LizaMoon, Etc. SQL Injection Attack Still On-going
We’re currently monitoring a still-ongoing mass compromise involving a great number of websites. The compromised sites have been injected with a malicious script that triggers redirects to certain URLs which lead to malware such as FAKEAV.
Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics and others.
More URLs Involved
Investigation revealed that 4 URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server – a known malicious IP being monitored by Trend Micro researchers. Thus, the related URLs have been proactively blocked by Trend Micro since as early as March 25, 2011:
- Worid-of-books(dot)com/ur.php
- alexblane(dot)com/ur.php
- alisa-carter(dot)com/ur.php
- lizamoon(dot)com/ur.php
- t6ryt56(dot)info/ur.php
New developments are currently being observed: compromised websites that were previously injected with a script pointing to lizamoon(dot)com/ur.php have since been modified to connect to tadygus(dot)com/ur.php instead. This URL also resolves to the same IP server as the 4 previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to, since the previous ones are already being blocked.
Infection Chain Leads to FAKEAV and WORID
So far the infection chain has been typical: visiting a compromised website that carries the malicious script leads to one of the above-mentioned URLs, which then triggers a series of redirections that finally lead to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. The scan is of course fake; it is the first part of the whole FAKEAV scam, followed by a prompt to download a malicious file disguised as an installer.
Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.
Web compromises such as this one are not uncommon, but they do pose a great threat, especially if a website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network, protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files are detected.
Website owners who suspect that their website has been compromised are advised to clean up their sites as soon as possible.
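As an added example (not code from the original post or from Trend Micro), the following Python check lets a site owner scan saved page HTML for external script tags that point at the hosts listed above. It assumes the injected script takes the form of a `<script src=...>` tag referencing one of those hosts; the sample page is constructed for the demonstration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post, kept in defanged "(dot)" form and normalised
# for matching below.
DEFANGED_HOSTS = [
    "Worid-of-books(dot)com",
    "alexblane(dot)com",
    "alisa-carter(dot)com",
    "lizamoon(dot)com",
    "t6ryt56(dot)info",
    "tadygus(dot)com",
]


def refang(host):
    """Turn a defanged host such as lizamoon(dot)com into lizamoon.com."""
    return host.replace("(dot)", ".").lower()


KNOWN_HOSTS = {refang(h) for h in DEFANGED_HOSTS}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a page."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def find_injected_scripts(html, known_hosts=KNOWN_HOSTS):
    """Return external script sources whose host is on the known list."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    # hostname handles absolute and scheme-relative (//host/path) sources
    return [s for s in parser.srcs
            if (urlparse(s).hostname or "").lower() in known_hosts]


# Constructed sample: a benign page with one injected tag appended to <title>.
SAMPLE_PAGE = (
    "<html><head><title>Club news</title>"
    '<script src="http://lizamoon.com/ur.php"></script></head>'
    '<body><p>Welcome</p><script src="https://cdn.example.org/site.js">'
    "</script></body></html>"
)
```

Running `find_injected_scripts` over a site's stored pages or exported database text fields flags the tags that need removing; the host list can be extended as new redirect URLs appear.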
Post from: TrendLabs | Malware Blog – by Trend Micro