SQL Injection strike nails one-hundred thousand plus
by Steve Ragan - Dec 10 2009, 22:28
According to ScanSafe, an SQL Injection (SQLi) attack that started in November is still growing, and the way it ultimately delivers its payload and infects the end user with malware is rather unusual.
The attack started in November and, based on Google searches, has compromised over 130,000 domains. However, basing the infection rate on searches alone is spotty at best: the results will sometimes show sites that are clean while missing the newest crop of infected domains. The common element is that the attacks are all SQLi-based and each starts with an injected reference to 318x.com.
Each of the hijacked domains houses an iframe that points to 318x.com, which in turn loads a secondary iframe and malicious JavaScript from a third site. The secondary iframe calls a third iframe and loads yet another script, and this, ScanSafe says, is where the normal attack pattern gets odd.
The third iframe loads a file called share.html, which ScanSafe says acts as a master file that pulls the other components of the attack together.
“As its name implies, share.html is acting as a master file to include other components of the attack. Over a dozen other script files are called through a convoluted chain of Iframes and src references largely dependent on the browser type, version of Flash, and related criteria,” a ScanSafe advisory says.
“The attack appears to be a work-in-progress; as we've been monitoring the malware scripts used in the final stage attacks, some scripts are being changed, some removed, and new ones are being introduced. Many of the files have .jpg extensions, but all are simply .js files.”
Another interesting observation, ScanSafe noted, is the absence of PDF exploits, which have become almost obligatory in recent months. Instead, most of the attacks target Flash Player, ActiveX, and Internet Explorer memory corruption vulnerabilities, each of which is closed by applying the patches already available.
If exploitation succeeds, the system is infected with a variant of the Buzus family of malware, which in most cases allows the computer to be controlled over IRC. The Trojan is seen in credit card and other banking-related crimes.
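As an added illustration (not code from ScanSafe or from this article), here is a small Python check a site owner could run over their own pages to spot the pattern described above: iframes pointing at 318x.com (the host named in the report) or hidden by zero size, script includes whose names end in an image extension, and fetched ".jpg" content that lacks JPEG magic bytes. The sample page fragment and the host example.invalid are constructed placeholders, not real indicators.

```python
import re
from html.parser import HTMLParser

# Constructed sample of the markup such a campaign leaves in a page: a
# zero-size iframe to the campaign host plus a script named like an image.
# 318x.com comes from the report; example.invalid and the paths are made up.
SAMPLE_HTML = """<html><body><h1>Catalog</h1><p>Welcome</p>
<iframe src="http://318x.com/a.htm" width="0" height="0"></iframe>
<script src="http://example.invalid/ad.jpg"></script>
</body></html>"""

KNOWN_BAD_HOSTS = {"318x.com"}  # seed from the report; extend from your own intel
IMAGE_EXT = re.compile(r"\.(jpe?g|gif|png)(\?.*)?$", re.I)


def host_of(url):
    """Return the lowercased host of an absolute http(s) URL, else ''."""
    m = re.match(r"^https?://([^/:?#]+)", url or "", re.I)
    return m.group(1).lower() if m else ""


class InjectFinder(HTMLParser):
    """Collect (tag, host, reason) for iframes/scripts matching the pattern."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        host = host_of(src)
        if tag == "iframe":
            hidden = a.get("width") == "0" or a.get("height") == "0" \
                or "display:none" in (a.get("style") or "").replace(" ", "")
            if host in KNOWN_BAD_HOSTS:
                self.findings.append((tag, host, "known-bad-host"))
            elif hidden:
                self.findings.append((tag, host, "hidden-iframe"))
        elif tag == "script" and src and IMAGE_EXT.search(src):
            self.findings.append((tag, host, "script-with-image-extension"))


def find_injections(html):
    p = InjectFinder()
    p.feed(html)
    return p.findings


def is_real_jpeg(data):
    """True if the bytes start with the JPEG SOI marker; a '.jpg' that fails
    this deserves a look, since the report says such files were plain .js."""
    return data[:3] == b"\xff\xd8\xff"
```

Run find_injections over each served page and is_real_jpeg over anything the page fetches with an image extension; hits on either are a reason to audit the database for injected content.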
More details are here.
