Home > Security News > Researchers uncover tool used to infect websites, spread malware
Security News:
EMAIL THIS

Researchers uncover tool used to infect websites, spread malware

By Dennis Fisher, Executive Editor
16 Apr 2008 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Researchers have identified the malicious executable that attackers have been using to compromise thousands of websites for the last few months and serve up malicious code.

The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks.
Bojan Zdrnja,
ISC handler, SANS Institute Internet Storm Center

The executable turned out to be a utility designed to perform automated SQL injection attacks against websites found to be vulnerable through specific Web searches, according to an analysis done by the SANS Institute's Internet Storm Center. The utility seems to be written in Chinese and gives users the ability to decide which HTML tag he wants to insert into the vulnerable Web page.

Security researchers believe that attackers have been using this utility and others like it to compromise legitimate sites. The malicious code is then used to serve malware silently to users visiting those sites.

The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site.

In his analysis of the malware utility , ISC handler Bojan Zdrnja wrote that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites. The search string is user-configurable.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," Zdrnja wrote in his analysis.

Researchers began noticing the mass compromises of websites in January, but were unsure about the specific attack vector until now.



Tags: Malware, Viruses, Trojans and SpywareEmerging Information Security ThreatsVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google



RELATED CONTENT
Malware, Viruses, Trojans and Spyware
Schneier-Ranum Face-Off: Is antivirus dead?
Modern malware, stealthy botnets, adapt quickly, expert says
Computer worm infections up, scareware antivirus down, Microsoft says
Web-based attacks skyrocket, pirating sites surge, security firms say
Mini guide: How to remove and prevent Trojans, malware and spyware
Kaspersky system analyzes malicious URLs on Twitter for malware
Silon malware intercepts Internet Explorer sessions, steals credentials
Breach forces payroll service provider PayChoice to shut down again
RSA research underscores problem tracking cybercriminals
Conficker analysis finds P2P coding limited, less sophisticated

Emerging Information Security Threats
Modern malware, stealthy botnets, adapt quickly, expert says
New ransomware Trojan pushes victims to buy software
Bruce Schneier on outsourcing, awareness training
US-CERT warns of BlackBerry snooping software
Marcus Ranum on cyberwarfare, infosec careers
Researchers find thousands of flawed embedded devices
Enterprise botnets contain thousands of malware variants
Nuke and pave to eradicate botnets
Rand study urges caution on cyberwarfare attacks
Hathaway joins Harvard to contribute to DOD project

RELATED GLOSSARY TERMS
Terms from Whatis.com − the technology online dictionary
bot worm  (SearchSecurity.com)
directory traversal  (SearchSecurity.com)
government Trojan  (SearchSecurity.com)
Kraken  (SearchSecurity.com)
man in the browser  (SearchSecurity.com)
polymorphic malware  (SearchSecurity.com)
RAT (remote access Trojan)  (SearchSecurity.com)
RavMonE virus  (SearchSecurity.com)
RFID virus  (SearchSecurity.com)
Rock Phish  (SearchSecurity.com)

RELATED RESOURCES
2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems
Search Bitpipe.com for the latest white papers and business webcasts
Whatis.com, the online computer dictionary



More Tips to Secure Your Network
TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineMultimediaWhite PapersLearningAdviceTopicsEventsAbout Us

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides technology professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective purchase decisions and managing their organizations' technology projects - with its network of technology-specific websites, events and online magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Site Map




All Rights Reserved, Copyright 2003 - 2009, TechTarget | Read our Privacy Policy
  TechTarget - The IT Media ROI Experts