SQLi Leads to Waves of Mass Compromises

Written by: Jovi Umawing

How do users get this Web threat?

Systems get infected with various binaries once users visit a site whose content has been injected with a malicious script via MySQL. In this attack, the injected scripts direct users to either http://{BLOCKED}.robint.us/u.js or http://{BLOCKED}77.in/yahoo.js, both of which are malicious URLs. The first URL is related to the first wave of SQL injection (SQLi) attacks, which hit more than 100,000 websites, including popular news sites such as The Wall Street Journal and the Jerusalem Post. The second URL is related to the second wave of SQLi attacks, which targeted a notably smaller number of less prominent sites (around 1,000).
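Because the injected tag lives in database text fields rather than in page templates, a site owner checking for this compromise needs to search the stored content itself. The following is an added example, not code from the advisory or from Trend Micro: it walks every text column of a database and reports rows carrying a script tag that points at the two hosts named above. It uses SQLite as a stand-in for the site's real backend, keeps the advisory's own "{BLOCKED}" redaction placeholder literally (substitute the real hosts for a live scan), and the sample table is constructed for the demonstration.

```python
import re
import sqlite3

# Script hosts named in the advisory. "{BLOCKED}" is the advisory's own redaction
# placeholder and is kept literally; substitute the real hosts in a live scan.
INDICATOR_HOSTS = [r"\{BLOCKED\}\.robint\.us", r"\{BLOCKED\}77\.in"]

# A <script> tag whose src points at one of the indicator hosts, as it appears
# once the injection has appended it to a stored text value.
INJECTED_TAG_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?\s*(https?://(?:%s)/[^\"'\s>]*)"
    % "|".join(INDICATOR_HOSTS),
    re.IGNORECASE,
)


def find_injected_urls(text):
    """Return every indicator script URL embedded in one text value."""
    return INJECTED_TAG_RE.findall(text or "")


def scan_text_columns(conn):
    """Walk every text column of every table; report (table, column, rowid, url) hits."""
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        # PRAGMA table_info rows: (cid, name, type, notnull, dflt_value, pk)
        cols = [r[1] for r in conn.execute('PRAGMA table_info("%s")' % table)
                if (r[2] or "").upper() in ("TEXT", "VARCHAR", "NVARCHAR", "CLOB")]
        for col in cols:
            for rowid, value in conn.execute('SELECT rowid, "%s" FROM "%s"' % (col, table)):
                for url in find_injected_urls(value if isinstance(value, str) else ""):
                    findings.append((table, col, rowid, url))
    return findings


def build_sample_db():
    """Constructed sample data (hypothetical, not from the advisory): a tiny CMS table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Quarterly results", "Plain article body, nothing injected."),
        ("Sports roundup</title><script src=http://{BLOCKED}.robint.us/u.js></script>",
         "Body text untouched."),
        ("Weather", "Body<script src=\"http://{BLOCKED}77.in/yahoo.js\"></script>"),
    ])
    return conn


if __name__ == "__main__":
    for hit in scan_text_columns(build_sample_db()):
        print("table=%s column=%s rowid=%s url=%s" % hit)
```

Any hit is a row to restore from a clean backup, and the web application that wrote it is the place to look for the unparameterised query that let the injection through.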

What happens once the threat gets inside computers/networks?

Though there are two SQLi waves involved in this mass compromise attack, the payload is the same on both instances.

In the first wave, site visitors are led to download a malicious file that Trend Micro detected as TROJ_DLOAD.VAC, a downloader. This Trojan then downloads a file that is detected as TSPY_GAMETHI.QJB. In the second wave, site visitors are led to download and execute the malicious scripts JS_IFRAME.AUW and HTML_SHELLLOAD.B, and then TROJ_SMALL.NSZ. This Trojan then downloads TSPY_LEGMIR.JW.

How are users/networks affected by this threat?

TSPY_GAMETHI.QJB and TSPY_LEGMIR.JW are Trojan spyware notable for stealing online information, such as user names and passwords, from affected systems. They specifically target online gamers of Aion Online, Dungeon Fighter, and World of Warcraft (WoW). These are massively multiplayer online role-playing games (MMORPGs) in which players from all over the world converge and play simultaneously in a virtual game world.

What is the driving force for this threat?

Cybercriminals are after users' online information related to the aforementioned games. In the 2008 Trend Micro white paper entitled "Virtual Worlds", researchers revealed that these cybercriminals are "using them for fraud and other illegal activities, including money laundering", since several MMORPGs allow players to trade virtual money and goods using real-world currency. Two other forms of economy within simulated game worlds are currently rampant, and both involve the use of other players: a strong clan (also known as a "guild") within a game environment can recruit other players to accumulate points or acquire special or rare items, which can then be used either to reward other players or to trade with other clans.

What is different in this attack?

These waves of SQLi attacks may carry with them an element of deception. Such is the case of the Jerusalem Post, where the online news site itself has reported that a group of pro-Palestinian cybercriminals attempted to hack its site less than two weeks before the mass compromise happened. What users need to note, however, is that these recent mass compromises target specific sites with certain common attributes: the target sites are hosted on Microsoft IIS servers and use ASP.NET applications.

Are Trend Micro users protected from this threat?

Yes. Solutions supported by the Trend Micro™ Smart Protection Network™ can detect and prevent the execution of the malicious files TROJ_DLOAD.VAC, TSPY_GAMETHI.QJB, JS_IFRAME.AUW, HTML_SHELLLOAD.B, TROJ_SMALL.NSZ, and TSPY_LEGMIR.JW via File Reputation Technology. It also protects users by blocking access to malicious sites via Web reputation as well as phone home attempts where an infected computer tries to upload stolen data or download additional malware from command-and-control servers.

What can users do to prevent this threat from entering computers?

It is best for users to remain wary of the sites they visit. Online gamers who play Aion Online, Dungeon Fighter, and World of Warcraft (WoW) should also be vigilant in keeping their gaming accounts secure by using only strong passwords and changing them as needed.

Non-Trend Micro users can also stay protected via HouseCall, a free tool that identifies and removes all kinds of viruses, Trojans, worms, unwanted browser plug-ins, and other malware from affected systems. The Web Protection Add-On, a tool that provides pro-active protection from Web threats like SQLi attack infections, can also be downloaded for free.