Sponsored by..

Wednesday, 18 June 2008

HTM Hell

One feature of these recent SQL Injection attacks is that the same sites will get repeatedly hit. So an infected site might have any number of malware-laded domains injected into the code. Click the image below to see a snippet from a really badly infected site.

The interesting thing about these attacks is that they are not very reliable. It's perfectly possible to visit an infected site and have the javascript fail to load because that particular node of the fast flux botnet is offline - but where there are several calls to several different domains, then the likelihood of infection is much greater. The upside is that any sharp-eyed user should notice something odd with these badly infected pages.


DB said...

The b.js script has a link to a cgi script. Does anyone have an example of the cgi script? I'd like to know what it does. Thanks.

Tyson said...

Is there a compiled list somewhere of the domains hosting the malicious content?
This would be quite useful for blocking at things like corporate proxies...

DB said...

Just for info, the cgi files i've read up on so far try and run two flash files which exploit Flash player. Anti virus will pick up the files, web security should block them anyway and abode have new version of Flash 9.0.124 with fix.
Some known domains - link taken from post on 20th June. http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514