HAURI Security Column

A malicious code that exploited SQL Injection (07/18/11)

Written by HAURI Virus Lab.

Globally, distribution of malicious code through SQL Injection happens very often. The fact that web servers are being compromised with a simple tool shows how weak their security is. In particular, attackers can easily obtain administrator privileges on vulnerable sites by using a SQL Injection tool.


[PIC 1] SQL Injection tool

Recently we received reports that malicious code distributed through SQL Injection is widespread, so we analyzed the issue. In the following image you can see that four scripts have been inserted; all of them are malicious scripts injected through SQL Injection.
(Note: only the cssminibar.js and sidename.js files were analyzed.)


[PIC 2] Insert malicious script
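As an added example (not HAURI's code), a defender-side scanner for content already stored in a site's database: it parses each record's HTML and reports script tags that load from hosts outside the site's own allow-list, which is how the injected tags described above would stand out. The allow-listed hosts, record ids and sample rows are constructed.

```python
"""Find <script src=...> tags injected into stored page content (added example,
not HAURI's code). Reports every script whose host is not on the site's own
allow-list; the allow-list itself is an assumption for the example."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts from (constructed for the example).
TRUSTED_HOSTS = {"www.example-shop.com", "static.example-shop.com"}


class _ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag names; attrs is a list of (name, value).
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_injected_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return script URLs whose host is not on the allow-list."""
    collector = _ScriptCollector()
    collector.feed(html)

    def host_of(src):
        # Relative sources have no host; absolute and protocol-relative
        # ('//host/x.js') sources do. Drop any ':port' suffix.
        return urlparse(src).netloc.lower().split(":")[0]

    return [s for s in collector.sources
            if host_of(s) and host_of(s) not in trusted_hosts]


def scan_records(records, trusted_hosts=TRUSTED_HOSTS):
    """Scan (record_id, html) rows read from a CMS table; return {id: [urls]}."""
    findings = {}
    for record_id, html in records:
        hits = find_injected_scripts(html, trusted_hosts)
        if hits:
            findings[record_id] = hits
    return findings


# Constructed sample rows imitating the injected scripts the column describes.
SAMPLE_ROWS = [
    (101, '<p>Welcome</p><script src="/js/site.js"></script>'),
    (102, '<p>News</p><script src="http://hacked-site.example/cssminibar.js"></script>'
          '<script src="http://other-site.example/sidename.js"></script>'),
    (103, '<p>About</p><script src="//static.example-shop.com/menu.js"></script>'),
]

if __name__ == "__main__":
    for rid, urls in scan_records(SAMPLE_ROWS).items():
        print(f"record {rid}: suspicious scripts {urls}")
```

Running the same check against every text column that ends up in rendered pages is what turns a one-off clean-up into a repeatable post-compromise audit.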

cssminibar.js and sidename.js are obfuscated JavaScript; once the script runs, it connects to another compromised site and executes the showthread.php file there. (sidename.js uses a different URL but behaves in the same way.)


[PIC 3] Some part of cssminibar.js source code

showthread.php in turn executes forumthrea.php from yet another server.


[PIC 4] Some part of showthread.php source code

forumthrea.php is obfuscated and executes a malicious PDF file that exploits a vulnerability; the file is downloaded without the user's consent.


[PIC 5] Some part of forumthrea.php source code

The executed malicious PDF contains exploit scripts and uses shellcode to download and execute PE-format EXE files.


[PIC 6] Some part of malicious PDF source code

The EXE drops further PE-format EXE files and continuously attempts to connect to a set of servers over port 443.

The dropped PE-format EXE files create a driver file and send spam.


[PIC 7] Send spam

As the analysis shows, this kind of malicious code spreads across multiple websites like a cobweb by means of SQL Injection.

To protect a web server from SQL Injection, developers must practice secure coding and sound database management; individual users can protect their machines by applying security patches. Security needs constant attention, including keeping the anti-virus engine at its latest version through regular updates.



[ViRobot Detection Names]

HTML.S.Exploit.46154
HTML.S.Exploit.91648
JS.S.Exploit.2801
JS.S.Exploit.2809
JS.S.Exploit.2820
JS.S.Exploit.2859
PDF.S.Exploit.43455
PDF.S.Exploit.43464
Trojan.Win32.S.RT-Agent.30560.DS
Trojan.Win32.S.RT-Agent.30560.DT
Trojan.Win32.S.VB.278528.A
Trojan.Win32.S.VB.52224.G

Copyright 2008 @ HAURI Inc. All rights reserved.