Posted by Monty Solomon on April 22, 2008, 12:28 am
The 10.000 web sites infection mystery solved
Published: 2008-04-16,
Last Updated: 2008-04-16 19:14:00 UTC
by Bojan Zdrnja (Version: 3)
Back in January there were multiple reports about a large number of
web sites being compromised and serving malware. Fellow handler Mari
wrote the initial diary at
http://isc.sans.org/diary.html?storyid=3834 .
Later we did several diaries where we analyzed the attacks, such as
the one I wrote at http://isc.sans.org/diary.html?storyid=3823 . Most
of the reports about these attacks we received pointed to
exploitation of SQL Injection vulnerabilities.
Yesterday, one of our old friends, Dr. Neal Krawetz, pointed us to
another site hosting malicious JavaScript files with various
exploits. While those exploits were more or less standard, we
managed to uncover a rare gem between them - the actual executable
that is used by the bad guys in order to compromise web sites.
While we had a general idea about what they do during these attacks,
and we knew that they were automated, we did not know exactly how the
attacks worked, or what tools the attackers used. The strategy was
relatively simple: they used search engines in order to find
potentially vulnerable applications and then tried to exploit them.
The exploit just consisted of an SQL statement that tried to inject a
script tag into every HTML page on the web site.
The utility we recovered does the same thing. The interface appears
to be in Chinese so it is a bit difficult to navigate around the
utility, but we did some initial analysis of the code (which is very
big) to confirm what it does.
...
http://isc.sans.org/diary.html?storyid=4294
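A defender's check for the symptom the diary describes (a script tag injected into database-backed text so that it is served on every HTML page), added here as an example; it is not code from the ISC diary or from the poster. The sample rows, the table and column names, and the trusted host list are constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample rows, as if dumped from the text columns of a site's
# database: (table, primary key, column, stored value).
SAMPLE_ROWS = [
    ("news", 1, "title", "Welcome to our site"),
    ("news", 1, "body", "Latest updates.</title><script src=http://evil.example/x.js></script>"),
    ("products", 7, "desc", '<script src="/js/local.js"></script> A great widget'),
    ("pages", 2, "html", '<script src="https://www.example.com/site.js"></script>'),
    ("comments", 3, "text", "nice post<SCRIPT SRC=HTTP://cdn.example.net/a.js></SCRIPT>"),
]

# Hosts the site legitimately loads scripts from (constructed assumption).
TRUSTED_HOSTS = {"www.example.com"}


class _ScriptSrcFinder(HTMLParser):
    """Collect the src attribute of every <script> tag in a fragment."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names, so <SCRIPT SRC=...>
        # is matched as well as <script src=...>.
        if tag == "script":
            self.srcs.append(dict(attrs).get("src") or "")


def find_injected_scripts(rows, trusted_hosts=TRUSTED_HOSTS):
    """Return the rows whose stored text carries a script tag that loads
    from a host outside trusted_hosts. Relative src values are treated as
    same-origin and not reported; the mass injections described above
    pointed at an attacker-controlled absolute URL."""
    findings = []
    for table, pk, column, value in rows:
        parser = _ScriptSrcFinder()
        parser.feed(value)
        parser.close()
        for src in parser.srcs:
            host = urlparse(src).hostname  # None for relative paths
            if host and host not in trusted_hosts:
                findings.append({"table": table, "id": pk, "column": column,
                                 "host": host, "src": src})
    return findings


if __name__ == "__main__":
    for f in find_injected_scripts(SAMPLE_ROWS):
        print(f"{f['table']}.{f['column']} id={f['id']}: {f['src']}")
```

In practice the rows would come from a `SELECT` over every text column of every table, since the injection rewrote them all at once.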