Home > Security News > Researchers uncover tool used to infect websites, spread malware
Security News:
EMAIL THIS LICENSING & REPRINTS

Researchers uncover tool used to infect websites, spread malware

By Dennis Fisher, Executive Editor
16 Apr 2008 | SearchSecurity.com

Security Wire Daily News
Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google

Researchers have identified the malicious executable that attackers have been using to compromise thousands of websites for the last few months and serve up malicious code.

The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks.
Bojan Zdrnja,
ISC handler, SANS Institute Internet Storm Center

The executable turned out to be a utility designed to perform automated SQL injection attacks against websites found to be vulnerable through specific Web searches, according to an analysis done by the SANS Institute's Internet Storm Center. The utility seems to be written in Chinese and gives users the ability to decide which HTML tag he wants to insert into the vulnerable Web page.

Security researchers believe that attackers have been using this utility and others like it to compromise legitimate sites. The malicious code is then used to serve malware silently to users visiting those sites.

The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site.

In his analysis of the malware utility , ISC handler Bojan Zdrnja wrote that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites. The search string is user-configurable.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," Zdrnja wrote in his analysis.

Researchers began noticing the mass compromises of websites in January, but were unsure about the specific attack vector until now.



Sound Off! -   Post your comments |  See others' comments (1)


Tags: Viruses, Worms and Other MalwareEmerging Information Security ThreatsVIEW ALL TAGS

Digg This!    StumbleUpon Toolbar StumbleUpon    Bookmark with Delicious Del.icio.us    Add to Google


TechTarget Security Media
Information Security View this month\\'s issue and subscribe today.
Information Security Decisions Apply online for free conference admission.
SearchSecurity.com
HomeNewsMagazineWebcastsWhite PapersLearningAdviceTopicsEventsAbout Us
SEARCH :     Advanced Search | Site Index Powered by: Search Powered by Google

About Us  |  Contact Us  |  For Advertisers  |  For Business Partners  |  Site Index  |  RSS
TechTarget provides enterprise IT professionals with the information they need to perform their jobs - from developing strategy, to making cost-effective IT purchase decisions and managing their organizations' IT projects - with its network of technology-specific Web sites, events and magazines.

TechTarget Corporate Web Site  |  Media Kits  |  Reprints  |  Site Map




All Rights Reserved, Copyright 2003 - 2008, TechTarget | Read our Privacy Policy 		  TechTarget - The IT Media ROI Experts