Mass ASP.Net SQL Injection Infects Thousands Of Websites
The visitors of six particular languages are highly vulnerable to the attack--English, German, French, Italian, Polish, and Breton, seen from the following deobfuscated script:
This causes the browser to load an iframe with one of two remote sites:
www3.strongdefenseiz.in and www2.safetosecurity.rr.nu. From there, the iframe plants malware on the visitor's PC via a number of browser drive-by exploits.
This exploit will load even if the visitor doesn't open a file or clicks on a link, which makes it perfect as the "affectee" remains unaware of the attack. The attackers are, however, using exploits that have already been discovered with the concerned patches available. Hence, the target can only be achieved if the visitor is using an outdated, unpatched browser without the latest version of Adobe PDF or Adobe Flash or Java.
Currently, only six out of 43 can detect this malware. These are AntiVir, ByteHero, Fortinet, Jiangmin, McAfee and McAfee-GW-Edition.
What is interesting is that the registration information for this domain is the same as the one used on the earlier Lizamoon domains:
James Northone firstname.lastname@example.org
+1.5168222749 fax: +1.5168222749
128 Lynn Court
Plainview NY 11803
jjghui.com resolves to IP 188.8.131.52 (AS3999), which is in Russia. www3.strongdefenseiz.in resolves to 184.108.40.206 (AS36352), which is in the US and hosted by HostForWeb.com. www2.safetosecurity.rr.nu resolves to IP 220.127.116.11 (AS33597), which is in the US and hosted by InfoRelayOnlineSystems.
Which leads us to think that this may be the work of the infamous "Lizamoon mass infection" attackers.
1. ASP and ASP.NET websites are injected with the following script (text is here):
2. Contents of urchin.js is as seen below
3. The above script decodes to the following:
Discovered By: http://blog.armorize.com/2011/10/httpjjghuicomurchinjs-mass-infection.html