Researchers warn of mass 'meshing injection' attack

Wayne Huang and the research team at Armorize have discovered a mass SQL injection coupled with a drive-by download, which they describe as a "mass meshing injection" attack.

In a phone call this morning, Huang described the attack this way:

--Mass Meshing Injections are unlike Mass SQL injection attacks such as Lizamoon, which are easily detected due to a low number of malicious redirector domains that can be easily detected and then have signatures assigned to them.

--Mass Meshing Injection avoids detection because there are no malicious redirectors in use and every redirector itself is an infected domain, making blacklisting difficult and prone to false alarms.

The company released a detailed blog post on the attack this afternoon. Here's an excerpt:

When our HackAlert backend lights up like a Christmas tree we know something's going on. This time we want to report a new type of mass-scale drive-by download attack that we'll dub "Mass Meshing Injection" to contrast with "Mass SQL Injection." We've been seeing it since mid-January of this year and its usage has been on the rise. We believe it's been developed by CreateCSS group.

Mass SQL Injections have been quite the same ever since our initial report in 2008. Basically, a mass-scale SQL injection is launched, injecting a large number of websites with a malicious script or iframe that would cause the browser to load from a malicious site, which can be a hop point to another malicious site, until finally, exploit code is loaded from the exploit site, the browser is exploited, and malware is installed without the victim's knowledge.

We'll be using the recent lizamoon incident to compare the differences between Mass SQL Injections and Mass Meshing Injections.

But first we must note here that lizamoon wasn't a typical Mass SQL Injection--it was less infectious than a typical Mass SQL Injection. Two reasons:

A. Instead of injecting iframes or script srcs to have the browser "secretly" load the malicious content, lizamoon's javascript redirected the browser to the final malicious site, therefore making it easier for visitors to notice the attack.

B. Mass SQL Injections often serve (0day) drive-by downloads, which would automatically install malware without user knowledge. Simply visiting an infected page would result in installation of malware.

Instead, Lizamoon served Web-based fake anti-virus scripts, meaning that the user would have to be tricked into downloading the malware to disk and executing it. So instead of doing nothing, the victim has to first "Save As" and then "Run."

Although it doesn't completely resemble a typical Mass SQL Injection attack, lizamoon attracted great attention recently, and therefore we decided to use it here for comparison.

The post continues:

In Mass SQL Injections, scripts or iframes are injected into innocent victim sites, that cause the browser to load malicious content from the "redirectors," which are domains registered by the attacker.

In lizamoon's case, there were only a dozen or more redirector domains, most of which were registered by the same person ("James Northone" jamesnorthone@hotmailbox.com) and hosted on the same network.

These redirectors then redirected the browser to a single location, defender-uqko.in, which served the actual attacking javascript that tried to trick the user into downloading and executing the malware.

This linking strategy, adopted by typical Mass SQL Injection attacks, is easy to detect. Security vendors can signature the dozen-or-so redirector domains. The key here is that the redirector domains all belong to the attacker, and the number is small.

So security vendors can simply blacklist these domains forever and not worry about false alarms when these redirector domains "become clean again"--because they won't.

To defeat this, Mass Meshing Injection does the following:

A. Every infected website contains a redirector script in the root directory; in this case it is sidename.js. This is an obfuscated script that will dynamically generate an iframe to the exploit server, in this case, frankieeus.ru, gaufridboris.ru, stephanos.ru, all hosted on the same IP 89.208.149.214. It runs the BlackHole exploit and serves drive-by downloads.

B. Every infected website is injected, in their pages, with a script src tag pointing to another random infected website's sidename.js.

And so the end result is, inside the infected webpages, there are no more statically injected "malicious redirectors" that security vendors can detect. Every redirector is itself an infected domain, which means blacklisting becomes more difficult and prone to false alerts.

Fortunately for this time, the name of the redirector file is still fixed--sidename.js--which can be signatured. If in the future this further changes to a dynamically generated name, detection will be made even more difficult.
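The file-name signature described above, as an added example (not code from Armorize or HackAlert): it flags pages that load a root-level sidename.js from another host and records both ends of each reference, since by the post's description the referencing page and the referenced site are both infected. The .example hosts and sample pages are constructed, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

REDIRECTOR_PATH = "/sidename.js"  # fixed root-level file name reported in the post


class ScriptSrcs(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src:
            self.srcs.append(src.strip())


def mesh_edges(page_url, html):
    """Return (page_host, redirector_host) pairs for cross-site sidename.js loads."""
    parser = ScriptSrcs()
    parser.feed(html)
    page_host = (urlsplit(page_url).hostname or "").lower()
    edges = []
    for src in parser.srcs:
        target = urlsplit(urljoin(page_url, src))  # resolves relative and // URLs
        host = (target.hostname or "").lower()
        # Signature: the fixed file name, in the site root, on a different host.
        if host and host != page_host and target.path.lower() == REDIRECTOR_PATH:
            edges.append((page_host, host))
    return edges


def implicated_hosts(pages):
    """Union of both ends of every edge: injected pages and redirector hosts."""
    hosts = set()
    for url, html in pages.items():
        for edge in mesh_edges(url, html):
            hosts.update(edge)
    return hosts


# Constructed sample pages (hypothetical hosts, not taken from the Armorize list).
PAGES = {
    "http://shop-a.example/index.html":
        '<html><script src="http://blog-b.example/sidename.js"></script></html>',
    "http://blog-b.example/post/1":
        '<p>hi</p><SCRIPT SRC="//forum-c.example/sidename.js"></SCRIPT>',
    "http://clean-d.example/":
        '<script src="/js/app.js"></script>'
        '<script src="http://cdn.example/lib/sidename.js"></script>',
}

if __name__ == "__main__":
    print(sorted(implicated_hosts(PAGES)))
```

Because the match is on the path rather than the host, it keeps working as the referenced host changes from page to page, which is exactly where a domain blacklist fails.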

The Armorize blog post lists some 700 infected URLs they discovered during the investigation. Huang singled out the following as some of the most important details:

Using the 700 URL samples and Google blacklisting as an example, 70 percent of the infected sites were not flagged, 20 percent were flagged due to Mass Meshing Injection (sidename.js), and another 10 percent was either already flagged a long time ago, or was flagged recently due to other compromises.

Finally, as for the actual number of infections of this particular incident, we do not know yet. We just kicked off our scanner to scan Alexa's top one million sites and are expecting results in a day or two. Based on this sampling and the number of sites on the Internet (205M according to NetCraft), we can estimate the number of infections.

From results so far, it looks like it will be above 20,000 and under 30,000 websites. Note that this is a solid list with the exact proof of the infection, and that the number is of individual websites (domains) and not individual pages.

See the full Armorize blog post HERE.

--Bill Brenner

Copyright © 2011 IDG Communications, Inc.
