Adobe's Serious Magic site SQL Injected by Asprox botnet

According to SophosLabs Adobe's owned seriousmagic.com has been automatically SQL injected by the Asprox botnet, becoming the very latest high profile legitimate web sites injected with links to exploits and malware serving sites :"The infection, which resides at hxxp://www.

Adobe asprox malware
According to SophosLabs Adobe's owned seriousmagic.com has been automatically SQL injected by the Asprox botnet, becoming the very latest high profile legitimate web sites injected with links to exploits and malware serving sites :

"The infection, which resides at hxxp://www.seriousmagic.com/help/tuts/tutorials.cfm?p=1, instructs users browsers to silently install a malicious file from a series of domains known to host attack sites. Adobe announced its acquisition of Serious Magic two years ago and whois records indicate the company is the owner of the seriousmagic.com domain.

According to this post from anti-virus provider Sophos, Adobe was notified of the infected page on Friday. The Register visited the link (using a virtual machine, of course) on Thursday and found it was still trying to redirect users to a series of nefarious sites including hxxp://abc.verynx.cn/ w.js and hxxp://1.verynx.cn/w.js. While those links no longer appeared to be active, two other sites used in the attack, hxxp://jjmaobuduo.3322.org/csrss/ w.js and hxxp://www2.s800qn.cn/csrss/ new.htm, were still active at time of writing."

With the asprox botnet making an appearance at the sites of Redmond magazine, and Sony Playstation in May and June respectively, seriousmagic.com is once again among the several hundred sites injected with the same malicious domains.  Let's take a peek at this malware campaign, and see where it ends.

Adobe asprox malware
In short, every tutorial entry is SQL injected with a malicious domain, which means that if there are 60 tutorial entries, the malicious javascript loads 60 times ending up in an endless loop of redirections to other malware and advertising revenue earning domains set up in this campaign. More specifically, the malicious w.js attempts to execute a multitude of already patched client-side exploits, using the following structure and ultimately leading to a copy of Worm.Win32.AutoRun.qtg with a high detection rate (29 AV scanners out of 36 detect it - 80.56%) :

www2.s800qn.cn /csrss/ new.htm www2.s800qn.cn /csrss/ flash.htm www2.s800qn.cn /csrss/ i1.htm www2.s800qn.cn /csrss/ f2.htm www2.s800qn.cn /csrss/ i1.html www2.s800qn.cn /csrss/ flash112.htm www2.s800qn.cn /csrss/ ff.htm www2.s800qn.cn /csrss/ xl.htm www2.s800qn.cn /csrss/ mi.htm www2.s800qn.cn /csrss/ real10.htm www2.s800qn.cn /csrss/ real11.htm bbexe.com /csrss/ rondll32.exe

Despite Adobe's delayed response and the fact that the domains are still active, they seem to have solved the issue by redirecting all traffic from the site to the clean adobe.com.