The Lizamoon mass SQL injection attacks gang is continuing to efficiently inject malicious code on hundreds of thousands of legitimate sites, for the purpose of serving fake security software -- also known as scareware -- and client-side exploits.
The latest round of the campaign is serving client-side exploits through multiple redirections taking place once the end user loads the malicious script embedded on legitimate sites. In comparison, in the past the gang used to monetize the hijacked traffic by serving scareware and bogus Adobe Flash Players.
What are some of the currently SQL injected malicious domains? How does the redirection take place? Did they take into consideration basic QA (quality assurance) tactics into place? Let's find out.
Currrently injected malicious domains are parked at 18.104.22.168 (AS42926, RADORE Hosting), with the following domains currently responding to that IP:
skdjui.com/r.php - Email: firstname.lastname@example.org
njukol.com/r.php - Email: email@example.com
hnjhkm.com/r.php - Email: firstname.lastname@example.org
nikjju.com/r.php - Email: email@example.com
hgbyju.com/r.php - Email: firstname.lastname@example.org
uhjiku.com/r.php - Email: email@example.com
uhijku.com/r.php - Email: firstname.lastname@example.org
werlontally.net/r.php - Email: email@example.com
March's round of malicious domains was hosted at 22.214.171.124 (AS56697, LISIK-AS OOO “Byuro Remontov “FAST”).
The redirection takes us to these two domains: www3.topcumaster.com - 126.96.36.199 (AS23352, SERVERCENTRAL)
Parked at 188.8.131.52 are also the following domains:
www3.personal-scanera.com - Email: firstname.lastname@example.org
www3.personalvoguard.com - Email: email@example.com
www3.hard-zdsentinel.com - Email: firstname.lastname@example.org
www3.bestbxcleaner.com - Email: email@example.com
www3.topcumaster.com - Email: firstname.lastname@example.org
www3.safe-defensefu.com - Email: email@example.com
and www1.safe-wnmaster.it.cx - 184.108.40.206 (AS49981, WorldStream)
Parked on 220.127.116.11 are also the following client-side exploits serving domains part of the Lizamoon mass SQL injection attacks:
Client side exploits, CVE-2010-0188 and CVE-2012-0507 in particular are served through the i.html file located on these hosts. In order for the client-side exploitation process to take place, the redirection chain must be correct, if not the server will return a "404 Error Message" when requesting a specific file part of the campaign. There are no HTTP referrer checks in place, at least for the time being. What's particularly interesting about the current campaign, is that during a period of time, it will on purposely serve a "404 Error Message" no matter what happens.
Updates will be posted, as soon as new developments emerge.
- SQL Injection Through Search Engines Reconnaissance
- Massive SQL Injections Through Search Engine's Reconnaissance - Part Two
- Massive SQL Injection Attacks - the Chinese Way
- Cybercriminals SQL Inject Cybercrime-friendly Proxies Service
- GoDaddy's Mass WordPress Blogs Compromise Serving Scareware
- Dissecting the WordPress Blogs Compromise at Network Solutions
- Yet Another Massive SQL Injection Spotted in the Wild
- Smells Like a Copycat SQL Injection In the Wild
- Fast-Fluxing SQL Injection Attacks
- Obfuscating Fast-fluxed SQL Injected Domains