Saturday, December 12, 2009

eSoft Uncovers 1.5 Million Sites in SQL Injection Attacks

The eSoft Threat Prevention Team has uncovered an additional 1.5 million sites associated with the newest series of SQL injection attacks. Any compromised sites are very dangerous, infecting the user with Trojan.Buzus silently in the background. The Buzus family of trojans can steal passwords, financial data, and other sensitive information.

Note: Any sites listed below are dangerous and should not be followed without proper protection.

The compromised pages are injected with the same script several times in and around the title and meta tags, as well as other locations. Injected sites in this attack share the common characteristic of “script src=http” and a varying script source.







The list below shows the injected domains used in this attack. The number next to each domain is the amount of sites found to be injected with the domain using Google search.

Each domain hosts the same javascript, using small or hidden iframes to redirect users to other malicious sites where the final payload is delivered. These domains use the same technique described by Scansafe last week in the 318x injection. As many as 300,000 sites were reported compromised in that attack. An example is shown below, note each of the sites in the image is also dangerous so do not attempt to view linked sites.

Additionally, the Threat Prevention Team uncovered the related sites below, also using the same type of injection and javascript iframe technique. The javascript shown below is slightly different than the first attack, only using two iframes but infecting users and tracking with the same method.


eSoft is adding detection for these attacks and flagging any victimized sites as compromised. Distribution and redirect sites are marked as malicious, protecting users from downloading the final dangerous payload.

No comments: