The websites compromised by the SQL injection attacks, infect users with the trojan Trojan.Buzus, which runs silently in the background. The trojan steals passwords, financial data, and other sensitive information, the eSoft Threat Prevention Team said in a blog post.
The same script is injected several times in and around the title and meta tags, and in other locations. The sites compromised by the SQL injection attacks share the common characteristics of “script src=http” and a varying script source, eSoft said.
Injected domains include the following (the number indicates the amount of compromised websites eSoft found using Google search):
| wgwgg.cn | 383 000 |
| a.ll8cc.cn | 7040 |
| asa.ss.la | 14 300 |
| 1.ll8cc.cn | 179 000 |
| 252a.cn | 21 300 |
| Kun0o.cn | 1650 |
| 65gd.cn | 541 000 |
The domains host the same javascript using small or hidden iframes to redirect users to other malicious websites where the final payload is delivered.
According to eSoft, the SQL injection attack uses the same technique described by Scansafe last week in the 318x injection where around 300 000 websites were compromised.
eSoft said it is adding detection for the SQL injection attacks and flagging any compromised websites.