Vendor warns of 'Chinese' website attacks

Security vendor ScanSafe has warned of a wave of SQL injection attacks that has affected over 7,000 web pages.

The attackers appear to be avoiding compromising Chinese government websites, while the attack code contains the text string "Silent love China", wrote ScanSafe researcher Mary Landesman in a blog post.

The attack, which began on Saturday, focused on systems running Microsoft SQL Server and ASP, and quickly infected thousands of web pages, according to the researcher. "The Yahoo search engine revealed 7,020 compromised pages over the course of the weekend," said Landesman.

Compromised sites include IPO listings on kgieworld.com, a Hong Kong stock brokerage, worldoil.com, and redmondmag.com, which should not be confused with redmondmagazine.com, a site for Microsoft developers.

Successful exploitation of a victim's computer leads to the installation of a password-stealing Trojan and a rootkit.

When a user visits a compromised page, their browser is redirected via SQL injection to another page, which in turn loads a second iframe. That iframe loads a script that assesses the victim computer for various vulnerabilities, including a memory corruption flaw in RealPlayer, reported in CVE-2008-1309.

Depending on whether the victim's computer is susceptible, it will be redirected to load content from one of several exploit pages. Successful exploitation results in the installation of the password-stealing Trojan. This password-stealer hooks into the Windows shell using the Control_RunDLL function.

IT professionals can use web-scanning and filtering technologies to gauge compromised sites, Landesman recommended.