The mass SQL injection attack that has been ongoing for a week or so now is designed mainly to steal credentials for online games and is quite well planned and organized, experts say.
The attack, which has been using two specific domains as part of a widespread SQL injection campaign, is targeting sites running ASP.NET applications. It uses SQL injection to compromise the applications and plant malicious code on the back-end servers, according to an analysis by researchers at Armorize, a Web application security company.
The vulnerability being used in the attack is a flaw in Adobe Flash, which was publicized earlier this month and patched late last week by Adobe. Here’s how the attack works:
1. Attack vectors used in mass SQL injections were targeted and specific: pre-scanning took place beforehand, with vectors waiting to be used upon availability of a 0day.

2. Attacks targeted ASP.NET Web applications vulnerable to SQL injection and using SQL Server as the database. We note most of the fault is attributed to the vulnerable Web application itself, not IIS or ASP.NET or SQL Server. The 0day was discovered in Asia, by a known group, possibly via fuzzing. The 0day was initially used (and captured) in emails as part of targeted attacks, often against Asian personnel.

3. The 0day was leveraged in mass SQL injection attempts shortly after the POC was discovered in the wild. Exploit code involves mechanisms to defeat behavior-based analysis. Exploit generated by CuteQQ / Anhey.
The attack includes some code specifically designed to evade Web application firewalls, and it is being thrown against sites running several different versions of Microsoft’s IIS Web server software. The Armorize researchers say that the attacks look to be the work of a group using the name “dnf666,” which launched a similar mass SQL injection campaign in March.
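The two technical points above, that the injection rides on the application's own SQL handling (ASP.NET front end, SQL Server back end) and that the payloads carry encoding tricks meant to slip past Web application firewalls, are what a defender would look for in IIS request logs. The following detector is an added example and is not Armorize's tooling or anything from the campaign; the IIS W3C log lines, the client addresses and the payload shapes are constructed for illustration, and the indicator patterns are generic heuristics for the classic mass-SQL-injection form (a `DECLARE`/`CAST(0x...)`/`EXEC` stack appended to a query-string parameter). It normalizes the query string the way a WAF should (repeated URL decoding, case folding, inline-comment stripping) before matching, and decodes any hex literal so an analyst can see what the injected statement would have executed.

```python
"""Scan IIS W3C logs for mass-SQL-injection style requests.

Added example (hypothetical detector, not Armorize's code). The log excerpt,
IP addresses and payloads below are constructed sample data.
"""
import re
from typing import Dict, Iterator, List
from urllib.parse import unquote_plus

# Constructed IIS W3C extended log excerpt. Fields follow the #Fields header;
# IIS writes '+' for spaces inside cs-uri-query, so each line splits cleanly.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2010-06-10 03:12:01 10.0.0.5 GET /products.aspx id=42 80 - 198.51.100.7 Mozilla/5.0 200
2010-06-10 03:12:03 10.0.0.5 GET /products.aspx id=42;DECLARE+@S+NVARCHAR(4000);SET+@S=CAST(0x73656C6563742031+AS+NVARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.9 Mozilla/4.0 200
2010-06-10 03:12:04 10.0.0.5 GET /news.aspx cat=7%3B%64%45%63%6C%41%72%65/**/%40s+nvarchar(4000)%3Bexec(%40s)-- 80 - 203.0.113.9 Mozilla/4.0 500
2010-06-10 03:12:09 10.0.0.5 GET /search.aspx q=declare+your+independence 80 - 198.51.100.22 Mozilla/5.0 200
"""

# Generic indicators of stacked T-SQL appended to a parameter. Each is matched
# against the normalized (decoded, lower-cased, comment-stripped) query string.
INDICATORS = [
    ("declare_variable", re.compile(r"\bdeclare\s+@\w+")),
    ("hex_cast", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+\s+as\b")),
    ("exec_dynamic_sql", re.compile(r"\bexec\s*\(")),
    ("stacked_statement", re.compile(r";\s*(?:declare|exec|update|insert|set)\b")),
]


def normalize(query: str, max_rounds: int = 3) -> str:
    """Undo the usual WAF-evasion layers: nested URL encoding, mixed case,
    inline /* */ comments splitting keywords, and whitespace padding."""
    s = query
    for _ in range(max_rounds):          # peel double/triple encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = s.lower()
    s = re.sub(r"/\*.*?\*/", " ", s)     # 'DE/**/CLARE' -> 'de clare' is still caught below? no:
    s = re.sub(r"\s+", " ", s)           # collapse padding to single spaces
    return s


def decode_hex_literals(normalized: str) -> List[str]:
    """Decode 0x... literals so the analyst sees the statement the CAST hides."""
    out = []
    for hexstr in re.findall(r"0x([0-9a-f]+)\b", normalized):
        if len(hexstr) % 2:              # odd length: not a byte string
            continue
        out.append(bytes.fromhex(hexstr).decode("latin-1"))
    return out


def parse_iis_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per request line, keyed by the names in the #Fields header."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#") or fields is None:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue                     # malformed or truncated line
        yield dict(zip(fields, values))


def scan_iis_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per request whose query string trips an indicator."""
    findings = []
    for entry in parse_iis_log(text):
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue
        norm = normalize(query)
        hits = [name for name, rx in INDICATORS if rx.search(norm)]
        if not hits:
            continue
        findings.append({
            "client": entry.get("c-ip"),
            "uri": entry.get("cs-uri-stem"),
            "status": entry.get("sc-status"),
            "indicators": hits,
            "decoded_hex": decode_hex_literals(norm),
        })
    return findings


if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"{f['client']} {f['uri']} {f['status']} {f['indicators']} {f['decoded_hex']}")
```

Two requests from 203.0.113.9 are flagged: the first carries the full hex-cast stack and decodes to the (harmless, constructed) statement `select 1`; the second is percent-encoded with mixed case and a comment splitting the keyword from its variable, and still matches once normalized. The `search.aspx` request containing the word "declare" in ordinary text is not flagged, because the indicators key on T-SQL syntax (`@` variables, `CAST(0x... AS`, `EXEC(`) rather than bare keywords. Note that comment stripping replaces the comment with a space, so a keyword broken as `DE/**/CLARE` becomes `de clare` and would need an extra rule; the example handles the comment-between-tokens case it was written for.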
“DNF stands for ‘Dungeon Fighter,’ a popular online game in the Chinese community. It’s offered in Taiwan here and in China on top of the QQ platform here. dnf666.net was a platform selling (illegal) plugins to these online games. Adding these together, it’s no surprise that at the end of this article, our conclusion is the purpose of both robint.us and 2677.in attacks were aimed at stealing passwords to online games,” they wrote in their analysis.