New SQL Injection Attacks Exploit Adobe Flash Flaw

May 28, 2008 – 7:52 PM

Mass SQL injection attack, take four: Yet another wave of SQL injection attacks, apparently part of the same series of attacks originating in China, is exploiting an Adobe Flash vulnerability.

The intent, as in previous attacks, has been to steal online gamers’ password credentials. But given the persistence and scope of the attacks over the past few months, researchers worry that World of Warcraft players and other gaming jocks aren’t the only users at risk in these stubborn Website attacks.

“Even if a user isn’t online-gaming, he or she could become a victim of the attack,” says Ben Greenbaum, senior research manager at Symantec Security Response. “The hostile portion of this content lives on attacker-controlled servers… and they could change their payload at any time,” injecting keyloggers or other more malicious programs to steal personal information, for instance.

Ivan Macalintal, senior research engineer for Trend Micro, agrees. “The payload… could be dynamically changed at any time [by] the remote attacker. If they want to change it to other password stealers, it would be potentially damaging to other users” besides online gamers.

The latest attack works like this: A vulnerable Website is first compromised with a SQL injection attack, and the malicious script that’s injected points a visitor’s browser to a malicious URL that carries Shockwave Flash (SWF) files that exploit the Adobe Flash bug (aka CVE-2007-0071), according to Trend Micro. Then, unbeknownst to the user, his or her vulnerable machine downloads the malicious file, which researchers say is either spyware to steal credentials or some type of Trojan dropper that downloads other malicious files.

Symantec originally reported that the attack was using a zero-day Adobe Flash exploit, but later found that it was the existing and recently patched buffer-overflow bug in the Flash Player, which is triggered when Flash Player processes a malicious SWF file. Still, some of the latest versions of the Adobe Flash Player appear to be susceptible to the attack even with the patch, notes Symantec’s Greenbaum, including the newest version of the Linux stand-alone player and the Debugger version of the player.

The attack appears to be using and reusing the same domains as in previous waves of SQL injection attacks. “And the same exploit code in the threat chain,” Trend’s Macalintal says. “They are using the same or similar types of data from a family of online [credential]-stealing Trojans.”

ShadowServer, meanwhile, has posted a list of some of the Websites that are exploiting the Adobe Flash Player flaw.

Researchers don’t have any specific Website counts on the latest SQL injection attack, but Symantec says it estimates that over 21,000 Web pages are infected with the first stage of the attacking JavaScript that has become a hallmark of these SQL injection attacks. Greenbaum says Symantec also has detected about three different types of “hostile” SWF files.
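The first-stage payload in these mass SQL injection attacks is a script tag, injected into text columns of the site's database, that loads JavaScript from an attacker-controlled host. The following defender-side check, added here as an illustration rather than code from the article or any of the vendors quoted, scans database text values for script tags whose source lies outside the site's own hostnames. The sample rows, the trusted-host set and the `attacker-placeholder.example` hostname are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows standing in for text columns dumped from a site's
# database. Rows 2 and 8 carry an injected first-stage script tag of the kind
# the article describes; the hostname is a placeholder, not a real indicator.
SAMPLE_ROWS = [
    ("news", 1, "Patch notes for the spring update"),
    ("news", 2, 'Welcome back!</title><script src="http://attacker-placeholder.example/x.js"></script>'),
    ("comments", 7, 'See <script src="/static/app.js"></script> for the widget'),
    ("comments", 8, "<SCRIPT SRC=HTTP://ATTACKER-PLACEHOLDER.EXAMPLE/y.js></SCRIPT>"),
]

# Assumed: the hostnames this site legitimately loads scripts from.
TRUSTED_HOSTS = {"www.example.com"}

# Matches <script ... src=VALUE ...> with or without quotes, any case.
SCRIPT_SRC = re.compile(r"<script[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def external_script_hosts(text, trusted=TRUSTED_HOSTS):
    """Return hostnames of <script src> tags that point outside the trusted set.

    Relative sources (no hostname) are the site's own files and are ignored.
    """
    hosts = []
    for src in SCRIPT_SRC.findall(text):
        host = urlparse(src).hostname  # None for relative URLs like /static/app.js
        if host and host.lower() not in trusted:
            hosts.append(host.lower())
    return hosts


def find_injected_rows(rows, trusted=TRUSTED_HOSTS):
    """Flag (table, row id, host) for every row carrying an external script tag."""
    hits = []
    for table, row_id, value in rows:
        for host in external_script_hosts(value, trusted):
            hits.append((table, row_id, host))
    return hits


if __name__ == "__main__":
    for table, row_id, host in find_injected_rows(SAMPLE_ROWS):
        print(f"{table}#{row_id}: script loaded from {host}")
```

Each flagged host is a candidate for blocking at the web proxy and for cleaning from the affected rows; fixing the injection point in the application is what stops the next wave.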

One feature of the attack is that the infected Website appears to check the victim’s browser type as well as his or her Flash Player version in order to drop the appropriate exploit.

What do the nefarious SWF files look like? PandaLabs researchers say that in some cases they take the form of an animation a user has to run, or of an image on the Web page. “The maliciously-crafted Flash file could come in the form of a novelty animation which users have to run or it could be an image which is loaded directly on opening the Web page. This way, users would not suspect the infection, as the Web page could appear to be completely legitimate,” says Luis Corrons, technical director of PandaLabs, in a written assessment of the threat. “The fact that the vulnerability can be exploited regardless of the browser used, allows cyber-crooks to infect a greater number of users.”

And look for more versions of this monster SQL injection attack, which takes advantage of a flaw widespread among Websites. “They’re not going to stop at stealing passwords and selling them to the cyber underground for gamers,” Trend’s Macalintal says.

Source: Dark Reading