The Latest in IT Security

Dissecting the Ongoing Mass SQL Injection Attack


The ongoing mass SQL injection attack, has already affected over a million web sites. Cybercriminals performing active search engines reconnaissance have managed to inject a malicious script into ASP ASP.NET websites.

From client-side exploits to bogus Adobe Flash players, the campaign is active and ongoing. In this intelligence brief, we’ll dissect the campaign and establish a direct connection between the campaign and last March’s Lizamoon mass SQL injection attack.

SQL injected domains: – – Email: [email protected] – – Email: [email protected] – – Email: [email protected] – – Email: [email protected]

Responding to is also; and – Email: [email protected]

Detection rate for urchin.js:
urchin.js – Trojan.JS.Redirector – 17/42 (40.5%)
MD5   : 4387f9be5af4087d21c4b44b969a870f
SHA1  : 8a47842ccf6d642043ee8db99d0530336eef6b99
SHA256: 975e62fe1d9415b9fa06e8f826f776ef851bd030c2c897bc3fbee207519f8351

The redirections take place as follows:

  • -> – Email: [email protected] ->
  • -> – Email: [email protected]

[email protected] has also been used to register the following scareware-serving domains:

For the time being, the campaing is redirecting to a fake YouTube page enticing users into downloading a bogus Adobe Flash player in order to view the video.

Detection rate for the bogus Adobe Flash player:
scandisk.exe – Backdoor:Win32/Simda.A – 8/43 (18.6%)
MD5   : fb4c93935346d2d8605598535528506e
SHA1  : 0ff7ccd785c0582e33c22f9b21156929ba7abaeb
SHA256: b204586cbac1606637361dd788b691f342cb1c582d10690209a989b040dab632

Upon execution the sample phones back to:

The Lizamoon mass SQL injection connection

The same email used to register the SQL injected domains [email protected] has been used to register the Lizamoon mass SQL injection attack domains extensively profiled here – “Dissecting the Massive SQL Injection Attack Serving Scareware“.

Related posts:

This post has been reproduced from Dancho Danchev’s blog. Follow him on Twitter.

Leave a reply



Mission-Critical Broadband – Why Governments Should Partner with Commercial Operators:
Many governments embrace mobile network operator (MNO) networks as ...

ARA at Scale: How to Choose a Solution That Grows With Your Needs:
Application release automation (ARA) tools enable best practices in...

The Multi-Model Database:
Part of the “new normal” where data and cloud applications are ...



Latest Comments