ScanSafe, which first reported the attack yesterday when it was at about 125,000 sites, first noticed the attack on Nov. 21. The attack loads malware from 318x.com, which then installs a rootkit-enabled version of the Buzus backdoor Trojan -- best known for credit card and other financial data theft.
Mary Landesman, senior security researcher at ScanSafe, blogged that Buzus Trojans are typically controlled via an IRC backdoor channel. "The attack appears to be a work in progress," Landesman says in her post. "As we've been monitoring the malware scripts used in the final stage attacks, some scripts are being changed, some removed, and new ones are being introduced. Many of the files have .jpg extensions, but all are simply .js files."
And unlike many of these types of attacks, it does not use a PDF exploit, but rather a mix of Adobe Flash Player, Microsoft Office Web Components, Microsoft ActiveX, Microsoft video, and Internet Explorer exploits.
So far the affected Websites in the SQL injection attacks are a mix of sizes and geographic locations, including the City of Iowa and The Yemen Times, which can be found via a Google search of the iFrame.
Landesman describes the attack as first loading the injected iFrame from 318x.com. "A series of iframes and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload (the actual malware delivery)," she blogs. "When users visit a compromised Web page, the injected iframe executes a script that creates a new iframe to 318x.com/a.htm."
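For site operators checking whether their own pages carry the injected iframe described above, or serving the .jpg-named files that are really JavaScript (as Landesman notes), here is an added defender-side scanner; it is not ScanSafe's tooling or code from the article. The sample page and file bytes are constructed for the example, the loader host 318x.com is the one the article names, and "example.org" stands in for the site's own hostname.

```python
import re
from urllib.parse import urlparse

# Constructed sample page (not a real capture): one legitimate widget iframe
# and one injected, zero-size iframe pointing at the loader domain from the article.
SAMPLE_HTML = """<html><body><p>City news</p>
<iframe src="https://cdn.example.org/widget.html" width="300" height="200"></iframe>
<IFRAME src='http://318x.com/a.htm' width=0 height=0 style="display:none"></IFRAME>
</body></html>"""

IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.I)
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|([^\s>]+))')

def iframe_attrs(tag):
    """Return an iframe tag's attributes as a lowercase-keyed dict (quoted or bare values)."""
    return {m.group(1).lower(): (m.group(2) or m.group(3) or m.group(4) or "")
            for m in ATTR_RE.finditer(tag)}

def find_injected_iframes(html, site_host):
    """Flag iframes that point off-site or are hidden (zero size, display:none, visibility:hidden)."""
    hits = []
    for tag in IFRAME_RE.findall(html):
        a = iframe_attrs(tag)
        host = urlparse(a.get("src", "")).hostname
        offsite = host is not None and host != site_host and not host.endswith("." + site_host)
        style = a.get("style", "").replace(" ", "").lower()
        hidden = (a.get("width") == "0" or a.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        if offsite or hidden:
            hits.append({"src": a.get("src", ""), "host": host, "offsite": offsite, "hidden": hidden})
    return hits

JPEG_MAGIC = b"\xff\xd8\xff"          # every JPEG starts with this SOI marker
SCRIPT_HINTS = re.compile(rb"document\.write|unescape\(|eval\(|createElement\(|<iframe", re.I)

def is_disguised_script(filename, data):
    """True when a file named .jpg/.jpeg lacks the JPEG header and its head reads like JavaScript."""
    if not filename.lower().endswith((".jpg", ".jpeg")):
        return False
    if data.startswith(JPEG_MAGIC):
        return False
    return SCRIPT_HINTS.search(data[:1024]) is not None

if __name__ == "__main__":
    for hit in find_injected_iframes(SAMPLE_HTML, "example.org"):
        print("suspicious iframe:", hit)
```

Run it over saved copies of served pages and over the web root's image directories; a flagged iframe or a script-looking .jpg is a lead to verify by hand, not proof of compromise on its own.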
About half of antivirus vendors -- 22 of 40 -- can detect this attack so far, according to VirusTotal.