Asprox mass SQL injection attacks continue...
FYI..
Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.com/MCRCblog.aspx?EntryId=2002
Jul 16, 2008 - "... The attack toolkits is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file which was unique to each and every one of them.
The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."
(Screenshots available at the URL above.)
Also see:
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705
:fear::fear:
FYI..
Governmental, Healthcare, and Top Business Websites have fallen victims to the new round of Asprox mass attack
- http://www.finjan.com/MCRCblog.aspx?EntryId=2002
Jul 16, 2008 - "... The attack toolkits is designed to first search Google for webpages with the file extension [.asp] and then launch SQL injection attacks to append a reference to the malware file using the SCRIPT tag. During the first two weeks of July 2008, Finjan... detected over 1,000 unique Website domains that were compromised by this attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, we believe this is just the tip of the iceberg for the scope and impact of this attack. Among the compromised websites we found were those of respectable organizations, governmental institutes, healthcare organizations as well as high-ranked websites... Each of the 160 different domains hosting [b.js] and [ngg.js] [fgg.js] points to the location of the malicious file which was unique to each and every one of them.
The pointed iframe loads an obfuscated JavaScript code which then downloads and executes the malware on the victim machine automatically. The exploit provided by writers of the new version of NeoSploit toolkit, which uses a refreshing code for the obfuscation (using the location of the page as part of the obfuscation function)... The malicious code of the above script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation:
* MDAC Vulnerability
* QuickTime rtsp Vulnerability
* AOL SuperBuddy ActiveX Control Code Execution Vulnerability
Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine..."
(Screenshots available at the URL above.)
Also see:
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080705
:fear::fear:
