How Attacks against Pro-Tibet Web Sites Can Springboard Against Your Database
April 13, 2008
The sites, which sympathize with Tibet, are attacked by hackers taking advantage of interest in the China-Tibet issue; the "Fribet" trojan is left on the sites, which become "possibly hijacked to host Exploit-MS07-004, which appear to be specifically crafted," according to Shinsuke Honjo and Geok Meng Ong of McAfee Avert Labs.
Visitors to the pro-Tibet sites are infected with malware, and from there the broader risk escalates. The trojan installs remote control and monitoring functions, including the ability to create new files or folders and to take instructions from command-and-control servers.
At the time of our research, the command and control server was not sending us commands. However, our reverse engineering of the malicious code shows it is more than capable of the following:
- Bind and connect to local or remote databases from the victim machine
- Query and steal data from local or remote databases
- Insert arbitrary data into local or remote databases, including web data such as hosting a web exploit
The attacker still needs to find out the information required to connect to the database, such as DSN, hostname, database name, User and Password; however, that information can be collected via other monitoring functions of Fribet, and it can also enumerate weak and default values.
Patrick Nolan of the SANS Internet Storm Center sums it up:
All your databases accessed by database support are theirs ( ; ^ (
Honjo and Ong recommend administrators double down on security of database back ends.
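One concrete piece of that hardening is watching the content a database-backed site serves, since the capability described above is to insert web data such as an exploit page into the database. The following is an added example, not code from the article or from McAfee: it takes a baseline of a constructed SQLite content table, then reports rows that changed and whether the change introduced active markup (script, iframe, object, embed) that an editor did not put there. Table layout, page bodies and the placeholder URL are all assumptions.

```python
import hashlib
import re
import sqlite3

# Constructed sample rows of the kind a CMS serves to visitors.
SEED_PAGES = [
    (1, "/index.html", "<h1>Welcome</h1><p>Tibet news and events.</p>"),
    (2, "/news.html", "<h2>News</h2><p>Latest updates.</p>"),
]

# Active content that should not appear in stored pages without an editorial change.
SUSPICIOUS = re.compile(r"<(script|iframe|object|embed)\b", re.IGNORECASE)


def make_db():
    """Create an in-memory SQLite database holding the constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, path TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SEED_PAGES)
    conn.commit()
    return conn


def snapshot(conn):
    """Return {path: sha256(body)} as the known-good baseline of stored content."""
    rows = conn.execute("SELECT path, body FROM pages ORDER BY id").fetchall()
    return {path: hashlib.sha256(body.encode()).hexdigest() for path, body in rows}


def audit(conn, baseline):
    """List (path, change, has_active_markup) for rows that differ from the baseline."""
    findings, seen = [], set()
    for path, body in conn.execute("SELECT path, body FROM pages ORDER BY id"):
        seen.add(path)
        digest = hashlib.sha256(body.encode()).hexdigest()
        change = "new-row" if path not in baseline else ("modified" if digest != baseline[path] else None)
        if change:
            findings.append((path, change, bool(SUSPICIOUS.search(body))))
    findings.extend((path, "deleted", False) for path in baseline if path not in seen)
    return findings


def demo():
    """Baseline, then one legitimate edit and one injected hidden iframe (constructed)."""
    conn = make_db()
    baseline = snapshot(conn)
    conn.execute("UPDATE pages SET body = body || ? WHERE id = 1", ("<p>Updated schedule.</p>",))
    conn.execute("UPDATE pages SET body = body || ? WHERE id = 2",
                 ('<iframe src="http://placeholder.example/x.html" width="0" height="0"></iframe>',))
    conn.commit()
    return audit(conn, baseline)
```

Only the second change is flagged with active markup, so a periodic run of `audit` against a stored baseline separates routine edits from the kind of write the trojan is described as making.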
With other events this year that will be of major news and interest (the Olympics, the U.S. presidential election), you'll most likely want to keep your radar up to see if these tactics are employed in other scenarios down the road.