Malicious code that exploited SQL Injection
07/18/11
Written by HAURI Virus Lab.
Globally, distribution of malicious code through SQL Injection happens frequently. The fact that a web server can be compromised with a simple tool shows how weak the server's security is. In particular, attackers can easily gain administrator privileges on vulnerable sites by using an SQL Injection tool.
[PIC 1] SQL Injection tool
Recently we received reports that malicious code distributed through SQL Injection is widespread, so we analyzed the issue. In the following image you can see that four scripts were inserted. All of them are malicious scripts inserted by SQL Injection.
(Note: only the cssminibar.js and sidename.js files were analyzed.)
[PIC 2] Insert malicious script
The cssminibar.js and sidename.js files are encrypted JavaScript; once the script runs, it connects to another hacked site and executes the showthread.php file. (sidename.js uses a different URL but behaves the same way.)
[PIC 3] Some part of cssminibar.js source code
showthread.php then executes forumthrea.php from another server.
[PIC 4] Some part of showthread.php source code
forumthrea.php is encrypted and executes a malicious PDF file that exploits a vulnerability; the file is downloaded without the user's consent.
[PIC 5] Some part of forumthrea.php source code
The executed malicious PDF file contains exploit scripts and uses shellcode to download and execute certain PE-format EXE files.
[PIC 6] Some part of malicious PDF source code
The EXE creates further PE-format EXE files and continuously tries to connect to a certain server.
The dropped PE-format EXE files create a driver file and send spam.
[PIC 7] Send spam
According to the analysis so far, this kind of malicious code spreads across multiple websites like a cobweb by means of SQL Injection.
To protect a web server from SQL Injection, developers must practice secure coding and sound database management, and individual users can protect their machines by applying security patches. Security must be a constant concern, and the vaccine engine should be kept at the latest version through regular updates.
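As an added example (not code from the HAURI report), the two defensive measures above in Python: a parameterized write so that stored content cannot alter the SQL statement, and a scan of stored rows for `<script>` tags that load from hosts outside an assumed allowlist, which is how injected references such as cssminibar.js and sidename.js would surface. The table layout, hostnames and sample rows are constructed placeholders.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist of hosts this site legitimately loads scripts from (assumed value).
TRUSTED_HOSTS = {"www.example-site.test"}

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in an HTML fragment."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)

def external_scripts(html, trusted_hosts=TRUSTED_HOSTS):
    """Return script URLs pointing at hosts outside the allowlist.
    Relative src values (no host) are treated as same-origin and skipped."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return [src for src in parser.srcs
            if (host := urlparse(src).hostname) and host.lower() not in trusted_hosts]

def store_post(conn, post_id, body):
    """Parameterized write: body is bound as data, so quotes or SQL keywords in it cannot change the statement."""
    conn.execute("INSERT INTO posts (id, body) VALUES (?, ?)", (post_id, body))

def scan_posts(conn):
    """Return {post_id: [suspicious script URLs]} for rows carrying foreign scripts."""
    findings = {}
    for post_id, body in conn.execute("SELECT id, body FROM posts"):
        hits = external_scripts(body)
        if hits:
            findings[post_id] = hits
    return findings

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, body TEXT)")
    # Constructed sample rows: one clean, one resembling the tampered pages
    # described above (script names from the report, hosts are placeholders).
    store_post(conn, 1, '<p>Hello</p><script src="http://www.example-site.test/app.js"></script>')
    store_post(conn, 2, '<p>News</p><script src="http://hacked-site.invalid/cssminibar.js"></script>'
                        '<script src="http://other-hacked.invalid/sidename.js"></script>')
    store_post(conn, 3, "it's a 'quoted' body; -- still plain data")  # quotes stay inert
    return scan_posts(conn)
```

Running `demo()` returns `{2: ['http://hacked-site.invalid/cssminibar.js', 'http://other-hacked.invalid/sidename.js']}`; row 3 shows that content full of quotes is stored unchanged when bound as a parameter.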
[ViRobot Detection Names]