Sponsored by..

Tuesday 3 June 2008

en-us18.com, libid53.com and rundll92.com SQL injection attack

Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad

It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicate that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad

At the moment, these merely serves up another redirector to MSN.com, but it would be easy enough for the botnet controllers to change it to a malicious payload.

Some notable infected sites:

  • tcpmag.com (Technology magazine - again!)
  • annefrank.org (Anne Frank Museum)
  • galatta.com (Indian movies)
  • onefootball.dk (Sport)
  • tvoneonline.com (US TV station)
  • belfastcity.gov.uk (UK local government)
  • marketingprinciples.com (Marketing guide)
  • hobsonsbay.vic.gov.au (Australia local government)
This is quite a fresh looking exploit, this is not comprehensive. It is very disappointing to see tcpmap.com listed yet again, and we've seen sister publication redmondmag.com infected before too.

No comments: