[Infection Chain]
Step 1: http://www.mysql.com
Causes the visiting browser to load the following:
Step 2: http://mysql.com/common/js/s_code_remote.js?ver=20091011
This is the injection point. The entire content of the above .js file can be found here.
The injected section is shown in the above screenshot. The decoded version is as follows:
Step 3: http://falosfax.in/info/in.cgi?5&ab_iframe=1&ab_badtraffic=1&antibot_hash=1255098964&ur=1&HTTP_REFERER=http://mysql.com/
Throws out a 302 redirect to Step 4.
Step 4: http://truruhfhqnviaosdpruejeslsuy.cx.cc/main.php
This domain hosts the BlackHole exploit pack. It exploits the visitor's browsing platform (the browser, the browser plugins like Adobe Flash, Adobe PDF, etc, Java, ...), and upon successful exploitation, permanently installs a piece of malware into the visitor's machine, without the visitor's knowledge. The visitor doesn't need to click or agree to anything; simply visiting mysql.com with a vulnerable browsing platform will result in an infection.
Currently, 4 out of 44 vendors on VirusTotal can detect this piece of malware.
[The Attacker]
We don't know much at this point. The following are information regarding the associated malicious domains.
falosfax.in (Step 3)
Address: 212.95.63.201
Location: Germany / Berlin
Created On:20-Jun-2011 13:17:05 UTC
Sponsoring Registrar:Transecute Solutions Pvt. Ltd. (R120-AFIN)
Registrant Name:CHRISTOPHER J KLEIN
Registrant Street1:7880 SW 132 STREET
Registrant City:MIAMI
Registrant State/Province:Florida
Registrant Postal Code:33156
Registrant Country:US
Registrant Phone:+1.3053771635
Registrant Email:cjklein54@yahoo.com
Admin ID:TS_14483505
Admin Name:CHRISTOPHER J KLEIN
Admin Organization:N/A
Admin Street1:7880 SW 132 STREET
Admin Street2:
Admin Street3:
Admin City:MIAMI
Admin State/Province:Florida
Admin Postal Code:33156
Admin Country:US
Admin Phone:+1.3053771635
Admin Phone Ext.:
Admin FAX:
Admin FAX Ext.:
Admin Email:cjklein54@yahoo.com
Tech Email:cjklein54@yahoo.com
Name Server:NS1.SKYNS1.NET
Name Server:NS2.SKYNS1.NET
truruhfhqnviaosdpruejeslsuy.cx.cc (Step 4)
Address: 46.16.233.108
Location: Sweden / Stockholm
The mysql.com website is as of now, still serving this exploit and malware.
We're in the process of contacting mysql.com. If anyone have contacts to them, please drop us an email at wayne@armorize.com
PS: Armorize is hiring presales in the bay area: http://www.linkedin.com/jobs/post?displayJobStatus=&jobId=1910971&split_page=1
Share this: | 
|
Posts
50 comments:
so what if someone went to mysql.com, how would he get rid of it?
Does it infect every system or only Windows?
mysql.com acted very fast. malcode in the .js is already deleted
Yes!
Just windows.
Sorry @90bbab3da568b956a3861e7a1ca45e6c , we haven't had time to analyze this part yet
So what file(s) should I look for to see if I might be infected?
http://dev.mysql.com/doc/ was infecting also?
Is the file monitor tool you used in the MySQL.com video available somewhere to purchase?
Hey Wayne,
Just wondering how did the .exe run all by itself when you visited the site? I mean it would require some sort of admin approval before it executes say on Windows 7 machines.
-Ganesh
Are you aware if this is limited to certain versions of windows and is it x86/x64 specific?
The exe is run by exploiting the browser with javascript / flash actionscript / PDF jscript / java exploit / etc. Many exploits have the ability to turn DEP off so they'd still work on Win7.
No, it's a little tool I wrote myself for demo purposes. Not good enough to be released, and also it relies on some of the features of our scanning VM. You can use tools from sysinternals--free and more powerful.
Look for and delete files starting with "xth" under: C:\Documents and Settings\your_user_name\Local Settings\Temp (replace "your_user_name" with your login user name in Windows)
The blackhole exploit pack supports a wide variety of exploits, so the actual exploit you get served, depends on the platform you use for browsing
We have to check but yes should be, because it causes the browser to load the same infected file: http://dev.mysql.com/common/js/s_code_remote.js?ver=20091011
Thank you.
Was this exploit specific to any particular browser?
If I started using Firefox inside a Sandboxie Sandbox, would I be protected? I.e., is that a good general practice?
Do you mean FileMon?
