SQL meets Fast-Flux

Whilst investigating some of the domains used as the target for the malicious script tag added to web pages in recent SQL injection attacks, one of them stood out as potentially interesting. A DNS lookup for the domain returned 8 IP addresses, distributed across IP space, all most probably compromised home machines.

Thanks to the increased use of fast-flux networks by malware authors and spammers [1], the topic has received some attention of late [2,3]. Typically, attackers use fast-flux networks to evade detection and to provide increased resilience against take-down efforts. Users are generally oblivious to the use of fast-flux networks (for example, when browsing a web page on a domain, the IP address of the machine from which the content is actually returned is not obviously ‘visible’).

In the case of the domain under investigation here, I started to monitor the IP addresses returned for that domain. Over a 20 hour period, I saw only 23 different IPs, far fewer than I was originally expecting. Fast-flux networks commonly use pools of hundreds if not thousands of IP addresses. Perhaps this is a case of slow-flux!
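The monitoring described above amounts to resolving the name repeatedly and counting how many distinct addresses turn up over time. The script below is an added example, not code from the original post, showing one way to summarise that churn: it tracks the unique IPs seen, how many distinct /16 networks they fall into (a rough measure of spread across IP space), how quickly never-before-seen addresses appear, and how much consecutive answers overlap. The resolver snapshots are constructed placeholders in the 10.0.0.0/8 range (eight addresses per answer, 23 unique over 20 hours, mirroring the figures in the text), not real observations, and the `flux_suspect` threshold is an assumed heuristic rather than anything the post defines.

```python
"""Added example: summarise A-record churn for a domain to flag fast-flux hosting."""
import ipaddress
import socket
from datetime import datetime, timedelta


def resolve_a_records(domain):
    """Live A-record lookup through the system resolver (not exercised offline).
    Returns the set of IPv4 addresses the resolver currently hands back."""
    try:
        infos = socket.getaddrinfo(domain, 80, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror:
        return set()
    return {addr[4][0] for addr in infos}


def summarise_flux(snapshots):
    """Summarise A-record churn across periodic lookups.

    snapshots: list of (datetime, iterable of IPv4 strings), in time order.
    Returns the unique-IP count, the number of distinct /16 networks, the
    observation span in hours, the rate at which never-before-seen IPs appear,
    and the mean Jaccard overlap between consecutive answers (1.0 = static
    hosting, close to 0 = the answer rotates almost completely each time).
    """
    if not snapshots:
        raise ValueError("need at least one snapshot")
    seen = set()
    overlaps = []
    previous = None
    largest_answer = 0
    for _, ips in snapshots:
        current = {str(ipaddress.IPv4Address(ip)) for ip in ips}  # validates input
        largest_answer = max(largest_answer, len(current))
        if previous is not None:
            union = previous | current
            overlaps.append(len(previous & current) / len(union) if union else 1.0)
        seen |= current
        previous = current
    span_hours = (snapshots[-1][0] - snapshots[0][0]).total_seconds() / 3600
    first_answer = len({str(ipaddress.IPv4Address(ip)) for ip in snapshots[0][1]})
    new_per_hour = (len(seen) - first_answer) / span_hours if span_hours > 0 else 0.0
    slash16 = {str(ipaddress.IPv4Network(f"{ip}/16", strict=False)) for ip in seen}
    mean_overlap = sum(overlaps) / len(overlaps) if overlaps else 1.0
    # Assumed heuristic: the pool is at least twice the size of any single
    # answer and the answers keep rotating, so the name deserves a closer look.
    flux_suspect = len(seen) >= 2 * largest_answer and mean_overlap < 0.5
    return {
        "unique_ips": len(seen),
        "distinct_slash16": len(slash16),
        "span_hours": span_hours,
        "new_ips_per_hour": new_per_hour,
        "mean_overlap": mean_overlap,
        "flux_suspect": flux_suspect,
    }


T0 = datetime(2008, 1, 1, 0, 0)


def _ips(*second_octets):
    """Build constructed placeholder addresses, one per /16, from second octets."""
    return [f"10.{n}.0.1" for n in second_octets]


# Constructed observations (not real resolver data): eight addresses per answer,
# rotating so that five lookups over 20 hours expose 23 distinct IPs.
FLUX_SNAPSHOTS = [
    (T0, _ips(1, 2, 3, 4, 5, 6, 7, 8)),
    (T0 + timedelta(hours=5), _ips(3, 4, 5, 9, 10, 11, 12, 13)),
    (T0 + timedelta(hours=10), _ips(11, 12, 13, 14, 15, 16, 17, 18)),
    (T0 + timedelta(hours=15), _ips(16, 17, 18, 19, 20, 21, 22, 23)),
    (T0 + timedelta(hours=20), _ips(1, 2, 6, 7, 8, 21, 22, 23)),
]

# Constructed control: a conventionally hosted name answering the same four
# addresses every time, so the statistics have something to be compared against.
STATIC_SNAPSHOTS = [
    (T0 + timedelta(hours=h), ["10.50.0.1", "10.50.0.2", "10.50.0.3", "10.50.0.4"])
    for h in (0, 5, 10, 15, 20)
]


if __name__ == "__main__":
    for label, data in (("flux", FLUX_SNAPSHOTS), ("static", STATIC_SNAPSHOTS)):
        print(label, summarise_flux(data))
```

To run it against a live name, call `resolve_a_records` on a schedule, append `(datetime.now(), ips)` to a list, and feed that list to `summarise_flux`; the overlap figure is the useful discriminator, since a large but stable address set (a content delivery network, say) has a high overlap while a flux pool keeps swapping members.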

All the addresses are suggestive of compromised home machines, most of them located in the United States.

[Geographic location of compromised IPs]

And what is the purpose of the attack? The malicious script tag added to legitimate web pages via the SQL injection attack attempts to load a malicious JavaScript from the remote server. This in turn loads additional malicious content, the objective of which is to infect victims with a remote access Trojan (detected proactively as Sus/Dropper-A, and now specifically as Troj/Danmec-Y).

Probing the malicious domain a little more, I found a further malicious script at the root of the domain. This attempts to exploit several client-side vulnerabilities (including QuickTime RTSP CVE-2007-0015 and MS06-006) to also infect the user with Troj/Danmec-Y. Detection for this malicious script has been added as Mal/ObfJS-AN.

Actually, in between starting and publishing this blog entry, I noticed that the payload Trojan installed by the malicious scripts has changed. No longer Danmec, but another remote access Trojan. The two files installed are now proactively detected as Mal/Heuri-E and Troj/Bckdr-QNF. Never a dull moment!