New SQL injection worm making the rounds

The trend toward large-scale attacks against Web sites through the use of SQL injection is continuing, as experts at both the SANS Internet Storm Center and Shadowserver Foundation are tracking a newly discovered SQL injection worm that appears to be exploiting a RealPlayer flaw and dropping malware on vulnerable sites. The attacks are focusing on ASP pages and are using the familiar iFrame exploitation method that has been involved in a number of the recent mass SQL injection attacks. After successfully exploiting a vulnerable PC, the infected Web site installs a binary on the user’s PC. The analysis of the attack done by the folks at Shadowserver shows that the binary is named “test.exe” and is just one link in a long chain of downloaders and malware.

“This binary that is downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next. In our instance it [tells it] to download yet another file and to report in to a URL,” the Shadowserver analysis says.

Fun for the whole family. Shadowserver also has a good list of some of the malicious sites and IP addresses that are serving the malware, for your filtering pleasure.
