SQL Injection Attacks and Exploitation of Adobe Flash Player Vulnerabilities
A new wave of SQL injection attacks has been observed exploiting Adobe Flash Player vulnerabilities. Some of the malicious domains used in these attacks are hosted on fast-flux DNS.
Online gamers appear to be the primary target of the attack, but the payload can be changed dynamically by the attackers.
Using SQL injection attacks, websites have been compromised and injected with malicious scripts. These scripts redirect users to a malicious URL hosting ShockWave (SWF) files that exploit Adobe Flash Player vulnerabilities. Successful exploitation downloads Trojans onto the vulnerable system.
The infected website checks the victim's browser type in order to serve the appropriate exploit.
A recent script injected into websites through SQL injection is “hxxp://en-us18 DOT com/b DOT js”.
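As an added example (not part of the advisory), the following Python scans stored page content for the two artefacts described above: a `<script src=...>` tag pointing at a host outside the site's own allowlist, as left behind by the SQL injection, and `.swf` references whose file name embeds a Flash Player version string such as WIN 9,0,115,0. The sample HTML, loader script and host names are constructed for the example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample of a page whose stored content was tampered with through
# SQL injection; host names are placeholders, not the advisory's indicators.
SAMPLE_HTML = """<html><body>
<h1>Guild news</h1><p>Raid schedule updated.</p>
<script src="/static/site.js"></script>
<script src=http://injected.example/b.js></script>
<p>Patch notes</p><script src="http://cdn.example/jquery.js"></script>
</body></html>"""

# Constructed sample of a loader script that picks an SWF by Flash version.
SAMPLE_LOADER_JS = (
    'var v = "WIN 9,0,115,0";\n'
    'document.write(\'<embed src="http://injected.example/WIN%209,0,115,0ie.swf">\');'
)

# src attribute of any <script> tag, quoted or unquoted (mass-injected
# tags were often unquoted, which some HTML parsers mishandle).
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.I)

# .swf file names embedding a Flash Player version string such as
# "WIN 9,0,115,0" (with a space, %20 or nothing after WIN).
SWF_VERSION_NAME = re.compile(r'\bWIN(?:\s|%20)*\d+(?:,\d+){3}\w*\.swf', re.I)


def external_script_sources(html, allowed_hosts):
    """Return script src URLs whose host is not in allowed_hosts.

    Relative paths (no host) are treated as the site's own scripts.
    """
    allowed = {h.lower() for h in allowed_hosts}
    suspicious = []
    for src in SCRIPT_SRC.findall(html):
        host = urlsplit(src).netloc.lower()
        if host and host not in allowed:
            suspicious.append(src)
    return suspicious


def version_named_swf(text):
    """Return .swf names that encode a Flash Player version string."""
    return SWF_VERSION_NAME.findall(text)


if __name__ == "__main__":
    for src in external_script_sources(SAMPLE_HTML, ["cdn.example"]):
        print("injected script reference:", src)
    for swf in version_named_swf(SAMPLE_LOADER_JS):
        print("version-named SWF loader:", swf)
```

Run the same two checks over exported database columns that hold HTML, since the injected tag lives in the stored data, not in the site's template files.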
ShockWave files with the following names have been found on the websites:
- ie1.swf
- ie2.swf
- 1231.swf
- 1232.swf
- 4561.swf
- 4562.swf
- i1232.swf
- i1231.swf
- flash1.swf
- flash2.swf
- WIN 9,0,115,0i.swf
- WIN 9,0,115,0f.swf
- WIN %209,0,115,0ie.swf
- WIN %209,0,115,0ff.swf
Websites reported to be exploiting the Adobe Flash Player vulnerability are listed below:
In view of the massive scale of the attack and the high damage potential of the malware, website administrators and users are advised to implement the following countermeasures.
Website administrators:
- Enable request validation by setting validateRequest="true" in the Page directive or in the configuration section.
- Input Filtering: Properly sanitize user input data.
- Comment out malicious code: any injected scripting content should be “safely” commented out.
- Avoid cross-site scripting appended to URLs by using a special character such as #, e.g. http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)<script>
- Output Filtering: Filter user data when it is sent back to the user's browser.
- Disable client side scripting.
- Use Signed Scripting: implement “signed scripting” such that any script with an invalid or untrusted signature will not run automatically.
System Administrators and Users:
- Apply the patches/updates to address vulnerabilities in Adobe Flash Player
- Block access to above mentioned domains.
- Disable JavaScript and ActiveX scripting in the browser settings. Use the NoScript extension with the Firefox browser.
- Keep up-to-date on patches and fixes on the OS and application software.
- Install and maintain updated anti-virus software at the gateway and desktop level.
- Exercise caution even when visiting trusted websites.