Norwegian Honeynet Project


A chapter of the Honeynet Project

Looking at some SQL-injection attacks

November 11th, 2008 by erlend. Filed under: Analysis, News

Using the techniques described in mkrakvik's post, I have been looking at the results of quite a few SQL-injection (and XSS) attacks successfully performed against Norwegian and Danish servers.

The attacks have several common properties:

  • a JavaScript is injected into the attacked page
  • the script is obfuscated
  • the script loads several iframes and further scripts
  • the end exploits are ActiveX, Flash (.swf) or PDF (.pdf) attacks

The JavaScripts

The JavaScripts usually point to a Russian or Chinese server. They are obfuscated in different ways. Some simply URL-encode the actual script and recover it at runtime with unescape() and eval(), while others use more complex decryption functions: long encrypted strings that are decrypted by shifting parts of the string and combining the parts in different ways.

The first script usually loads several other scripts from further servers, often addressed by IP rather than by hostname. Many of these servers are probably zombies, and a lot of them were no longer serving any scripts (the zombies may have been cleaned out). The attackers pull scripts from several different servers in case one of their zombies goes down, so it is basically a "hacker cluster" for availability.

End exploits

The end scripts usually contain several different attacks. I have seen scripts trying to exploit up to ten different ActiveX components, and many of the scripts use both ActiveX and Flash (.swf) attacks.

One of the attacks (gcounter.cn) had two ActiveX attacks downloading two .exe files, two Flash files and one PDF. The first .exe file was detected by 22/36 vendors at virustotal.com; the other four files had much lower detection ratios, and one of the Flash movies was not detected at all. This attack was also analyzed by Morten Kråkvik, who created this interesting picture. His full post is available in Norwegian here: Malware og drive-by exploits

Another attack (found on, among others, yahoo-union.cn and www.jmlrmg.com) had six different Flash movies for IE and six for Firefox, a total of 12 Flash movies targeting different versions of Flash. On average they were detected by 3/36 of the antivirus vendors on VirusTotal. I re-uploaded one of the Flash files three weeks after the initial upload, and it is now detected by 13/36 vendors: virustotal analysis

Protecting your browser and your web site users

  1. Keep your web sites free of SQL-injection and XSS vulnerabilities: OWASP has good resources on SQL-injection and XSS mitigation
  2. Focus on security during the entire development project, not just at the beginning or at the end
  3. Let your developers take security training. Security can only be achieved through collaborative effort; it is not the responsibility of a single person
  4. Keep up to date on all web browser, browser plugin and OS patches.
  5. Keep your antivirus up to date (some of the exploits I found were "old" and detected by most of the vendors)
  6. Don't visit links you get in emails, social networks or on IM without verifying that they are actually from the person they claim to be.
  7. Consider using the NoScript plugin if you are an advanced Firefox user
