"This time, the domain name 'winzipices.Cn' is in the spotlight," Steven Adair, one of Shadowserver's global base of security volunteers, wrote in a blog post. "It has managed to find itself in the source of over 4,000 pages, according to Google.”
Although the unknown attackers are using many of the same techniques involved in earlier SQL injection attacks, the malware and malicious file trail they are relying on in this case differ from earlier attacks, Adair said. In each case, however, they rely on iFrames to redirect infected website visitors to other pages.
Previous SQL injection attacks uncovered by Shadowserver installed a piece of malware that can steal passwords from systems running Microsoft's Internet Explorer, Adair said. The malware associated with the new attacks "appears to be part of a kit we have seen in the Chinese malware family for some time now."
Once installed, the new malware downloads a configuration file with several commands that instruct the infected system what to do next. In this case, it downloads yet another file and reports to another URL.
The malware is also capable of address resolution protocol (ARP) spoofing and injecting malicious code into web pages of other users in the infected system's local network, Adair added. ARP snooping can allow an attacker to examine data frames on an Ethernet LAN that can result in a denial of service attack.
"The iFrames [in this attack] are all pointing to 'bulletproof' machines in China," John Bambenek, an incident handler with the SANS Internet Storm Center and a research programmer at the University of Illinois, told SCMagazineUS.com Wednesday. "The iFrames don't seem to be redirecting the user in an overt way, just trying to silently slip malware in using exploits we've known about for months.”
"It looks like [the attackers] are just accumulating machines for a botnet," Bambenek added. "The malware isn't particularly interesting, your run-of-the-mill stuff. One interesting feature is that it will spoof web traffic on the LAN to try to inject malware on neighboring machines.”
Website attacks continue
By Jim Carr on May 9, 2008 9:55AM