Sponsored by..

Thursday 3 July 2008

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

  • adwadb.mobi
  • allocbn.mobi
  • canclvr.com
  • catdbw.mobi
  • ktrcom.com
  • lokriet.com
  • mainbvd.com
  • portwbr.com
  • stiwdd.com
  • testwvr.com
  • upcomd.com
  • ucomddv.com
The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Wednesday 2 July 2008

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

  • adupd.mobi
  • adwste.mobi
  • bnrupdate.mobi
  • cntrl62.com
  • config73.com
  • cont67.com
  • csl24.com
  • debug73.com
  • default37.com
  • get49.net
  • pid72.com
  • pid76.net
  • web923.com

Best advice to to block access to these sites and check your logs.

Monday 30 June 2008

"Royal Alliance Financial Investment" scam

A slightly strange scam from some outfit pretending to be "Royal Alliance Financial Investment" offering a low-cost loan. The initial email does not ask for much in the way of personal data, presumably that comes as the next step.

There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.

From: "Royal Alliance Financial Investment"
Date: Mon, June 30, 2008 3:43 pm

Royal Alliance Financial Investment
(Financial Aid Professionals)
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.

Are you searching for a Genuine loan? at an affordable interest rate ?
processed within 4 to 6 working days. Have you been turned down constantly
by your Banks and other financial institutions? The goodnews is here !!!

Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
gladdens our
hearts to bring to your notice that we offer all kinds of loan to any
part of the world.Being a licensed and registered company under the
finance ministry here in the United Kingdom we make available to customers
legitimate loan offers that are quick and affordable with interest rate at
a mere 3%.

Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
Loan*International Loan*Personal Loan*And Much More.

Please if you are delighted and interested in our financial offer,Do not
hesitate to contact us if in need of our service as you will be required
to furnish us with the following details to commence with the process of
your loan sum accordingly


First Name:___________________________
Last Name:____________________________
Marital status:_______________________
Contact Address:______________________
City/Zip code:________________________
Date of Birth:________________________
Amount Needed as Loan:________________
Loan Duration:________________________
Monthly Income/Yearly Income:_________
Business name:________________________
Purpose for Loan:_____________________

Thanks For Your Patronage!

'Your Business Is Our Blessing'

Mr,Jerry Mccarthy,
London Operations Manager,
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Thursday 26 June 2008

Asprox: list of domains and mitigation steps

The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

Wednesday 25 June 2008

Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,

Monday 23 June 2008


Former Moto fans such as myself have waited ages for a truly decent handset to come out from Motorola.

The Motorola ZINE ZN5 certainly has an impressive looking camera.. but the problem is that the rest of the phone is pretty unimpressive.

Motorola's woes have been well documented, but this certainly does look like Motorola's last chance. And it looks like the ZN5 is not really up to the task..

ISC: SQL Injection mitigation in ASP

If you're trying to secure your SQL server against the latest round of injection attacks, then check out this item from the Internet Storm Center, which gives some pointers on how to secure you database with ASP.

It probably makes much more sense to an SQL development than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..

SQL Injection: bnradw.com

Another SQL Injection domain to block or watch out for in your logs - bnradw.com.

Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.

Friday 20 June 2008

List of SQL Injection domains

My postings here about SQL injected domains are a bit ad-hoc, but Shadowserver also have a pretty up-to-date list if you're looking at blocking them.

Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!).

SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

More SQL Injection domains, this time pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com and chinabnr.com. Probably a good idea to check your logs and/or block access to these sites.

No change in the method of attack, and the cleanup of SQL servers is proceeding pretty slowly. It's clear that some sites are not going to be fixed any time soon, so if you see a site that hasn't been secured then perhaps a complaint to their web host might help.

Thursday 19 June 2008

msmvps.com, msinfluentials.com and Spyware Sucks offline

I'm a regular reader of Spyware Sucks and was surprised to see that it had been offline for a few days. It turns out that the server that runs the msmvps.com blogging service (used by main Microsoft specialists) got infected with this nasty.

The Google cache of the SBS Diva Blog throws up this information:

In getting ready for the upgrade to CS 2008 I was trying to make some special backups... that wouldn't work. Well in digging into the matter more, that' service that is missing some files which is causing the peer to peer backups between Brianna and Yoda to fail.. isn't a real service at all.


We have backups so first thing tomorrow morning I'll be calling PSS Security to, more than anything else find out the "how" this happened.

Bottom line we got a critter on the box and I didn't (intentially anyway) put it there.

And to check to see if Yoda should be quarantened (aka web server turned off) to protect web visitors as well. So if the blog goes off the air a bit we're just doing it to better protect viewers.


In looking at the log files and event logs of Yoda, I'm not liking what I'm seeing... so the blog site at www.msmvps.com and www.msinfluentials.com will be offline starting at 7p.m. Pacific possibly until Friday.

Apologies for the inconvenience to all the bloggers on the site and we'll get back online as soon as we can.

Microsoft recommends that any systems found to be compromised or suspected of being compromised be formatted and re-installed from a known good build (i.e. operating system CD + all security patches while disconnected from the network). CERT has a good web site that provides information on recovering from security incidents located at: http://www.cert.org/nav/recovering.html
Oh well.. it can happen to anyone.

Wednesday 18 June 2008

HTM Hell

One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laded domains injected into the code. Click the image below to see a snippet from a really badly infected site.

The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.


The latest domain in the SQL Injection attacks is chkadw.com (i.e. pointing to www.chkadw.com/b.js). Domain is registered to a (probably fake) Chinese contact through a Chinese registrar. Delivery mechanism and payload seem to be identical to the latest attacks.

