Legitimate websites are being infected by the hundreds of thousands, including government sites in the UK and US. The criminals behind this are shifting their tactics and using a new domain to serve the malicious code. Depending on the search terms, there are 25,000 to 150,000 websites infected.
Several hundred thousand websites attacked in mass SQL Injection attack. (IMG:J.Anderson)
The website of the week to block is nihaorr1-dot-com (219-153-46-28). What started a few weeks ago as a targeted attack on news and travel sites is now spreading to other websites, including the United Nations and several other government sites.
“They have hit city websites, commercial sites, and even government websites. This type of injection pretty much null and voids the concept of ‘trusted website’ or ‘safe sites’,” SANS ISC wrote yesterday.
“Visitors to [nihaorr1-dot-com] are ‘treated’ to 8 different exploits for many Windows-based applications including AIM, RealPlayer, and iTunes. DO NOT visit sites that link to this site as you are very likely to get infected. Trendmicro named the malware toj_agent.KAQ; it watches for passwords and passes them back to the controller’s IP,” the ISC diary adds.
The attacks demonstrate the need for serious code scrubbing. However, some of the sites contain third-party software, which was what was attacked, or hundreds of lines of code to check. Vendors and developers therefore share both the blame and the combined effort of checking forms and other avenues of attack. SQL injection is not new to Internet security, but it is still a valid threat and a viable means of delivering malicious payloads.
While running a test of AVG Internet Security 8.0, LinkScanner warned of infected sites, but also correctly identified sites that were attacked but later cleaned up. This means that while the attack caught on and spread like wildfire, systems administrators were catching on and removing the malicious code.
The tool used to launch these attacks was covered previously by ISC:
http://isc.sans.org/diary.html?storyid=4139
http://isc.sans.org/diary.html?storyid=4294
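A site operator can check stored page content for script references to the domain named above, which also separates records that are still infected from ones that have been cleaned. This is an added example, not code from the article or from ISC; it assumes the injected content is a `<script src=...>` tag sitting in database text fields, and the function names, URL paths and sample rows are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Indicator exactly as the article prints it (defanged).
BLOCKED_DEFANGED = ["nihaorr1-dot-com"]

def refang(indicator):
    """Turn a defanged host such as 'example-dot-com' into 'example.com'."""
    return indicator.lower().replace("-dot-", ".").replace("[.]", ".")

BLOCKED_HOSTS = {refang(d) for d in BLOCKED_DEFANGED}

# src attribute of a <script> tag, quoted or unquoted, any letter case.
SCRIPT_SRC = re.compile(
    r"<script\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)

def host_is_blocked(url):
    """True when the URL's host is a blocked domain or a subdomain of one."""
    if url.startswith("//"):          # protocol-relative reference
        url = "http:" + url
    host = (urlparse(url).hostname or "").rstrip(".")
    return any(host == b or host.endswith("." + b) for b in BLOCKED_HOSTS)

def scan_rows(rows):
    """rows: iterable of (row_id, text). Returns [(row_id, url)] for each hit."""
    hits = []
    for row_id, text in rows:
        for url in SCRIPT_SRC.findall(text or ""):
            if host_is_blocked(url):
                hits.append((row_id, url))
    return hits

# Constructed sample rows standing in for a CMS text column (assumption).
_bad = "www." + refang(BLOCKED_DEFANGED[0])
SAMPLE_ROWS = [
    (1, "Council meeting minutes for April"),                      # clean
    (2, f"Press release<script src=http://{_bad}/x.js></script>"), # unquoted src
    (3, f'<SCRIPT SRC="HTTP://{_bad.upper()}/x.js"></SCRIPT>'),    # upper case
    (4, "Advisory text that only mentions nihaorr1-dot-com"),      # no script tag
    (5, f'<script src="http://not{refang(BLOCKED_DEFANGED[0])}/a.js"></script>'),
    (6, None),                                                     # NULL column
]

if __name__ == "__main__":
    for row_id, url in scan_rows(SAMPLE_ROWS):
        print(f"row {row_id}: script loaded from blocked host -> {url}")
```

Matching on the parsed host rather than on a substring keeps lookalike hosts (row 5) and plain-text mentions (row 4) out of the results.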