Simply Security - News, Views, and Opinions from Trend Micro

LizaMoon, Etc. SQL Injection Attack Still Ongoing

Posted on March 31st, 2011 in Current News, Cybercrime by TrendLabs

We’re currently monitoring a still-ongoing mass compromise involving a large number of websites. The compromised sites have been injected with a malicious script that redirects visitors to certain URLs, which in turn lead to malware such as FAKEAV.

Based on Google searches, there is no common denominator in terms of the industry to which the compromised sites belong. We saw compromised websites related to astronomy, clubs, hospitals, sports, funeral homes, electronics, and others.

More URLs Involved

Investigations revealed that five URLs were used for the attack and were inserted into the compromised sites through SQL injection. The said URLs all resolve to a single IP server, a known malicious IP that Trend Micro researchers are monitoring. Accordingly, the related URLs have been proactively blocked by Trend Micro since as early as March 25, 2011:

  • {BLOCKED}of-books.com/ur.php
  • {BLOCKED}ane.com/ur.php
  • {BLOCKED}carter.com/ur.php
  • {BLOCKED}on.com/ur.php
  • {BLOCKED}6.info/ur.php

New developments are currently being observed. We’re seeing compromised websites that were previously injected with a script leading to {BLOCKED}on.com/ur.php now modified to connect to {BLOCKED}s.com/ur.php instead. The new URL also resolves to the same IP server as the four previously mentioned URLs. It is possible that the cybercriminal behind this attack is updating the compromised sites with new URLs to connect to because the previous ones are already being blocked.

Infection Chain Leads to FAKEAV and WORID

So far, the infection chain has been typical. Visiting a compromised website that carries the malicious script leads to one of the above-mentioned URLs, which then triggers a series of redirections, finally leading to the download of malicious files. The redirections are visible to the user, as the displayed pages show a fake antivirus scan. That scan is the first part of the whole FAKEAV scam and is followed by a prompt to download a malicious file disguised as an installer.

Retrieved samples from active instances are now detected as TROJ_FAKEAV.BBK and TROJ_WORID.A.

Web compromises such as this one are not uncommon, but they do pose a great threat, especially if a website with high incoming traffic is among those compromised. Trend Micro, through the Smart Protection Network™, protects users from being affected by this compromise, as the related malicious URLs are already blocked and the malicious files are detected.

Website owners who suspect that their websites have been compromised are advised to clean up their sites as soon as possible.
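As a defensive illustration added to this post (not Trend Micro's code), the script below scans dumped text columns for injected script tags whose source path ends in /ur.php. It matches on the shared path rather than on hostnames, because the post shows the attacker re-pointing compromised pages from one host to another while the path stayed the same; all hostnames and rows in the sample are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Matches a <script> tag with a src attribute, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(
    r'<script\b[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)


def injected_script_urls(text, path_suffix="/ur.php"):
    """Return the src values of script tags in `text` whose URL path ends
    with `path_suffix`. Checking the path instead of the hostname keeps the
    check useful when the attacker rotates to a new host (as the post saw
    with {BLOCKED}on.com being replaced by {BLOCKED}s.com)."""
    hits = []
    for match in SCRIPT_SRC_RE.finditer(text):
        src = match.group(1)
        # Normalise scheme-less, protocol-relative and relative sources to a
        # leading-slash path so the suffix comparison is uniform.
        path = "/" + urlparse(src).path.lstrip("/")
        if path.lower().endswith(path_suffix):
            hits.append(src)
    return hits


def scan_rows(rows, path_suffix="/ur.php"):
    """Scan (table, column, primary_key, value) tuples, e.g. exported from a
    site's text columns, and report which rows carry the injected tag so the
    owner knows exactly what to clean."""
    findings = []
    for table, column, pk, value in rows:
        for url in injected_script_urls(value, path_suffix):
            findings.append({"table": table, "column": column,
                             "id": pk, "src": url})
    return findings


# Constructed sample rows; the .invalid hostnames are placeholders only.
SAMPLE_ROWS = [
    ("news", "body", 1, "<p>Welcome</p><script src=http://old-host.invalid/ur.php></script>"),
    ("news", "body", 2, '<p>Hours</p><script src="http://new-host.invalid/ur.php"></script>'),
    ("news", "body", 3, '<p>Clean</p><script src="/js/site.js"></script>'),
    ("news", "title", 4, "Spring sale"),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print(f"{hit['table']}.{hit['column']} id={hit['id']}: {hit['src']}")
```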

Post from: TrendLabs | Malware Blog – by Trend Micro