FileMon is discontinued, I think Process Explorer
IT journalist Brain Krebs is proud that he had 5 days advanced knowledge of this very attack by the russians and he did not notify either FBI or the victim. Please assist Uncle Sam in bringing Mr. Krebs to military justice for treason and being an accomplice of foreign enemies in times of war. Please make sure he gets to rot in SuperMax for the rest of his life! I am appaled by the cavalier approach USA takes versus organized cybercrime that is actually run by the russian-ruffian and chinese states.
How will USA fulfill its duty to protect my hungarian country within the mutual defence framework of the NATO when USA is crippled by red cyber-attacks? The fact that US citizens fail to report foreign schemes to attack US companies to the FBI speaks volumes of the moral decline of USA. Over 150 years ago President Jackson said USA was built upon universal respect on three institutions: the flag, motherhood and capital punishment. The third leg is very weak nowadays, else scum like Mr. Krebs would not dare to make profits by watching ruffian-russian organized e-criminals attack US entities.
Some do that, but some not. If you have info on CVE database, you can see vulnerability's targets.
I have Windows 7, all updates, IE9, newest Java Version 7 (newest Flash), newest Norton 360 and so on..
Am I protected?
Thanks.
Wow what a nutjob you are.
Malware, only one AV detected it.
Likely, if you also keep these up-to-date: a) Adobe Flash b) Adobe PDF c) Java d) real player (if you have one)
That's generally a good practice as long as you do not access any private data or conduct transactions inside that sandbox. Basically that sandbox would be for browsing only. To access gmail facebook etc use another sandbox that you don't use for browser arbitrary websites.
The blackhole exploit pack serves different exploits depending on the browsing platform. In the video I used XP + IE 6 + Java, and therefore I was served with a corresponding exploit that would work against this particular combination. If I use a different combination I can be served with a different set of exploits.
Yes, process explorer is very useful. But for a demo it's too complicated and that's why I wrote the little tool.
Hi @Iwwaty Jtsysa what do you mean?
hello wayne, in the video, the blackhole kit exploit a particular vulnerability in java or just use java to execute a exe file like the classical case but without the pop-up of authorization?
Thanks, and sorry for my bad english
Would a visitor to the malicious site still be infected if his computer was fully up to date with all patches for Windows 7, IE9, flash, java, adobe reader etc?
thanks
I'll be happy to analyse the malware if you upload it somewhere.
Nothing new, Java exploit is known for a while. The guys at Mysql shoul really check their security holes more often
Would NoScript or other Firefox plugin prevent the infection?
Can we have a copy :)
What is the latest? Has mysql.com regained control?
Does this work when downloading with wget for windows?, because in this case java and web browser have nothing to do here but wget does html consuts...
Que es Esto?
I visited that site, but I was taking computer infection precautions at the time - I was standing on a rubber mat inside a cardboard box and was wearing a cap made of aluminium foil on my head. Will that have been sufficient to protect my computer?
FileMon is now Process Monitor. Very, very powerful tool.
Hi Max! I like Your "ANTYVIRUS way of life" :) I would do the same - mean the box and the rubber mat are OK - but I`m not sure of the aluminium cap.. Aren`t you afraid that the "mysql.com" electrons (or even protons - who knows?) might jump through the aluminium directly into one`s brain?!? Or even maybe already have and stay there for EVER..!! making ones a "mysql.com" ZOMBI slave or something like? No!! I will not use the alumimnium cap - I will use a PLASTIC one! Ha... and for any case will not visit that place:)
PS Wayne - good job! Max - good joke:)
I say start prosecuting the EVIL people who do this kind of thing, find them, first offense 3 years maybe, IF they are proven guilty, but second offense life in prison without any hope of ever seeing a computer again.
They are not showing their intellect to be superior to others, though some do it for money, they are Hurting innocent people a LOT of innocent people, many poor people who can not afford new computers or to lose their bank accounts due to keyloggers etc. FIND THEM Prosecute them.
I found your site about 2 weeks ago when I was struggling to get rid of a virus. I have a learned a lot! (though some of it is over my head) I got a lot of great help here, and at this website: http://myvirusremoval.com/
Hi Wayne,
Process explorer is cool but your file monitor tool is very easy to use and follow. Are you going to share this.. For us (IT), we need that type of tool which does not complicate things..
Life in prison??? What's the matter with you?
my sql projects and my sql online live interactive training athttp://bit.ly/wXKHod
Yes definitely JJ...
[url=http://huntwood.com/kitchen-cabinets/?p=283]Kitchen Cabinet Doors[/url]
Post a Comment