Tuesday 17 June 2008

Yet more SQL injection domains

Keep an eye out for datajto.com, dbdomaine.com, upgradead.com, clsiduser.com, clickbnr.com, bnrcntrl.com, domaincld.com, jetdbs.com, updatead.com, all pointing to b.js (e.g. www.dbdomaine.com/b.js) - all forming part of the latest SQL injection attack.

Registrar is VIVIDS MEDIA GMBH - let's see if they clean up their act.

If you're in tech support, check your outbound logs for connections to these domains. If you're an end user then I'd recommend Firefox with Noscript as a good way to protects youself.

Friday 13 June 2008

One to watch: js.users.51.la

What the heck is js.users.51.la? In fact, where the heck is .la anyway? And why am I asking?

As I've mentioned before, there are possibly two gangs carrying out the current round of SQL Injection attacks, one possibly based in China and one based in Russia. Their techniques are very similar, but the seem to have distinct differences.

js.users.51.la appears in many of the "Chinese" exploits - 51.la itself appears to be a legitimate web counter site. Presumably part of the bad guys' statistical tracking system the js.users.51.la domain is combined with what appears to be a randomly named .js file.

This doesn't appear to be a malware site in itself, but it could be a useful thing to look for in your proxy logs as it may well help track down machines that have visited infected sites. Either search for js.users.51.la or perhaps just 51.la as part of your normal audit process.

Where is .la? Officially it is Laos, but the TLD is also being punted as "Los Angeles" by www.la. No clue there, but the fact that all the signups for 51.la are in Chinese really does indicate that there's a Chinese connection here.

advabnr.com and adsitelo.com

SQL injection time again, this time with two new domains advabnr.com and adsitelo.com both loading a script called b.js (i.e. advabnr.com/b.js and adsitelo.com/b.js)

This is turning up on sites that have already been infected with other SQL injection attacks. The good news is that the new attacks seem to be smaller, indicating that people really are managing to secure their web servers.

Some notable infected sites (many of these have been cleaned up).

  • bioimmune.com - BioImmune Inc (Health)
  • immuquest.com - Health
  • eyemdlink.com - Health
  • tandberg.com - Tandberg (Electronics)
  • techsol.com - Technology Solutions Company (ERP services)
  • pollingcompany.com - The Polling Company (Market Research)
  • spjc.edu - St Petersburg College
  • judge.com - The Judge Group (jobs)

  • ibs.com - IBS, Inc (IT Services)
  • outsourcingcentral.com - Business information
  • mintek.com - Mintek Mobile Data Solutions
  • engcen.com - Engineering jobs
  • micronet.com - Digital storage
If you're searching for these domains yourself, I recommend using Yahoo! and Google as they give different results. Of course, these sites contain live malware so approach with caution.

Thursday 12 June 2008

bigadnet.com - lastest SQL injection domain

A continuation of the latest wave of SQL Injection attacks is bigadnet.com - many sites infected with "older" attacks have been "upgraded" to bigadnet.net. The inserted code to look for is www.bigadnet.com/b.js which then forwards to bigadnet.com/cgi-bin/index.cgi?ad - this in turn seems to be able to deliver a variety of malware.

bigadnet.com is running on a fast flux botnet, so it's highly distributed and resilient but not very reliable at actually delivering a payload.

Tuesday 10 June 2008

UK Goverment sites hit by SQL Injection attacks

Do you trust the government with your personal data? A look at some recent national and local government sites that have been compromised with SQL injection attacks might make you think again.

  • fco.gov.uk - Foreign and Commonwealth Office
  • dfes.gov.uk - Department for Children, Schools and Families
  • harrow.gov.uk - Harrow Council
  • cwic.cornwall.gov.uk - Cornwall County Council
  • cityoflondon.gov.uk - City of London
  • corpoflondon.gov.uk - City of London
  • nottinghamcity.gov.uk - Nottingham City Council
  • relocateleicester-shire.gov.uk - Leicetershire County Council
  • gos.gov.uk - Government Office Network
  • lda.gov.uk - London Development Agency
  • uktradeinvest.gov.uk - UK Trade & Investment
  • dcalni.gov.uk - Northern Ireland leisure and tourism
  • colchester.gov.uk - Colchester Borough Council
  • countryside.wales.gov.uk - Welsh assembly
  • cefngwlad.cymru.gov.uk - Welsh assembly
  • broadband.cymru.gov.uk - Welsh assembly
  • wmra.gov.uk - West Midlands Regional Assembly
  • wmlga.gov.uk - West Midlands Local Government Association
  • wycombe.gov.uk - Wycombe District Council
  • southshropshire.gov.uk - South Shropshire District Council
  • businesslink.gov.uk - Business Development
  • shetland.gov.uk - Shetland Council
  • unlockingessex.essexcc.gov.uk - Essex County Council
  • southshropshire.gov.uk - South Shropshire District Council
  • e-petitions.kingston.gov.uk - Kingston Borough Council
  • clevelandfire.gov.uk - Cleveland Fire & Rescue
  • surreyheath.gov.uk - Surrey Heath Council
  • rbkc.giv.uk - Royal Borough of Kensington and Chelsea
  • conwy.gov.uk - Conwy County Council
These are some example searches that show the problem (note that the search results will change over time, and the results themselves may lead to malware). Yahoo! examples: 1 2 3 4 5; Google examples: 1 2 3 4

Widen the search to sites containing .gov with a "b.js" exploit in (the most common), and you can see that government sites all over the world have been compromised, with Yahoo! estimating 11,000 infected pages. Think about it.. these should be trusted sites, but clearly they are not safe. Remember: there is no such thing as a trusted site anymore.