Mass SQL Injection Leads to FakeAV (April 1, 2011)
SonicWALL UTM Research team received reports of a mass SQL injection infecting millions of websites. It is likely that the back-end databases of these websites were compromised leading to this SQL injection.
Malicious script codes were inserted and being served in webpages which when triggered redirects to malicious link that serves FakeAV malware.
Following are some of the reported Malicious URL inserted on compromised webpages:
- alexblane(dot)com/ur.php
- alisa-carter(dot)com/ur.php
- books-loader(dot)info/ur.php
- lizamoon(dot)com/ur.php
- milapop(dot)com/ur.php
- t6ryt56(dot)info/ur.php
- tadygus(dot)com/ur.php
- Worid-of-books(dot)com/ur.php
All of these URLs resolve to single ip:
- 91.213.29.182
Malicious codes were inserted as shown in the image below:
Google result shows some of the websites that were compromised:
When a user clicks on these links, they will be redirected to a malicious website that serves FakeAV.
Eventually, it will serve the malicious file for download as freesystemscan.exe as shown in this instance. The filename however can change over time.
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
- GAV: ScrInject.UR (Trojan)
- GAV: Suspicious#asprotect (Trojan)
