Attack in progress detects website errors and injects malicious scripts.
More than 132,000 websites, many of them small and void of any Web administrators, are being plucked off one by one by an automated SQL injection attack that is detecting website errors and then injecting malicious scripts to turn the sites into an attack platform.
The attacks, first detected in November by researchers at Web security vendor ScanSafe, are injecting malicious iFrames that install a backdoor Trojan. The Trojan uses a malicious domain, 318x, to install malware including the Buzuz backdoor Trojan, said Mary Landesman, senior researcher at ScanSafe. The Trojans, typically IRC-based have been used much more in website attacks, security experts say. IRC channels, the traditional method of channeling attacks is shrinking as attackers turn to automated tools that funnel more efficient ways to carry out attacks.
Over a dozen other script files are called through a convoluted chain of iframes and src references largely dependent on the browser type, version of Flash, and related criteria. The attack appears to be a work-in-progress; as we’ve been monitoring the malware scripts used in the final stage attacks, some scripts are being changed, some removed, and new ones are being introduced.
Once the websites are compromised and the drive-by attacks are in place, visitors will typically have their machines scanned for any Web-based software that isn’t fully patched, such as the Adobe Flash Player or Microsoft Internet Explorer browser components, Landesman said. As with many of these attacks, the Landesman said they are used to steal credit card data or lift victim bank login credentials.
A later search found that nearly 300,000 websites may have been hit by the attack. It’s important to note that the attacks target any flawed website. Administrators overseeing larger websites, should pay close attention to anomalies and scan for any errors that may be used for site compromises.