Website attacks continue

Security researchers at the Shadowserver Foundation have discovered another round of SQL injection attacks, this one affecting more than 4,000 web pages that are based on Microsoft's ASP and .NET technologies.

"This time, the domain name 'winzipices.Cn' is in the spotlight," Steven Adair, one of Shadowserver's global base of security volunteers, wrote in a blog post. "It has managed to find itself in the source of over 4,000 pages, according to Google."

Although the unknown attackers are using many of the same techniques involved in earlier SQL injection attacks, the malware and the trail of malicious files they rely on in this case differ from earlier attacks, Adair said. In each case, however, the attackers rely on iFrames to redirect visitors of the infected websites to other pages.

Previous SQL injection attacks uncovered by Shadowserver installed a piece of malware that can steal passwords from systems running Microsoft's Internet Explorer, Adair said. The malware associated with the new attacks "appears to be part of a kit we have seen in the Chinese malware family for some time now."

Once installed, the new malware downloads a configuration file with several commands that instruct the infected system what to do next. In this case, it downloads yet another file and reports to another URL.

The malware is also capable of address resolution protocol (ARP) spoofing and of injecting malicious code into web pages viewed by other users on the infected system's local network, Adair added. ARP spoofing can allow an attacker to examine data frames on an Ethernet LAN and can result in a denial of service attack.

"The iFrames [in this attack] are all pointing to 'bulletproof' machines in China," John Bambenek, an incident handler with the SANS Internet Storm Center and a research programmer at the University of Illinois, told SCMagazineUS.com Wednesday. "The iFrames don't seem to be redirecting the user in an overt way, just trying to silently slip malware in using exploits we've known about for months."

"It looks like [the attackers] are just accumulating machines for a botnet," Bambenek added. "The malware isn't particularly interesting, your run-of-the-mill stuff. One interesting feature is that it will spoof web traffic on the LAN to try to inject malware on neighboring machines."
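As an added, defender-side example (not code from the article, Shadowserver or SC Magazine): a small Python audit that scans saved page source for iframes pointing at the domain named above, or hidden from the visitor the way a silently injected frame would be. The sample HTML and its paths are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domain named in the article; extend with any host seen in injected source.
WATCHLIST = {"winzipices.cn"}


class IframeAuditor(HTMLParser):
    """Collect iframes that point at a watchlisted host or are hidden."""

    def __init__(self):
        super().__init__()
        self.findings = []  # list of (src, [reasons])

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k: (v or "") for k, v in attrs}  # parser lowercases attr names
        src = a.get("src", "")
        host = (urlparse(src).hostname or "").lower().rstrip(".")
        reasons = []
        if host in WATCHLIST or any(host.endswith("." + d) for d in WATCHLIST):
            reasons.append("watchlisted host")
        if a.get("width", "").strip() == "0" or a.get("height", "").strip() == "0":
            reasons.append("zero-size frame")
        style = a.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((src, reasons))


def audit_html(html):
    """Return [(src, reasons)] for every suspicious iframe in the page."""
    parser = IframeAuditor()
    parser.feed(html)
    return parser.findings


# Constructed sample: one legitimate embed, one injected frame on the
# watchlisted domain, one hidden frame on an unlisted host.
SAMPLE_PAGE = """<html><body>
<iframe src="https://example.com/widget" width="300" height="200"></iframe>
<iframe src="http://www.winzipices.cn/placeholder" width="0" height="0"></iframe>
<iframe src="http://other.example/placeholder" style="display: none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for src, reasons in audit_html(SAMPLE_PAGE):
        print(src, "->", ", ".join(reasons))
```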