Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 7th, 2008

Another SQL Injection Worm Making Rounds With 4000 Websites Infected

Another SQL Injection worm is on the loose with about 4,000 websites infected since mid-April or a bit earlier. Right now it is unclear how do attackers access the databases, but what they are doing is putting in some scripts and IFRAMEs to take over and redirect visitors to PC infecting websites. The infection of user machines is by Real Player vulnerabilities. Those vulnerabilities are patched and detected by anti-viruses.

The script source that is injected into webpages is (or 2.js, 3.js, 4.js, 5.js). This, in turn, points to a corresponding .asp page on the same address. This in turn points back to the exploits from or the The ( domain looks like it could be set up for single flux, but it’s the same pool of IP address all the time right now. The just points to which has a short TTL, but only one IP is serving it.

According to researchers from ShadowServer, visiting a website injected with 1.js, 2.js, 3.js, 4.js, or 5.js results in the following set of requests:

a direct link to the malicious binary at hxxp://, older RealPlayer Exploit in ierpplug.dll, recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93, recent RealPlayer exploit against CLSID 2F542A2E-EDC9-4BF7-8CB1-87C9919F7F93 (only for IE7 users).

It would appear that successful exploit attempts would result in a file called “test.exe” being download from This just so happens to be the name of the file that was used in the recent attacks involving “”. However, these are very different binaries.

The malware installed is password stealer that would grab credentials from systems running Internet Explorer. The binary that is download by this attack appears to be part of a kit from Chinese malware family. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next.

The malware is downloaded from and then once installed makes the following requests back to

hxxp:// – GET request for the configuration file
hxxp:// – GET requests for a binary to download and execute
hxxp:// – GET request to report in the system name

The file 1.exe that is then installed from this trojan makes continuous outbound requests to on port 1800.

Malware Binaries:

File MD5: 8ca53bf2b7d8107d106da2da0f8ca700 (test.exe) File Size: 28301 bytes

File MD5: 5c9322a95aaafbfabfaf225277867f5b (1.exe) File Size: 38400 bytes

Blocking access to the malicious domains and sites is recommended. Using a content filter, changing DNS entries, and blocking IP addresses are all valid methods. The malicious sites/IP addresses involved in this attack: []

Note that blocking by IP address could potentially block other legitimate pages on the host (not likely in this case). It’s also generally only valid or helpful for a short period of time as attackers frequently change both IP addresses and domain names.

Some attacks are also connected to SQL Worm from

Users are advised not to visit the links and URLs mentioned above to avoid possible infection.

Email, Bookmark or Share:
  • E-mail this story to a friend!
  • Digg
  • StumbleUpon
  • Reddit
  • Technorati
  • Slashdot
  • Propeller
  • Google
  • Live
  • YahooMyWeb
  • TwitThis
  • Facebook
  • LinkedIn

More on CyberInsecure:
  • Phishing Botnet Expands By SQL Injecting Websites Found In Google
  • More Websites Are Compromised, This Time Avoiding Chinese Websites And Users
  • New Lateral SQL Injection Method To Hack Oracle Database
  • SQL Attacks Still Inject Websites Including Government Sites In US, UK
  • Intel Website Hacked, Personal Data Exposed Through SQL Injection

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Another SQL Injection Worm Making Rounds With 4000 Websites Infected

    One Response to “Another SQL Injection Worm Making Rounds With 4000 Websites Infected”

    1. The method of attack is a POST to an SQL database. There are few if any scanners that detect the POST vulnerability if the code is GET protected. A manual review of any code having access to a database would be in order. Search all files for the following string “request.querystring”. This string limits the SQL injection filtering to GETS and does not filter POSTS. To fix the problem, remove “.querystring”. There may be other attack vectors but I have seen this one successful on sites scanned and found to be safe by several security scanners.

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.