A currently ongoing massive SQL injection attack has affected hundreds of thousands of web pages across the Web, ultimately monetizing the campaign through a scareware affiliate program. Such mass SQL injection attempts are usually conducted with mass vulnerability scanning tools, aided by search engines that have already crawled the vulnerable sites.
What is particularly interesting about this campaign is that the domains used all respond to the same IPs, including the portfolios of scareware domains, which the cybercriminals naturally rotate on a periodic basis. Let's dissect the campaign and expose the domain portfolios and the entire campaign structure.
UPDATED: Related SQL injected URLs courtesy of WebSense:
online-stats201.info/ur.php - Email: [email protected]
stats-master111.info/ur.php - Email: [email protected]
agasi-story.info/ur.php - 91.217.162.45 - Email: [email protected]
general-st.info/ur.php - Email: [email protected]
extra-service.info/ur.php - Email: [email protected]
sol-stats.info/ur.php - Email: [email protected]
google-stats49.info/ur.php - Email: [email protected]
google-stats45.info/ur.php - Email: [email protected]
google-stats50.info/ur.php - Email: [email protected]
google-server43.info/ur.php - Email: [email protected]
stats-master88.info/ur.php - Email: [email protected]
eva-marine.info/ur.php - 109.236.81.28 - Email: [email protected]
stats-master99.info/ur.php - Email: [email protected]
tzv-stats.info/ur.php - Email: [email protected]
milapop.com/ur.php - Email: [email protected]
SQL injected URLs:
lizamoon.com/ur.php (67,500 results) - 91.220.35.151 (AS3721); 91.213.29.182 (AS51786); 95.64.9.18 (AS50244) - Email: [email protected]
alexblane.com/ur.php (3,920 results) - Email: [email protected]
alisa-carter.com/ur.php (220,000 results) - Email: [email protected]
t6ryt56.info/ur.php (18 results) - Email: [email protected]
tadygus.com/ur.php (100 results) - Email: [email protected]
worid-of-books.com/ur.php (334,000 results) - Email: [email protected]
Upon successful redirection, the campaign attempts to load the scareware domain defender-nibea.in/scan1b/237 - 46.252.130.200 - Email: [email protected]
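As an added example (not code from the original post), here is defender-side logic for finding which rows of a site's database were hit by this campaign and cleaning them up. The redirector domains are the ones listed in the post; the payload shape it looks for, a `<script src="http://<domain>/ur.php">` tag appended to text columns (often right after a closing `</title>`), is an assumption about how the injection renders. Sample rows are constructed.

```python
import re
from collections import defaultdict

# Added example, not from the original post. The domain set below is copied from
# the post's injected-URL list; the payload layout matched by PAYLOAD_RE is assumed.

# Injected-redirector hostnames listed in the post (the /ur.php part is matched separately).
INJECTED_DOMAINS = {
    "lizamoon.com", "alexblane.com", "alisa-carter.com", "t6ryt56.info",
    "tadygus.com", "worid-of-books.com", "online-stats201.info",
    "stats-master111.info", "agasi-story.info", "general-st.info",
    "extra-service.info", "sol-stats.info", "google-stats49.info",
    "google-stats45.info", "google-stats50.info", "google-server43.info",
    "stats-master88.info", "eva-marine.info", "stats-master99.info",
    "tzv-stats.info", "milapop.com",
}

# A <script> element whose src points at <host>/ur.php, optionally preceded by a
# stray </title> (the injection closes the title to make the script load anywhere).
# Group 1 captures the host so unlisted redirectors are still reported.
PAYLOAD_RE = re.compile(
    r"""(?:</title>\s*)?<script\b[^>]*?\bsrc\s*=\s*["']?\s*(?:https?:)?//"""
    r"""([a-z0-9.-]+)/ur\.php["']?[^>]*>\s*(?:</script\s*>)?""",
    re.IGNORECASE,
)


def find_injected_hosts(text):
    """Return the hosts of all */ur.php script references in text, lowercased."""
    return [m.group(1).lower() for m in PAYLOAD_RE.finditer(text)]


def classify(text):
    """'known' if a listed domain is referenced, 'suspect' for an unlisted */ur.php
    script tag, 'clean' when no such tag is present (a bare URL in prose is not a hit)."""
    hosts = find_injected_hosts(text)
    if not hosts:
        return "clean"
    if any(h in INJECTED_DOMAINS for h in hosts):
        return "known"
    return "suspect"


def strip_payload(text):
    """Remove every injected script tag; returns (cleaned_text, number_removed)."""
    return PAYLOAD_RE.subn("", text)


def scan_rows(rows):
    """rows: iterable of (table, column, primary_key, value) from a dump of text columns.
    Returns one finding per row that is not clean."""
    findings = []
    for table, column, key, value in rows:
        if not isinstance(value, str):
            continue
        verdict = classify(value)
        if verdict != "clean":
            findings.append({"table": table, "column": column, "key": key,
                             "verdict": verdict, "hosts": find_injected_hosts(value)})
    return findings


def summarize(findings):
    """Affected-row count per redirector host, to see which URLs a site was hit with."""
    per_host = defaultdict(int)
    for f in findings:
        for h in f["hosts"]:
            per_host[h] += 1
    return dict(per_host)


# Constructed sample rows standing in for a dump of a site's text columns.
SAMPLE_ROWS = [
    ("products", "description", 1,
     'Blue widget, 10 pack</title><script src="http://lizamoon.com/ur.php"></script>'),
    ("products", "description", 2, "Plain description with no markup"),
    ("news", "body", 7,
     "<p>Story text</p><script src='http://not-on-the-list.example/ur.php'></script>"),
    ("news", "body", 8,
     '<script type="text/javascript" src="http://worid-of-books.com/ur.php"></script>Intro'),
    ("news", "body", 9, "see http://example.com/ur.php for details"),  # bare URL, no tag
]

if __name__ == "__main__":
    found = scan_rows(SAMPLE_ROWS)
    for f in found:
        print(f)
    print(summarize(found))
    print(strip_payload(SAMPLE_ROWS[0][3]))
```

Rows referencing an unlisted `*/ur.php` host are reported as `suspect` rather than dropped, since the campaign rotates redirector domains faster than any static list can track; review those before cleaning. Cleanup should be run against a backup first, because `strip_payload` also removes the `</title>` the injection inserted.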
Detection rate:
freesystemscan.exe - Trojan/Win32.FakeAV - Result: 9/41 (22.0%)
MD5 : 815d77f8fca509dde1abeafabed30b65
SHA1 : 1b3c35afb76c53cd9507fffee46fb58c29e72bc1
SHA256: cd902b92042435c2d70d4bf59acc2de8229bfc367626961f76c03f75dcd7e95c
antivirus-1091.co.cc
antivirus-1574.co.cc
antivirus-2051.co.cc
antivirus-2525.co.cc
antivirus-2932.co.cc
antivirus-3654.co.cc
antivirus-3833.co.cc
antivirus-4063.co.cc
antivirus-418.co.cc
antivirus-4303.co.cc
antivirus-4749.co.cc
antivirus-495.co.cc
antivirus-5216.co.cc
antivirus-5676.co.cc
antivirus-5802.co.cc
antivirus-6437.co.cc
antivirus-6703.co.cc
antivirus-7081.co.cc
antivirus-713.co.cc
antivirus-728.co.cc
antivirus-7357.co.cc
antivirus-8072.co.cc
antivirus-9009.co.cc
antivirus-9638.co.cc
antivirus-9667.co.cc
defender-aabv.in - Email: [email protected]
defender-aqeu.co.cc
defender-asng.co.cc
defender-atio.in - Email: [email protected]
defender-atxo.in - Email: [email protected]
defender-bcvs.in - Email: [email protected]
defender-bwuy.co.cc
defender-cron.in - Email: [email protected]
defender-ddbr.in - Email: [email protected]
defender-dteo.in - Email: [email protected]
defender-eahy.co.cc
defender-eklq.in - Email: [email protected]
defender-endl.in - Email: [email protected]
defender-ewum.co.cc
defender-eyde.co.cc
defender-fmof.in - Email: [email protected]
defender-fola.co.cc
defender-gnva.in - Email: [email protected]
defender-grlt.in - Email: [email protected]
defender-hipw.in - Email: [email protected]
defender-hjlk.in - Email: [email protected]
defender-hmfu.in - Email: [email protected]
defender-hsug.in - Email: [email protected]
defender-htlu.in - Email: [email protected]
defender-iibk.co.cc
defender-iies.co.cc
defender-iksl.in - Email: [email protected]
defender-isde.co.cc
defender-iyrc.co.cc
defender-jgnl.in - Email: [email protected]
defender-jihv.co.cc
defender-keod.in - Email: [email protected]
defender-kuts.in - Email: [email protected]
defender-kwwh.in - Email: [email protected]
defender-kzwu.co.cc
defender-labm.in - Email: [email protected]
defender-lcoh.in - Email: [email protected]
defender-nhei.co.cc
defender-nrpr.in - Email: [email protected]
defender-ojbr.in - Email: [email protected]
defender-osbi.in - Email: [email protected]
defender-pakc.in - Email: [email protected]
defender-ppdw.in - Email: [email protected]
defender-qfdx.in - Email: [email protected]
defender-qotg.in - Email: [email protected]
defender-qpwo.in - Email: [email protected]
defender-qsko.co.cc
defender-qumf.in - Email: [email protected]
defender-rlag.in - Email: [email protected]
defender-rrin.in - Email: [email protected]
defender-thga.in - Email: [email protected]
defender-ueuv.co.cc
defender-uqko.in - Email: [email protected]
defender-vflq.in - Email: [email protected]
defender-vlmj.in - Email: [email protected]
defender-vqqn.in - Email: [email protected]
defender-vxgh.in - Email: [email protected]
defender-wkiw.in - Email: [email protected]
defender-wqga.in - Email: [email protected]
defender-wrhw.in - Email: [email protected]
defender-wtln.co.cc
defender-xcre.in - Email: [email protected]
defender-xnnx.in - Email: [email protected]
defender-ykym.co.cc
movie-iirg.in - Email: [email protected]
movie-pblv.in - Email: [email protected]
movies-live-tube-jeyq.co.cc
movie-tkhk.in - Email: [email protected]
movie-tube-beym.co.cc
movie-tube-juie.co.cc
movie-ueep.in - Email: [email protected]
movieway2011.com - Email: [email protected]
movie-xbtb.in - Email: [email protected]
movie-xxnl.in - Email: [email protected]
softway2011.com - Email: [email protected]
system-scanner-boep.co.cc
system-scanner-eill.co.cc
system-scanner-eopa.co.cc
system-scanner-ewqq.co.cc
system-scanner-iaap.co.cc
system-scanner-ieyx.co.cc
system-scanner-lcyo.co.cc
system-scanner-ouny.co.cc
system-scanner-oypx.co.cc
system-scanner-qeap.co.cc
system-scanner-racv.co.cc
system-scanner-ryes.co.cc
system-scanner-tzii.co.cc
system-scanner-uemo.co.cc
system-scanner-uotu.co.cc
system-scanner-uyxt.co.cc
system-scanner-vpoo.co.cc
system-scanner-xtoi.co.cc
system-scanner-yoyx.co.cc
system-scanner-ytut.co.cc
Rotated scareware domains involved in the campaign, responding to 84.123.115.228 (AS6739; ONO-AS Cableuropa - ONO):
defender-thga.in - Email: [email protected]
defender-wqga.in - Email: [email protected]
defender-gnva.in - Email: [email protected]
defender-rlob.in - Email: [email protected]
defender-abcc.in - Email: [email protected]
defender-pakc.in - Email: [email protected]
defender-keod.in - Email: [email protected]
defender-xcre.in - Email: [email protected]
defender-qumf.in - Email: [email protected]
defender-fmof.in - Email: [email protected]
defender-uvag.in - Email: [email protected]
defender-hsug.in - Email: [email protected]
defender-vxgh.in - Email: [email protected]
defender-lcoh.in - Email: [email protected]
defender-kwwh.in - Email: [email protected]
defender-osbi.in - Email: [email protected]
defender-wbui.in - Email: [email protected]
defender-vlmj.in - Email: [email protected]
defender-hjlk.in - Email: [email protected]
defender-endl.in - Email: [email protected]
defender-jgnl.in - Email: [email protected]
defender-iksl.in - Email: [email protected]
defender-labm.in - Email: [email protected]
defender-rrin.in - Email: [email protected]
defender-sxin.in - Email: [email protected]
defender-cron.in - Email: [email protected]
defender-vqqn.in - Email: [email protected]
defender-dteo.in - Email: [email protected]
defender-uqko.in - Email: [email protected]
defender-qpwo.in - Email: [email protected]
defender-atxo.in - Email: [email protected]
defender-rlfp.in - Email: [email protected]
defender-vflq.in - Email: [email protected]
defender-eklq.in - Email: [email protected]
defender-ddbr.in - Email: [email protected]
defender-ojbr.in - Email: [email protected]
defender-drnr.in - Email: [email protected]
defender-nrpr.in - Email: [email protected]
defender-kuts.in - Email: [email protected]
defender-bcvs.in - Email: [email protected]
defender-grlt.in - Email: [email protected]
defender-hmfu.in - Email: [email protected]
defender-htlu.in - Email: [email protected]
defender-aabv.in - Email: [email protected]
defender-ppdw.in - Email: [email protected]
defender-wrhw.in - Email: [email protected]
defender-wkiw.in - Email: [email protected]
defender-hipw.in - Email: [email protected]
defender-qfdx.in - Email: [email protected]
defender-xnnx.in - Email: [email protected]
defender-xkox.in - Email: [email protected]
The scareware domains have been registered using automatically created Gmail accounts, a precaution intended to make it harder to expose the campaign by pivoting on a single registrant email.
Monitoring of the campaign is ongoing.
Related posts:
- SQL Injection Through Search Engines Reconnaissance
- Massive SQL Injections Through Search Engine's Reconnaissance - Part Two
- Massive SQL Injection Attacks - the Chinese Way
- Cybercriminals SQL Inject Cybercrime-friendly Proxies Service
- GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
- Dissecting the WordPress Blogs Compromise at Network Solutions
- Yet Another Massive SQL Injection Spotted in the Wild
- Smells Like a Copycat SQL Injection In the Wild
- Fast-Fluxing SQL Injection Attacks
- Obfuscating Fast-fluxed SQL Injected Domains