Researchers uncover tool used to infect websites, spread malware |
 |
By Dennis Fisher, Executive Editor
16 Apr 2008 | SearchSecurity.com |
|
|
Researchers have identified the malicious executable that attackers have been using to compromise thousands of websites for the last few months and serve up malicious code.
|
|
|
|
|
The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks.
Bojan Zdrnja,
ISC handler, SANS Institute Internet Storm Center
|
|
|
|
|
|
|
|
|
|
The executable turned out to be a utility designed to perform automated SQL injection attacks against websites found to be vulnerable through specific Web searches, according to an analysis done by the SANS Institute's Internet Storm Center. The utility seems to be written in Chinese and gives users the ability to decide which HTML tag he wants to insert into the vulnerable Web page.
Security researchers believe that attackers have been using this utility and others like it to compromise legitimate sites. The malicious code is then used to serve malware silently to users visiting those sites.
The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site.
In his analysis of the malware utility , ISC handler Bojan Zdrnja wrote that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites. The search string is user-configurable.
"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," Zdrnja wrote in his analysis.
Researchers began noticing the mass compromises of websites in January, but were unsure about the specific attack vector until now.
 |
 |
| |
RELATED CONTENT
 |
Malware, Viruses, Trojans and Spyware |
|
Schneier-Ranum Face-Off: Is antivirus dead?
|
|
Modern malware, stealthy botnets, adapt quickly, expert says
|
|
Computer worm infections up, scareware antivirus down, Microsoft says
|
|
Web-based attacks skyrocket, pirating sites surge, security firms say
|
|
Mini guide: How to remove and prevent Trojans, malware and spyware
|
|
Kaspersky system analyzes malicious URLs on Twitter for malware
|
|
Silon malware intercepts Internet Explorer sessions, steals credentials
|
|
Breach forces payroll service provider PayChoice to shut down again
|
|
RSA research underscores problem tracking cybercriminals
|
|
Conficker analysis finds P2P coding limited, less sophisticated
|
|
|
|
|
|
