SQL attack continues to infect Web sites
Published: 2008-01-10

A Web attack that compromises vulnerable Web pages and installs a snippet of code to redirect visitors to a malicious site in China continued to spread this week, according to security experts.

The attack, which started at the end of December and was first mentioned on Chinese sites, infects Web sites running Microsoft's Internet Information Server (IIS) Web software and Microsoft SQL Server database software, according to the Internet Storm Center, a network-monitoring group run by the SANS Institute. Compromised sites are seeded with iframe code that redirects visitors to two sites in China, uc8010.com and ucmal.com, which attempt to execute a relatively old exploit for RealPlayer via JavaScript.
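Because the redirect is seeded into the site's own content rather than served from the attacker's host, the practical first check for an administrator is to look for iframes whose target host is one of the two domains named above, both in rendered pages and in the database columns that feed them. The following is an added example, not code from the article, the Internet Storm Center or any other party mentioned; the sample HTML, the sample database rows and the URL paths under the two domains are constructed for illustration.

```python
import re
from urllib.parse import urlparse

# The two redirect targets named in the article.
REDIRECT_DOMAINS = {"uc8010.com", "ucmal.com"}

# Captures the src value of an <iframe> tag, whether double-quoted,
# single-quoted or bare, regardless of attribute order or case.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*(?:\"([^\"]*)\"|'([^']*)'|([^\s>]+))",
    re.IGNORECASE | re.DOTALL,
)


def iframe_sources(html):
    """Return every iframe src value found in html, in document order."""
    sources = []
    for match in IFRAME_RE.finditer(html):
        src = next(group for group in match.groups() if group is not None)
        sources.append(src.strip())
    return sources


def host_of(src):
    """Lower-cased host of an iframe src; tolerates a missing scheme."""
    if "://" not in src:
        src = "http://" + src
    return (urlparse(src).hostname or "").lower()


def is_redirect_host(host, bad_domains=REDIRECT_DOMAINS):
    """True for the listed domains and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_injected_iframes(html, bad_domains=REDIRECT_DOMAINS):
    """List {'src', 'host'} for each iframe pointing at a listed domain."""
    return [
        {"src": src, "host": host_of(src)}
        for src in iframe_sources(html)
        if is_redirect_host(host_of(src), bad_domains)
    ]


def scan_rows(rows, bad_domains=REDIRECT_DOMAINS):
    """Scan (table, column, key, value) rows pulled from the site's
    database; return (table, column, key, host) for every hit, so the
    affected rows can be cleaned rather than just the rendered pages."""
    hits = []
    for table, column, key, value in rows:
        for finding in find_injected_iframes(value, bad_domains):
            hits.append((table, column, key, finding["host"]))
    return hits


# Constructed sample page: one benign embed, two injected hidden frames.
SAMPLE_PAGE = (
    "<html><body><h1>Welcome</h1>"
    '<iframe src="http://uc8010.com/0.htm" width=0 height=0></iframe>'
    '<iframe src="https://www.example.com/embed"></iframe>'
    "<IFRAME SRC=http://www.ucmal.com/a.htm WIDTH=0 HEIGHT=0></IFRAME>"
    "</body></html>"
)

# Constructed sample rows as they might come out of a content database.
SAMPLE_ROWS = [
    ("Products", "Description", 17,
     'Blue widget<iframe src="http://uc8010.com/0.htm" width=0 height=0></iframe>'),
    ("Products", "Description", 18, "Red widget"),
    ("News", "Body", 3,
     "Store hours changed <IFRAME SRC=http://ucmal.com/a.htm></IFRAME>"),
]

if __name__ == "__main__":
    for finding in find_injected_iframes(SAMPLE_PAGE):
        print("page: injected iframe ->", finding["src"])
    for table, column, key, host in scan_rows(SAMPLE_ROWS):
        print(f"db: {table}.{column} key={key} -> {host}")
```

The host comparison deliberately matches subdomains as well, since the article gives only the registered domains and an operator has no reason to assume the attackers will keep using bare hostnames; the row scanner reports table, column and key because, for an attack that writes into the database, cleaning the rendered HTML alone leaves the payload to be re-served on the next page build.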

The attack is "massive and ugly," according to independent security researcher Dancho Danchev, and it has also been very successful. The number of Web pages apparently affected by the attack has continued to rise over the past week. A Google search for parts of the iframe code currently returns nearly 100,000 pages for each domain. While Google search results are not an accurate way to measure the spread of malicious software, they can be a good indicator of the trend of an attack.

Given the success in seeding the redirection code on legitimate Web servers, the use of an old RealPlayer exploit in the attack puzzled some security experts.

"It is weird," said Roger Thompson, chief research officer for antivirus maker AVG. "I think the simplest explanation is that they found a really good server side exploit, but didn't think the rest of the attack through."

The attack appears, in many ways, similar to last year's compromises that, among other victims, hit the Web site of Super Bowl venue Dolphin Stadium, adding an iframe redirect to sites hosting malicious code. This year, security firm Computer Associates was reportedly among the victims.

Both domains used in the attack are only a few weeks old. The uc8010.com domain was registered on December 28, and the ucmal.com domain was registered on December 21, according to the Whois database.

Posted by: Robert Lemos
Copyright 2009, SecurityFocus