Threat Level: green Handler on Duty: Pedro Bueno

SANS ISC InfoSec Handlers Diary Blog



SQL Injection Worm on the Loose (UPDATED x2)

Published: 2008-05-06
Last Updated: 2008-05-07 14:02:48 UTC
by John Bambenek (Version: 1)

A loyal ISC reader, Rob, wrote in to point us at what looks to be a SQL injection worm that is on the loose.  A quick Google search shows about 4,000 infected websites, and the worm has been active since at least mid-April, if not earlier.  Right now we can't speak intelligently to how they are getting into databases, but what they are doing is inserting scripts and iframes to take over visitors to the websites.  User machines appear to be infected through Real Player vulnerabilities, which seem to be detected pretty well, more or less.

The details: the script source that is injected into web pages is hxxp://winzipices.cn/#.js (where # is 1-5).  This, in turn, points to a corresponding ASP page on the same server (i.e. hxxp://winzipices.cn/#.asp), which in turn points back to the exploits, served from either the cnzz.com domain or the 51.la domain.  The cnzz.com domain (hxxp://s141.cnzz.com) looks like it could be set up for single flux, but right now it is the same pool of IP addresses all the time.  hxxp://www.51.la just points to 51la.ajiang.net, which has a short TTL, but only one IP is serving it.

Fair warning: if you Google these hostnames, you will find exploited sites that will try to reach out and "touch" you... even if you are looking at the "cached" page.  Proceed at your own risk.

UPDATE: We're also seeing this website serving up some attacks in connection with this SQL worm (hxxp://bbs.jueduizuan.com).

UPDATE x2: As usual, the good folks at ShadowServer have a good write-up on the details of everything after the SQL injection (i.e. what malware gets dropped, IPs involved, etc).
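To check your own pages or database text fields for the injected references described above, here is a small scanner, added as an example and not part of the original diary. It assumes the content is available as HTML text; the host list is taken from this entry, and the names `DIARY_HOSTS`, `InjectionScanner` and `scan` are illustrative.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts named in this diary entry (the injected <script> points at winzipices.cn).
DIARY_HOSTS = {"winzipices.cn", "s141.cnzz.com", "www.51.la",
               "51la.ajiang.net", "bbs.jueduizuan.com"}
# Injected script path as described in the entry: /#.js where # is 1-5.
INJECTED_JS = re.compile(r"^/[1-5]\.js$", re.IGNORECASE)


class InjectionScanner(HTMLParser):
    """Collects script/iframe sources that reference hosts from the diary."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        try:
            # Accept defanged (hxxp) URLs as well as live ones.
            url = urlsplit(src.strip().replace("hxxp", "http", 1))
        except ValueError:
            return
        host = (url.hostname or "").lower()
        if host in DIARY_HOSTS:
            exact = (tag == "script" and host == "winzipices.cn"
                     and bool(INJECTED_JS.match(url.path)))
            self.hits.append((tag, host, url.path, exact))


def scan(text):
    """Return (tag, host, path, matches_injected_pattern) for each hit."""
    scanner = InjectionScanner()
    scanner.feed(text)
    scanner.close()
    return scanner.hits


# Constructed sample: a database text field as it might be rendered into a page.
SAMPLE = ('Spring catalogue<script src=http://winzipices.cn/3.js></script>'
          '<SCRIPT SRC="http://cdn.example.org/site.js"></SCRIPT>'
          '<iframe src="http://bbs.jueduizuan.com/" width=0 height=0></iframe>')

if __name__ == "__main__":
    print(scan(SAMPLE))
```

A hit whose last field is `True` matches the injected script exactly as described; other hits reference a host from this entry and deserve a manual look.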

---
John Bambenek / bambenek \at\ gmail /dot/ com


Windows XP Service Pack 3 Released

Published: 2008-05-06
Last Updated: 2008-05-06 20:10:06 UTC
by John Bambenek (Version: 1)

Microsoft, it appears, has just released Windows XP Service Pack 3.  For the most part, it is a bundle of all the updates since Service Pack 2, but there are some key differences.  First, the big gotcha:

If you are an IE 6 user, SP3 will simply update your IE 6 installation.  You will continue to be able to upgrade to IE 7 as an option.

If you are an IE 7 user, it will update your IE 7 installation.  HOWEVER, you will NOT be able to go back to IE 6 after applying this service pack.

If you are an IE 8 (beta) user, you will need to uninstall IE 8, apply the service pack, and then reinstall IE 8.

This link has a list of all the Knowledge Base articles that this service pack addresses.  One of the bigger notes is that it retrofits some of the Vista functionality into XP, namely in the areas of Network Access Protection, Black Hole Router Detection, enhanced security for administrator and service policy entries (basically some better default settings) and a kernel mode crypto driver.  Additionally, some of the "optional" updates released since SP2 will be installed with SP3 (MMC 3.0, MSXML6, WPA2 support, etc).

The good news is that TechNet provides installation media that can be used to slipstream install the service pack so workstations can be updated off the net.

---
John Bambenek / bambenek \at\ gmail /dot/ com

 


Industrial Control Systems Vulnerability

Published: 2008-05-06
Last Updated: 2008-05-06 20:05:51 UTC
by Marcus Sachs (Version: 1)

While a day does not go by without many public announcements of vulnerabilities in consumer and business software, it is rather rare when we hear about something wrong with software that is used to monitor or control industrial systems.  Commonly called SCADA (Supervisory Control And Data Acquisition) or PCS (Process Control System), these are the systems that monitor and operate oil and gas refineries, large manufacturing plants, assembly lines, railroads, electrical grids, and countless other industrial processes.

Core Security announced yesterday that there is a Denial of Service vulnerability in the Invensys Wonderware InTouch SuiteLink service running in Windows operating systems, specifically slssvc.exe. According to Core, this vulnerability "could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario."

According to Wonderware's website, "Wonderware is the leading supplier of industrial automation and information software solutions. One third of the world’s plants run Wonderware software solutions. Having sold more than 500,000 software licenses in over 100,000 plants worldwide, Wonderware has customers in virtually every global industry — including Oil & Gas, Food & Beverage, Utilities, Pharmaceuticals, Electronics, Metals, Automotive and more."  It's no wonder that a vulnerability in their monitoring software might be something the bad guys would be very interested in.

DHS (National Vulnerability Database) rates this one pretty high and says that the vulnerability "Provides unauthorized access, Allows partial confidentiality, integrity, and availability violation, Allows unauthorized disclosure of information, Allows disruption of service."  Our advice: Patch now.

Marcus H. Sachs
Director, SANS Internet Storm Center
