.Then,sedo.com will help you transferred the domain.
China is the biggest market in the world £¡Dot.cn domains is a symbol of
enterprises in China£¡10,000,000 .cn domains are been registered£¡

At last,Sorry for the disturb if any.

Wish you a happy new year 2008, and welcome to our China to visit Olympic Games.

Best Regards.

Liu


=================

Appendix:
Some large international companies use .cn domain in China.
http://www.google.cn/ The world's largest search company google.com China Station
http://www.Amazon.cn The world's largest online bookstore amazon.com company
China Station
http://www.Yahoo.cn Yahoo.com he is the sub-stations in China

It used to be the case that anyone wanting to register a .CN name had to either live in China or have a business that operated in China, although this is no longer the case and it seems everyone can register a .CN name (some restrictions apply on names and content). Neulevel's FAQs on the .CN TLD are enlightening. There is a dispute policy if you feel that your domain name has been registered unfairly.

To be honest, I'm not at all bothered about .CN names and I certainly won't be shelling out $1000 for something I won't use. But as ever, if you want to protect your brand abroad then perhaps securing the .cn version of your domain might be a good idea, there's a list of registrars at CNNIC.

flyzhu.9966.org and exec51.com SQL injection attacks

More in the ever morphing world of SQL injection attacks. Sites that were hit with the xiaobaishan.net attack are now directing to flyzhu.9966.org/us/Help.asp and sites previously infected with en-us18.com are now pointing to www.exec51.com/b.js

9966.org appears to be a dynamic DNS service, exec51.com is a fast flux botnet. My best guess is that there are two rival groups performing SQL injections, one of them is Chinese and the other Russian.

The nature of the botnet means that the payload delivery is a bit erratic, but with a bit of effort exec51.com coughs up a reference to fake anti-spyware site advancedxpdefender.com. That tries to install a trojan which is pretty well detected by most AV products.

Thanks also to Amir who pointed us in the direction of his guide to preventing SQL injection attacks - if your server has been hit by one of these exploits, then it might be useful to you.

Redmondmag.com and related sites serving up malware

One notable name that keeps coming up with regards to the latest round of SQL Injection attacks is Redmondmag.com, published by 1105 Media, Inc as well as a number of sister sites. For a publication for IT professionals to be so badly impacted by SQL injection attacks raise some eyebrows.

A quick bit of Google searching shows how bad it is: a search for sysid72.com "1105 media" shows 35 infected pages belonging to virtualizationreview.com, visualstudiomagazine.com, redmondmag.com, reddevnews.com and certcities.com. Searching for xiaobaishan.net "1105 media" comes up with 121 matches for tcpmag.com and certcities.com. There are similar hits when searching for en-us18.com and locale48.com.

An alternative search you can do is b.js "1105 media" where this current batch of injected javascripts can clearly be seen (of course, this blog entry will also turn up for the same search string in time!)

This problem goes back to at least April when redmondmag.com was infected by the nihaorr1.com attack.

Here's the thing: the sites showing up in Google are not infected at the moment, but they were when Google crawled them. Clearly 1105 Media cleans up the attacks quickly, but it has not yet managed to secure its SQL server against injection attacks. Perhaps 1105 Media should read some of their own articles on the subject (see redmondmag.com/news/article.asp?editorialsid=9928 - visit at your own risk!)

win496.com, tag58.com, rundll841.com and sslput4.com: another SQL injection attack

Yet another SQL injection attack doing the rounds, this time inserting references to www.win496.com/b.js, www.tag58.com/b.js and www.rundll841.com/b.js. The javascript redirects to sslput4.com/cgi-bin/index.cgi?ad. (Obviously, don't visit these sites unless you know what you are doing!)

All the domains run on a distributed botnet and were freshly registered this morning to a no-doubt fake address:

whois -h whois.crsnic.net win496.com ...
Redirecting to DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY.COM

whois -h whois.PublicDomainRegistry.com win496.com ...
Registration Service Provided By: VIVIDS MEDIA GMBH
Contact: +49.3094413291

Domain Name: WIN496.COM

Registrant:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Creation Date: 04-Jun-2008
Expiration Date: 04-Jun-2009

Domain servers in listed order:
ns4.win496.com
ns3.win496.com
ns2.win496.com
ns1.win496.com


Administrative Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Technical Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Billing Contact:
n/a
lera (casta4000@mail.ru)
reklama uslug 727 94-00
Seul
3566,123456
RU
Tel. +7.4952345672

Status:ACTIVE

There are probably several different payloads, one we have seen is the Danmec trojan which drops a file called aspimgr.exe into the SYSTEM32 folder (more details here, here and here). The payload delivery may be randomised, it seems to be quite difficult to determine exactly what is going on.

