Fribet: A RAT that chews holes in SQL servers.

17 April 2008

Since the country of China stepped up its activities in Tibet hundreds of pro-Tibet websites have been springing up all across the Net. Predictably, some subset of those sites are being compromised by pro-Communist China crackers, which is a popular political maneuver (of questionable effectiveness). Not content to merely deface these sites, some of them are being infected with a malware agent called Fribet, which attacks vulnerabilities in the user's web browser to silently install itself. Fribet not only sets up a backdoor into the system that allows it to be remotely controlled but it is capable of attacking other machines on the same network as the infected host - specifically, it makes use of the SQL Native Client ODBC library (which is on most Windows machines by default, so far as I know) which gives it the capability of attacking MS SQL servers on the local network. Now, an infected machine going after other boxes on the network is bad enough, but when you take into account how widely spread IFRAME poisoning attacks are these days, this should give one pause.

Often, IFRAME poisoning attacks are performed by exploiting SQL injection vulnerabilities to alter the content of a website kept in a database, or by inserting references to remotely includable files elsewhere on the Net. In theory, you can put anything into a database, including HTML code that silently appears along with content. This HTML code can be used to attack vulnerabilities in the web browser. However, SQL injection attacks stick out like a sore thumb in a web server's logs; direct connections to a database, on the other hand, are rarely recorded for later analysis. Because this little beastie is capable of making direct connections to other database servers, it is now possible to compromise sites much more rapidly than the "search Google for a particular URL and fire an exploit at each returned result" attempts.