Tuesday, May 08, 2012

Dissecting the Ongoing Client-Side Exploits Serving Lizamoon Mass SQL Injection Attacks

The Lizamoon mass SQL injection attacks gang is continuing to efficiently inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving fake security software -- also known as scareware -- and client-side exploits.

The latest round of the campaign is serving client-side exploits through multiple redirections taking place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.

What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they take into consideration basic QA (quality assurance) tactics into place? Let's find out.


Currrently injected malicious domains are parked at 31.210.100.242 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:
skdjui.com/r.php - Email: jamesnorthone@hotmailbox.com
njukol.com/r.php - Email: jamesnorthone@hotmailbox.com
hnjhkm.com/r.php - Email: jamesnorthone@hotmailbox.com
nikjju.com/r.php - Email: jamesnorthone@hotmailbox.com
hgbyju.com/r.php - Email: jamesnorthone@hotmailbox.com
uhjiku.com/r.php - Email: jamesnorthone@hotmailbox.com
uhijku.com/r.php - Email: jamesnorthone@hotmailbox.com
werlontally.net/r.php - Email: jamesnorthone@hotmailbox.com

March's round of malicious domains was hosted at 91.226.78.148 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”).

The redirection takes us to these two domains: www3.topcumaster.com - 75.102.21.120 (AS23352, SERVERCENTRAL)

Parked at 75.102.21.120 are also the following domains:
www3.personal-scanera.com - Email: benji.rubes@yahoo.com
www3.personalvoguard.com - Email: benji.rubes@yahoo.com
www3.hard-zdsentinel.com - Email: benji.rubes@yahoo.com
www3.bestbxcleaner.com - Email: benji.rubes@yahoo.com
www3.topcumaster.com - Email: benji.rubes@yahoo.com
www3.safe-defensefu.com - Email: benji.rubes@yahoo.com

and www1.safe-wnmaster.it.cx - 217.23.8.123 (AS49981, WorldStream)

Parked on 217.23.8.123 are also the following client-side exploits serving domains part of the Lizamoon mass SQL injection attacks:
www1.thebestscannerdc.it.cx/i.html
www1.safebh-defense.it.cx/i.html
www1.strongdkdefense.it.cx/i.html
www2.best-czsuite.it.cx/i.html
www1.smartmasterf.it.cx/i.html
www1.simplescanerei.it.cx/i.html
www1.bestic-network.it.cx/i.html
www1.topqonetwork.it.cx/i.html
www2.topasnetwork.it.cx/i.html
www1.powerynetwork.it.cx/i.html
www1.simplemasterzk.it.cx/i.html
www1.powerneholder.it.cx/i.html
www1.personalkochecker.it.cx/i.html
www1.smarthdschecker.it.cx/i.html
www1.safebacleaner.it.cx/i.html
www1.strongzkcleaner.it.cx/i.html
www1.topumcleaner.it.cx/i.html
www1.topgdscanner.it.cx/i.html
www1.smartwoscanner.it.cx/i.html
www1.safe-wnmaster.it.cx/i.html
www1.powervmaster.it.cx/i.html
www1.top-armyvs.it.cx/i.html
www2.saveocsoft.it.cx/i.html
www1.top-zjsoft.it.cx/i.html
www1.powerdefensekt.it.cx/i.html
www1.best-scanersw.it.cx/i.html
www1.powermb-security.it.cx/i.html
www1.strongxd-security.it.cx/i.html
www1.strongbtsecurity.it.cx/i.html

Client side exploits, CVE-2010-0188 and CVE-2012-0507 in particular are served through the i.html file located on these hosts. In order for the client-side exploitation process to take place, the redirection chain must be correct, if not the server will return a "404 Error Message" when requesting a specific file part of the campaign. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no matter what happens.

Updates will be posted, as soon as new developments emerge.

Related posts:
This post has been reproduced from Dancho Danchev's blog. Follow him on Twitter.