Researchers uncover tool used to infect websites, spread malware

By Dennis Fisher, Executive Editor 16 Apr 2008 | SearchSecurity.com

Security Wire Daily News Digg This!     StumbleUpon     Del.icio.us

Researchers have identified the malicious executable that attackers have been using to compromise thousands of websites for the last few months and serve up malicious code.

The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. Bojan Zdrnja, ISC handler, SANS Institute Internet Storm Center

The executable turned out to be a utility designed to perform automated SQL injection attacks against websites found to be vulnerable through specific Web searches, according to an analysis done by the SANS Institute's Internet Storm Center. The utility seems to be written in Chinese and gives users the ability to decide which HTML tag he wants to insert into the vulnerable Web page.

Security researchers believe that attackers have been using this utility and others like it to compromise legitimate sites. The malicious code is then used to serve malware silently to users visiting those sites.

The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site.

In his analysis of the malware utility , ISC handler Bojan Zdrnja wrote that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites. The search string is user-configurable.

"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," Zdrnja wrote in his analysis.

Researchers began noticing the mass compromises of websites in January, but were unsure about the specific attack vector until now.

Tags: Malware, Viruses, Trojans and Spyware,  Emerging Information Security Threats,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Malware, Viruses, Trojans and Spyware Malware in Google attacks uses spaghetti code Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Another PDF attack targets Adobe zero-day vulnerability Security report finds rise in banking Trojans, adware, fewer viruses How to prevent rogue antivirus programs in the enterprise How to stop keylogging malware with more than basic antivirus software, firewalls Conficker-infected machines now number 7 million, Shadowserver finds FBI estimates rogue antivirus losses exceeding $150 million Security researchers continue hunt for Conficker authors Emerging Information Security Threats Leverage Google Attacks to Improve Cybersecurity SCADA system, critical infrastructure security lacking, survey finds Preparing for future security threats, evolving malware Facebook attacks prompt investments in social networking security Information security podcasts: 2009 archive Hathaway calls for international cybercrime task force Active PDF attacks target Reader, Acrobat zero-day vulnerability Sites hit with massive automated SQL injection attack Cybercriminals invest in social networking attacks Best practices for (small) botnets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary bot worm  (SearchSecurity.com) directory traversal  (SearchSecurity.com) government Trojan  (SearchSecurity.com) Kraken  (SearchSecurity.com) man in the browser  (SearchSecurity.com) polymorphic malware  (SearchSecurity.com) RAT (remote access Trojan)  (SearchSecurity.com) RavMonE virus  (SearchSecurity.com) RFID virus  (SearchSecurity.com) Rock Phish  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary