Rogue frames load exploit cocktail

Dec 11, 2009 11:53 GMT  ·  By

Security researchers have detected a new mass injection attack that has compromised over 130,000 websites so far. A rogue IFrame is used to exploit visitors and infect their computers with a banking trojan.

The attack apparently began in late November and has grown at a steady pace since then. A Google search for the malicious frame performed two days ago revealed 125,000 results, while a new search today resulted in 131,000 hits. On the other hand, Yahoo! reports over 300,000 results for the same query.

"The injected iframe loads the first stage of malicious content from 318x[dot]com. A series of iframes and code redirections (invisible to the user) then ensues, culminating in a rather curious method for managing the final payload (the actual malware delivery)," explains Mary Landesman, senior security researcher at Web security company ScanSafe, now part of Cisco.

According to Ms. Landesman, the purpose of the redirects is to determine the visitor's browser type, Flash Player version and other things, so that only the exploits suited to their environment are served. The exploits included in this attack target known vulnerabilities in Adobe Flash Player, Internet Explorer, Microsoft Office Web Components and two ActiveX controls.

If exploitation is successful, a trojan installer is dropped and executed on the vulnerable computer. This malware is known as Backdoor.Win32.Buzus.croo and features a rootkit component. "The Buzus family of trojans typically are remotely controlled via an IRC backdoor and typically are engaged in credit card and other banking-related theft," notes the security researcher.

The detection rate for this version of the trojan is moderate, with 29 out of 41 antivirus engines on VirusTotal able to spot it. However, one should note that some very popular engines still miss it.

The technique used to compromise these websites, SQL injection, consists of locating vulnerable script parameters that don't properly sanitize user input and exploiting them to execute rogue queries against the underlying database. It is one of the most common types of attack on the Web today; however, there are signs that the attackers in this case are not experienced with carrying out injections on a mass scale.
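As an added, defender-side example that is not part of the article: a Python sweep of a site's stored page content for IFrames pointing at hosts outside an allowlist, the kind of check a site owner would run over a database after a mass injection like this one. The content table, its rows and the allowlisted host are constructed for the example; the flagged frame uses the domain the article names (defanged there as 318x[dot]com).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import sqlite3

# Hosts this site legitimately embeds; anything else is suspicious (assumed for the example).
ALLOWED_HOSTS = {"www.example.com"}


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a document."""
    def __init__(self):
        super().__init__()
        self.frames = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.frames.append({k.lower(): (v or "") for k, v in attrs})


def is_hidden(attrs):
    """Injected frames are usually invisible to the visitor: zero-sized or hidden by style."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def suspicious_iframes(html):
    """Return (src, hidden) for every iframe whose host is not on the allowlist."""
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.frames:
        host = (urlparse(attrs.get("src", "")).hostname or "").lower()
        if host and host not in ALLOWED_HOSTS:
            hits.append((attrs["src"], is_hidden(attrs)))
    return hits


def sweep_rows(rows):
    """rows: iterable of (row_id, html_text) read from a content table."""
    return [(row_id, frames) for row_id, body in rows
            if (frames := suspicious_iframes(body or ""))]


def build_sample_db():
    """Constructed sample content table; row 2 carries an injected hidden frame."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages (body) VALUES (?)", [
        ("<p>Welcome</p><iframe src='https://www.example.com/widget'></iframe>",),
        ("<p>News</p><iframe src='http://318x.com/a.htm' width=0 height=0></iframe>",),
        ("<p>Contact us</p>",),
    ])
    return conn


def sweep_sample():
    """Run the sweep over the constructed table; only the injected row is reported."""
    return sweep_rows(build_sample_db().execute("SELECT id, body FROM pages"))
```

The same sweep applies to any text column that ends up in rendered HTML; rows that come back flagged are the ones to restore from a clean backup, after the injectable parameter itself has been fixed.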