Researchers have identified the malicious executable that attackers have been using to compromise thousands of websites for the last few months and serve up malicious code.
The executable turned out to be a utility designed to perform automated SQL injection attacks against websites found to be vulnerable through specific Web searches, according to an analysis done by the SANS Institute's Internet Storm Center. The utility seems to be written in Chinese and gives users the ability to decide which HTML tag he wants to insert into the vulnerable Web page.
Security researchers believe that attackers have been using this utility and others like it to compromise legitimate sites. The malicious code is then used to serve malware silently to users visiting those sites.
The technique of using otherwise legitimate sites to host and deliver malware is an increasingly popular one and has continued to be effective for a number of reasons. Most importantly, users do not expect to find malware on e-commerce, news and entertainment sites that they trust and have been visiting for years. But there's also the problem of finding and removing the malicious pages. It's much easier to isolate and blackhole an entirely malicious site than it is to find and take down one infected page among thousands on a legitimate site.
In his analysis of the malware utility , ISC handler Bojan Zdrnja wrote that after infecting a new site, the program then checks with a remote server in China, possibly to confirm the new infection as part of a pay-per-infection scheme. After that operation, the tool will then connect to Google and use a specific search string to find vulnerable sites. The search string is user-configurable.
"The nice thing about this is that we finally managed to confirm that it is SQL Injection that was used in those attacks. The tool has more functionality that we still have to analyze but this is the main purpose," Zdrnja wrote in his analysis.
Researchers began noticing the mass compromises of websites in January, but were unsure about the specific attack vector until now.