en-us18.com, libid53.com and rundll92.com SQL injection attack
Another bunch of at least three domains (perhaps more) being used in SQL injection attacks are en-us18.com, libid53.com and rundll92.com. In each case the injected script points to b.js, and this then tries to redirect visitors to libid53.com/cgi-bin/index.cgi?ad.
It looks like some sort of fast flux network based on a botnet, so it's not actually very reliable and as yet it hasn't delivered a payload in our lab. The ISC indicate that the attack serves up a couple of infected Flash banners, although in this case the redirector seems to be en-us18.com/cgi-bin/index.cgi?ad.
At the moment, this merely serves up another redirector to MSN.com, but it would be easy enough for the botnet controllers to change it to a malicious payload.
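For site owners checking their own pages or database exports, the following added example (not part of the original post) scans HTML for script tags that load from the three domains named above, and also flags b.js loaded from any other external host, since more domains may be in use. The sample HTML, the `own_hosts` parameter and the example.org/example.net hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains named in this post; the post says there may be more.
KNOWN_DOMAINS = {"en-us18.com", "libid53.com", "rundll92.com"}
SCRIPT_NAME = "b.js"  # file the injected script tag points to, per the post

class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())

def classify(src, own_hosts=()):
    """Return 'known', 'suspect' or None for one script URL."""
    try:
        parts = urlsplit(src)
    except ValueError:
        return None  # not parseable as a URL
    host = (parts.hostname or "").rstrip(".")
    if not host:
        return None  # relative URL: served by the site itself
    if any(host == d or host.endswith("." + d) for d in KNOWN_DOMAINS):
        return "known"
    # Same file name on an unlisted external host: worth a manual look.
    if host not in own_hosts and parts.path.rsplit("/", 1)[-1].lower() == SCRIPT_NAME:
        return "suspect"
    return None

def scan(html, own_hosts=()):
    """Return (verdict, src) for every flagged script tag in html."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    verdicts = ((classify(s, own_hosts), s) for s in collector.sources)
    return [(v, s) for v, s in verdicts if v]

# Constructed sample page: two injected tags, one unlisted host, two benign.
SAMPLE = """<h1>Widget<script src=http://www.libid53.com/b.js></script></h1>
<p>Blue widget<script src="HTTP://EN-US18.COM/b.js"></script></p>
<script src="/static/b.js"></script>
<script src="http://cdn.example.net/b.js"></script>
<script src="https://www.example.org/js/site.js"></script>"""

if __name__ == "__main__":
    for verdict, src in scan(SAMPLE, own_hosts=("www.example.org",)):
        print(verdict, src)
```

A "known" hit in stored content means the underlying database fields need cleaning and the injectable query needs fixing, not just the rendered page.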
Some notable infected sites:
- tcpmag.com (Technology magazine - again!)
- annefrank.org (Anne Frank Museum)
- galatta.com (Indian movies)
- onefootball.dk (Sport)
- tvoneonline.com (US TV station)
- belfastcity.gov.uk (UK local government)
- marketingprinciples.com (Marketing guide)
- hobsonsbay.vic.gov.au (Australia local government)
Labels: SQL Injection, Viruses
