(LiveHacking.Com) - An SQL injection attack that infects web pages and causes drive by downloads of malware is spreading rampantly. Reported last week by Armorize, the SQL injection attack which targets ASP.NET sites, had infected some 180,000 pages. The Register reported on Friday that this number had grown to over 600,000. Now according to Google search the number of infected web pages is over 1,000,000.
Infected sites carry invisible links to sites including jjghui.com and nbnjkl.com. These sites in turn redirect to several other websites, including www3.strongdefenseiz.in and www2.safetosecurity.rr.nu, that include hidden code to exploit known vulnerabilities in Adobe PDF, Adobe Flash or Java. Any PC with un-patched versions of these programs will most likely become infected with malware. Servers used in the attack have IP addresses based in the US and Russia.
This current round of SQL injection attacks seem to be similar to the LizaMoon attacks which appeared in March and April of this year. The Security company Securi has noted that registration information for the domains used in this attack are the same as the one used on the earlier Lizamoon domains:
Technical Contact: James Northone firstname.lastname@example.org +1.5168222749 fax: +1.5168222749 128 Lynn Court Plainview NY 11803 us
One thing worth noting is that at the time of the LizaMoon attacks Google mentioned that:
“Google Search results aren’t always great indicators of how prevalent or widespread an attack is as it counts each unique URL or page, not domain or site, but it does give some indication of the scope of the problem if you look at how the numbers go up or down over time.”
Sites can be scanned to make sure they are clean (or not) at http://sitecheck.sucuri.net