We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs that lead to malware such as FAKEAV.
Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.
More URLs Involved
Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server—a known malicious IP Trend Micro researchers are monitoring. Thus, the related URLs have been proactively blocked by Trend Micro as early as March 25, 2011:
- {BLOCKED}of-books.com/ur.php
- {BLOCKED}ane.com/ur.php
- {BLOCKED}carter.com/ur.php
- {BLOCKED}on.com/ur.php
- {BLOCKED}6.info/ur.php
New developments are currently being observed. We’re seeing compromised websites whose injected script previously led to {BLOCKED}on.com/ur.php now modified to connect to {BLOCKED}s.com/ur.php instead. The said URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to since the previous ones are already being blocked.
Infection Chain Leads to FAKEAV and WORID
So far, the infection chain has been typical. Visiting a compromised website with the malicious script leads to any of the above-mentioned URLs, which then triggers a series of redirections, finally leading to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. The scan is, of course, fake, and is the first part of the whole FAKEAV scam, followed by a prompt to download a malicious file disguised as an installer.
Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.
Web compromises such as this one are not uncommon but do pose a great threat, especially if a particular website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network™, protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files detected.
Website owners who suspect that their websites have been compromised are advised to clean up their sites as soon as possible.
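For site owners checking their own databases, an added example (not Trend Micro's code) in Python: it scans dumped text fields for the injected script tag, keys on the shared /ur.php path rather than on any one domain (the post shows the attacker rotating domains), and strips the tag for cleanup. The sample rows and the blocked-example hostnames are constructed.

```python
import re

# Added example (not Trend Micro's code). Shape of the injected tag: a <script>
# whose src points at some host's /ur.php, the path shared by every URL in the
# post. The host is captured rather than hard-coded because the attacker swapped
# domains once earlier ones were blocked. Hostnames below are constructed.
INJECTED_SCRIPT_RE = re.compile(
    r"""<script[^>]*\bsrc\s*=\s*["']?(?:https?:)?//([^/"'\s>]+)/ur\.php["']?[^>]*>\s*</script>""",
    re.IGNORECASE,
)


def find_injected_hosts(value):
    """Return the distinct ur.php hosts referenced by script tags in one field value."""
    return sorted({m.group(1).lower() for m in INJECTED_SCRIPT_RE.finditer(value)})


def strip_injected_script(value):
    """Remove every matching tag so the cleaned value can be written back."""
    return INJECTED_SCRIPT_RE.sub("", value)


def scan_rows(rows):
    """rows: iterable of (table, column, primary_key, text_value).

    Returns one finding per affected row. Text columns of every table are worth
    scanning: the injection updated whatever string columns the attacker reached.
    """
    findings = []
    for table, column, pk, value in rows:
        hosts = find_injected_hosts(value)
        if hosts:
            findings.append({"table": table, "column": column, "pk": pk, "hosts": hosts})
    return findings


# Constructed sample rows standing in for a dump of a site's text columns.
# Row 2 carries an earlier domain, row 7 the replacement the post describes.
SAMPLE_ROWS = [
    ("articles", "body", 1, "<p>Club meeting Tuesday.</p>"),
    ("articles", "body", 2, "<p>Opening hours</p><script src=http://blocked-example-on.com/ur.php></script>"),
    ("products", "title", 7, 'Telescope kit</title><script src="http://blocked-example-s.com/ur.php"></script>'),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['table']}.{f['column']} pk={f['pk']} -> {', '.join(f['hosts'])}")
    # Write strip_injected_script(value) back only after a backup, and close
    # the SQL injection entry point first or the rows will be re-infected.
```

A clean scan only means the stored copies are gone; the injection flaw that let the UPDATE through still needs fixing.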
Post from: TrendLabs | Malware Blog – by Trend Micro
LizaMoon, Etc. SQL Injection Attack Still Ongoing

Posted on 01 April 2011. Tags: Attack, Etc., Injection, LizaMoon, Ongoing, still
The above information is reprinted from and copyrighted © by Trend Micro.