According to the McAfee Avert Labs blog, McAfee discovered the Fribet trojan. The trojan was discovered on pro-Tibet sites that were possibly hijacked to host Exploit-MS07-004.
A snippet of code was inserted into the sites to direct users' browsers to another site that hosted exploits, Craig Schmugar, threat researcher at McAfee, told SCMagazineUS.com on Friday.
“What is different about this malware is that it actually looks for databases that the compromised machine might have access to,” Schmugar said. “If someone with an administrative database that was used to create a website or a host site is infected, there is the potential to infect other sites, as well as compromise any data the user has access to.”
The Avert Labs blog also stated that when visitors to the pro-Tibet websites are infected, the Fribet trojan provides remote control and monitoring functions, such as creating new files or folders, starting or terminating processes, and sending or receiving additional malware.
Schmugar said this is the first malware he's aware of that has this specific SQL code to try to get to the data.
“We normally see more generic means, like back doors, but this is more specifically going after SQL and the information the user has to get to a database,” he said.
Another twist to this trojan is that rather than relying on a vulnerability, it is going directly to the host.
“It's going around the vulnerabilities to perpetuate the threat further,” Schmugar added.