Obfuscating Fast-fluxed SQL Injected Domains
2008-07-17 15:31:06 by Dancho Danchev in Dancho Danchev's Blog - Mind Streams of Information Security Knowledge
It's all a matter of how you put it, and putting it like this represents a good example of tactical warfare: combining different tactics for the sake of making it harder to keep track of the impact of a particular SQL injection campaign. Consider the following examples of obfuscated domains, which were naturally in a fast-flux at the time of the SQL injection that several Chinese script kiddies were taking advantage of:

%6b%6b%36%2e%75%73 - kk6.us
%73%61%79%38%2E%75%73 - s.see9.us
%66%75%63%6B%75%75%2E%75%73 - fuckuu.us
%61%2E%6B%61%34%37%2E%75%73 - a.ka47.us
%61%31%38%38%2E%77%73 - a188.ws
%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D - 3.trojan8.com
%6D%31%31%2E%33%33%32%32%2E%6F%72%67 - m11.3322.org

As always, these obfuscations are just the tip of the iceberg, considering the countless other URL obfuscation techniques that spammers and phishers have long taken advantage of on a large scale. For the time being, one of the main reasons we're not seeing massive SQL injections using such obfuscations is that the feature hasn't been implemented in the popular SQL injectors that copycat script kiddies rely on. However, given the potential for evading common detection approaches, it's only a matter of personal will for someone to add this extra layer to ensure the survivability of a campaign.
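The defensive counterpart is to normalize such encodings before matching a hostname against a blocklist or IoC list. The following is an added example, not code from the original post: the sample page content is constructed, reusing two of the percent-encoded hostnames listed above plus a hypothetical double-encoded spelling of 3.trojan8.com, which shows why the decoder has to iterate rather than decode once.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample page content (not from the post). The first two hostnames
# are percent-encoded domains listed in the post; the third is a hypothetical
# double-encoded form of 3.trojan8.com, added to show why decoding must iterate.
SAMPLE_PAGE = """
<script src="http://%33%2E%74%72%6F%6A%61%6E%38%2E%63%6F%6D/b.js"></script>
<script src="http://%6b%6b%36%2e%75%73/1.js"></script>
<script src="http://%2533%252E%2574%2572%256F%256A%2561%256E%2538%252E%2563%256F%256D/b.js"></script>
<img src="http://static.example.net/logo.gif">
"""

URL_RE = re.compile(r"""https?://[^\s"'<>]+""", re.IGNORECASE)
# Plausible hostname: labels of letters/digits/hyphens, at least one dot.
HOST_RE = re.compile(
    r"^(?=.*\.)[a-z0-9](?:[a-z0-9-]*[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]*[a-z0-9])?)*$"
)


def decode_percent(s: str, max_rounds: int = 3) -> str:
    """Percent-decode repeatedly until the text stops changing, bounded so
    that nested encodings (%2533 -> %33 -> 3) are undone without looping."""
    for _ in range(max_rounds):
        decoded = unquote(s)
        if decoded == s:
            break
        s = decoded
    return s


def find_encoded_hosts(text: str) -> dict[str, list[str]]:
    """Find URLs whose hostname is percent-encoded and map each decoded
    hostname to the raw encoded spellings seen, so a single blocklist entry
    covers every spelling of the same domain."""
    found: dict[str, list[str]] = {}
    for url in URL_RE.findall(text):
        netloc = urlsplit(url).netloc
        raw_host = netloc.rpartition("@")[2].partition(":")[0]  # drop userinfo/port
        if "%" not in raw_host:
            continue  # plain hostname, nothing to normalize
        decoded = decode_percent(raw_host).lower()
        if HOST_RE.match(decoded):
            found.setdefault(decoded, []).append(raw_host)
    return found


if __name__ == "__main__":
    for host, raw_forms in find_encoded_hosts(SAMPLE_PAGE).items():
        print(f"{host} <- {', '.join(raw_forms)}")
```

Running it over SAMPLE_PAGE collapses both spellings of 3.trojan8.com into one entry and leaves the unencoded image host alone.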

The folks behind these obfuscations are naturally multitasking on several different underground fronts. Take for instance 3.trojan8.com (58.18.33.248), which also responds to w2.xnibi.com, a domain that is itself injected at several sites, w2.xnibi.com/index.gif to be precise. The fake .gif file, in the spirit of the fake directory listings used to acquire traffic in order to serve malware, is actually attempting to exploit a RealPlayer vulnerability (JS/RealPlr.LB!exploit). The deeper you go, the uglier it gets.

Related posts:
Yet Another Massive SQL Injection Spotted in the Wild
Malware Domains Used in the SQL Injection Attacks
SQL Injection Through Search Engines Reconnaissance
Google Hacking for Vulnerabilities
Fast-Fluxing SQL injection attacks executed from the Asprox botnet
Sony PlayStation's site SQL injected, redirecting to rogue security software
Redmond Magazine Successfully SQL Injected by Chinese Hacktivists