Analysis: Kevin Savage
Following on from our recent blog post on malicious Web injects affecting distribution of a malicious Android application, here is a more traditional type – but on a huge scale. Those of us in the security industry are well aware of a certain email address — jamesnorthone@hotmailbox.com — which registers domains consistently used in mass SQL-injection attacks against vulnerable Web applications. This mass SQL-injection of a malicious iFrame was dubbed Lizamoon (as a result of the domain name used during similar attacks back in 2011).
Although the domains have changed, the technique remains the same: compromise vulnerable sites on a large scale with an SQL-injection attack, so that the injected content then redirects visitors to websites hosting malicious code. Judging by the search results Google has indexed, the current wave of injection is considerable:
The IP address 31.210.100.242 has been identified in the attack and has four domains currently associated with it:
If you have visited a site with the injected iFrame, the following events will take place:
Infected site
[REDIRECTS] → hxxp://njukol.com/r.php
[REDIRECTS] → hxxp://www3.safe-defensefu.com/?f1hlu4a=[ENCODED DATA]
[REDIRECTS] → hxxp://www1.powermb-security.it.cx/ntzjc62?vjgtl=[ENCODED DATA]
[REDIRECTS] → hxxp://www1.powermb-security.it.cx/i.html
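Because this campaign works by appending an iframe (or script tag) to text columns in a site's database, a site owner's first question is whether their own stored content already carries one. The following is an added example, not code from the original post: a small Python scanner that parses stored HTML fragments and flags iframe/script tags whose source host matches the domains and IP address quoted above. The sample database rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators quoted in the post above; extend with your own blocklist.
CAMPAIGN_DOMAINS = {"njukol.com", "safe-defensefu.com", "powermb-security.it.cx"}
CAMPAIGN_IPS = {"31.210.100.242"}


def suspicious_host(url):
    """True if the URL's host is a campaign IP or a campaign domain/subdomain."""
    host = (urlparse(url).hostname or "").lower()
    if host in CAMPAIGN_IPS:
        return True
    return any(host == d or host.endswith("." + d) for d in CAMPAIGN_DOMAINS)


class InjectFinder(HTMLParser):
    """Collects iframe/script tags whose src points at a known-bad host."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")  # handles quoted and unquoted src=
        if src and suspicious_host(src):
            self.hits.append((tag, src))


def find_injected_tags(html):
    """Return [(tag, src), ...] for every injected tag found in one HTML string."""
    parser = InjectFinder()
    parser.feed(html)
    parser.close()
    return parser.hits


def scan_rows(rows):
    """rows: iterable of (table, column, primary_key, text). Returns a list of findings."""
    findings = []
    for table, column, pk, text in rows:
        if not isinstance(text, str) or "<" not in text:
            continue  # plain text cannot carry a tag; skip cheaply
        for tag, src in find_injected_tags(text):
            findings.append({"table": table, "column": column, "id": pk, "tag": tag, "src": src})
    return findings


# Constructed sample rows: one clean, one carrying a campaign-style injected iframe.
SAMPLE_ROWS = [
    ("products", "description", 1, "<p>Blue widget, 10 pack</p>"),
    ("products", "description", 2, '<p>Red widget</p></title><iframe src=http://njukol.com/r.php width=0 height=0></iframe>'),
]
```

Run `scan_rows` over the text columns of every table (a `SELECT table, column, id, value` per column is usually enough) and treat any finding as a confirmed compromise of that column, not only of the flagged row.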
The i.html file serves up two exploits:
We are currently analyzing this file and will provide further updates once we’ve completed the analysis.
Protection
Symantec protects you against this attack with the following IPS signatures:
The exploits used in this attack target known vulnerabilities that have already been patched. Please ensure you apply the latest patches and keep your antivirus up to date.