If your server has been infected, then you need to do more than just clean it up.. you need to sanitize your SQL inputs. You can read more details of how SQL injections works here.

Right now it is difficult to say how many sites are impacted as the domains are really very new.

Added: you can add sysid72.com/b.js to this list too. That was registered 5 days ago, and a Google search already shows over 2000 hits. Also locale48.com has infected over 4000 pages in the same time frame.

Some people are stupid

A classic post over at the F-Secure blog where some muppet "hacker" accidentally emailed out their malware generation tool and put it right into the hands of anti-virus researchers. To quote F-Secure, Hey, thanks. Keep up the good work.

On a more serious note, this tool is used to generate trojanised PDF files. So go and check that your version of Adobe Reader is up to date right now before doing anything else..

en-us18.com, libid53.com and rundll92.com SQL injection attack

Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad

It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicate that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad

At the moment, these merely serves up another redirector to MSN.com, but it would be easy enough for the botnet controllers to change it to a malicious payload.

Some notable infected sites:

• tcpmag.com (Technology magazine - again!)
• annefrank.org (Anne Frank Museum)
  
• galatta.com (Indian movies)
• onefootball.dk (Sport)
• tvoneonline.com (US TV station)
• belfastcity.gov.uk (UK local government)
• marketingprinciples.com (Marketing guide)
• hobsonsbay.vic.gov.au (Australia local government)

This is quite a fresh looking exploit, this is not comprehensive. It is very disappointing to see tcpmap.com listed yet again, and we've seen sister publication redmondmag.com infected before too.

xiaobaishan.net - yet another SQL injection attack

It looks like the sites hit by the chliyi.com attack have been hit again, this time with an injection to a script pointing at www.xiaobaishan.net/dt/us/Help.asp. Right at the moment, the www.xiaobaishan.net domain is not resolving, but it does appear to be hosted on 219.146.128.119 in China.

It looks like the domain may well be a legitimate one that has somehow been compromised and 219.146.128.119 looks like a pretty standard shared server.

It's possible that the chliyi.com infected sites were deliberately targeted, the resulting HTML is an awful mess though (see below).

Some notable infected sites:

• kcsg.com (again)
• sciencescotland.org (again)
• paramountcomedy.com (again)
• drdrew.com (again)
• gisp.org (again)
• legis.state.ia.us (Iowa State legislature)
• modernamuseet.se (Stockholm Museum)
• calbears.berkeley.edu (University)
• reportchildsex.com (Child protection)
• cas.org.uk (Citizen's Advice Scotland)
• tcpmap.com (Technlogy magazine)
• randomhouse.com.au (Random House publishers, Australia)
• ispyni.com (Northern Ireland tourism)

There are a number of other sites, notably in Ireland, Australia and Canada hit too.

This is not the only SQL injection attack doing the rounds today, and I suspect that some of them have been hit by another one pointing at en-us18.com/b.js

As an aside, these multiple SQL injections are really messy. A code snippet from sciencescotland.org demonstrates this:

Bizarre USPS scam

It's hard to tell what the scammer is trying here due to the amusingly bad English. Mail originates from the spammers favourite email service, Gmail (72.14.214.225) but uses a French Yahoo! email address as a drop box with a Polish "From" address.

Clearly some sort of parcel scam where there will be a release fee of some description. Steer clear.

Subject: Please Contact Us With This Email Address Below (usps6864@yahoo.fr)
From: "markwillams2 Gazeta.pl"


Hello Dear,


Please i have to let you knowing this that your have reciverd your parcel,
and do not let me knowing about that since last year.



At this very point now, do to i have not heard from you to knowing the
sitution of things now, for your information track your parcel and you will
sean what am talking about please.

However if you knowing that you are not the one please do get back to me as
matter of urgent to day.please track and sean with this information Below

http://www.usps.com/shipping/trackandconfirmfaqs.htm

Label Number: 0515 0134 7110 8886 8806

Please Contact Us With This Email Address Below (usps6864@yahoo.fr)

Thanks
Mark Williams