December 17th, 2008

Thousands of legitimate sites SQL injected to serve IE exploit

Posted by Dancho Danchev @ 1:19 pm

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Exploit code, Governments, Hackers, Malware, Microsoft, Passwords, Patch Watch, Pen testing, People's Republic of China, Privacy, Spyware and Adware, Windows Vista

Tags: Security, SQL Injection, Passwords, Internet Explorer, XML, Windows XP, Windows Vista, Dancho Danchev

Once again confirming the trend of legitimate sites serving more exploits and malware than purely malicious ones, Chinese hackers have kept themselves busy over the last couple of days, launching massive SQL injection attacks affecting over 100,000 web sites.

The SQL injection attacks, which serve the just-patched Internet Explorer XML parsing exploit, are launched by several different Chinese hacking groups and, with a few exceptions, primarily target Asian countries. That is a logical move, given that what is ultimately served is password-stealing malware for online games.
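Campaigns of this kind inject markup into the text columns of a site's database so that every page rendered from those rows loads the exploit from a third-party host. The following is an added example, not code from the original post: a small Python scan a site operator can run against their own content store to find rows whose stored HTML references an off-site script or iframe. The table name, column names, the hostname `example-site.invalid` and the sample rows are all constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hypothetical hostname of the site being checked; any other host is treated as off-site.
OWN_HOST = "example-site.invalid"

# Injected markup in these campaigns is usually a <script> or <iframe> element whose
# src attribute points at a host the site does not control. Capture the tag name and src.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)",
    re.IGNORECASE,
)


def external_sources(html, own_host=OWN_HOST):
    """Return (tag, src) pairs in `html` whose src points at a host other than own_host.

    Relative URLs (hostname None) and references back to own_host are ignored, so the
    site's own assets do not show up as findings.
    """
    hits = []
    for tag, src in TAG_RE.findall(html or ""):
        host = urlparse(src).hostname  # handles http://, https:// and protocol-relative //host/
        if host and host != own_host.lower():
            hits.append((tag.lower(), src))
    return hits


def scan_table(conn, table, key_col, text_cols, own_host=OWN_HOST):
    """Scan every text column of `table` and list rows that carry off-site script/iframe src.

    Table and column names come from the operator's own configuration, never from user
    input, which is why simple string formatting is acceptable here.
    """
    findings = []
    cols = ", ".join([key_col] + list(text_cols))
    for row in conn.execute(f"SELECT {cols} FROM {table} ORDER BY {key_col}"):
        key, *values = row
        for col, value in zip(text_cols, values):
            for tag, src in external_sources(value, own_host):
                findings.append({"row": key, "column": col, "tag": tag, "src": src})
    return findings


def build_sample_db():
    """Constructed in-memory CMS table: two clean rows and two rows with injected markup."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    rows = [
        (1, "Welcome", "<p>Hello</p><script src='/js/site.js'></script>"),
        (2, "News", "<p>Update</p><script src=\"http://injected-host.invalid/x.js\"></script>"),
        (3, "About", "<p>Us</p><iframe src=//injected-host.invalid/f.htm width=0 height=0></iframe>"),
        (4, "Contact", "<p>Mail us</p>"),
    ]
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", rows)
    conn.commit()
    return conn


if __name__ == "__main__":
    for finding in scan_table(build_sample_db(), "articles", "id", ["title", "body"]):
        print(finding)
```

Run against a real content database, the scan should be pointed at every free-text column, not just the obvious article body, since mass injection tools append the same markup to any column they can write to. The row keys in the findings are what you need to clean the content and to correlate with web server logs for the time window of the injection.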

Which is the most targeted country?

According to stats from Symantec, China ironically remains the country most actively targeted by the IE exploit; ironic in the sense that it was Chinese researchers who leaked the exploit in the first place. Moreover, the 100,000 web sites that Symantec cites as infected should be taken as a very conservative figure, since more domains are still being injected and, as in previous campaigns, the number of affected sites can change very quickly.

Consider the big picture for a moment. With or without a patch for the IE exploit, cybercrime committed through the exploitation of already-patched client-side vulnerabilities will continue to grow; it has done so throughout 2008. Although old-fashioned compared to Russian cybercriminals, who would have included the exploit in their web malware exploitation kits and served banker malware instead of password-stealing malware, the Chinese attackers appear well aware of this trend: all of the sites serving the IE exploit also serve several other exploits, targeting Adobe Flash, Acrobat Reader and RealPlayer for starters.

Recent studies continue to emphasize that millions of users not only keep browsing the web with insecure browsers, but are also so focused on browser vulnerabilities that they ignore the rest of the software running on their PCs as a potential infection vector, even though they are running insecure versions of it (and they are). Cybercriminals are aware of this insecure browsing and therefore include sets of exploits targeting every version of a given piece of software known to be vulnerable, in order to increase the chances of a successful infection. This SQL injection attack is the most recent example of that mentality.

In 2008, cybercriminals continue to infect thousands of new hosts daily using 2007's critical vulnerabilities, because instead of patching vulnerable software, the majority of end users remain comfortable with a false sense of security.

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response. He has been an active security blogger since 2007 and maintains a popular security blog. See his full profile and disclosure of his industry affiliations.

Talkback (most recent of 57)
Thousands of legitimate sites SQL injected to serve IE exploit
When you folks use the term SQL do you mean database Structured Query Language or Standard Query Language?

Interested Amateur...
Posted by: interested_amateur@... Posted on: 05/31/09
This is why Firefox + NoScript isn't a magic fix  NonZealot | 12/17/08
Not magic, but more effective than you think  Giorgio Maone | 12/17/08
Excellent info  NonZealot | 12/17/08
How is this different than IE's whitelist for scripts? (nt)  ye | 12/17/08
Er, you are still vulnerable in IE7  nilotpal_c | 12/18/08
What?  JCitizen | 12/19/08
You cannot disable iframes  nilotpal_c | 12/20/08
No Script Still no magic bullet  dunn@... | 12/19/08
You're Making Wrong Assumptions happy  Giorgio Maone | 12/19/08
My experience with it..  JCitizen | 12/19/08
You are Right. However...  rjacksix | 12/22/08
If you wanted to  AzuMao | 12/30/08
To the point  gourddancer1@... | 12/23/08
Does Bill Gates know you use Firefox? [nt]  olePigeon | 12/18/08
NoScript in FF == security level:high in IE?  Earthling2 | 12/18/08
NoScript is much better  Giorgio Maone | 12/18/08
No addon or security suite is better than  soonerproud | 12/18/08
Limited Accounts (and sandboxes) are Overrated  Giorgio Maone | 12/18/08
Not once has  soonerproud | 12/18/08
Giorgio is right...  JCitizen | 12/19/08
NoScript works for me  howdougd@... | 12/19/08
Don't forget to patch Firefox  Earthling2 | 12/18/08
I answered to this one yesterday happy  Giorgio Maone | 12/18/08
EXCEPT...  rjacksix | 12/22/08
I purchased Zone Alarm Forcefield, but...  I am Gorby | 12/18/08
ZDNet disappoints again  ejhonda | 12/18/08
LOL Are You Kidding?!?!?  itanalyst2@... | 12/18/08
So...  ejhonda | 12/18/08
I Visit  itanalyst2@... | 12/18/08
You forgot ZDnet in your list. (NT)  kozmcrae | 12/21/08
7  harrisharris | 12/22/08
Zdnet's the ilove Apple and what did MS blowup today  Boot_Agnostic | 12/18/08
I guess you haven't read...  kozmcrae | 12/21/08
this is the evidence that NoScript is useless  qmlscycrajg | 12/18/08
The real answer  soonerproud | 12/18/08
somebody hasn't been reading  rileinc | 12/18/08
No It Hasn't...  dunn@... | 12/19/08
You Apparently Did Not Read the Original Report Either...  Giorgio Maone | 12/19/08
Sorry, but...  rjacksix | 12/22/08
Surely the real story is the SQL vulnerability  BagEmk | 12/18/08
You're 100% correct.....  dunn@... | 12/19/08
Secunia PSI is your friend!...=)  JCitizen | 12/19/08
May Not Be a SQL Server Issue  HENpp | 12/19/08
In the case of iFrames...  JCitizen | 12/19/08
Re: SQL Vulnerability  harrisharris | 12/22/08
Ironic?  Fred Fredrickson | 12/18/08
RE: Thousands of legitimate sites SQL injected to serve IE exploit  Old Timer 8080 | 12/19/08
Re: Unplug  harrisharris | 12/22/08
RE: Thousands of legitimate sites SQL injected to serve IE exploit  gennx30 | 12/22/08
Serves them right !  Gradius2 | 12/25/08
And what about us private individuals?  lashru | 12/29/08
servage.net sucks!  Anonymous Benefactor | 01/14/09
Uh I hate to break it to you  AzuMao | 01/15/09
RE: Thousands of legitimate sites SQL injected to serve IE exploit  Anonymous Benefactor | 01/14/09
And ISPs can't block this domain from their DNS?  DocNasty | 01/16/09
Re: "just block them lololol!"  AzuMao | 01/17/09
Thousands of legitimate sites SQL injected to serve IE exploit  interested_amateur@... | 05/31/09
