New SQL injection making the rounds?

SophosLabs has been tracking the results of what looks like a new SQL injection over the last week and updating detections to Mal/Badsrc-C to deal with it.

The script tag injected is now using port 8080 like similar campaigns recently.

<script type="text/javascript" src="http:\/\/[a-z]{1,10}\.[a-z0-9-_]{1,30}\.[a-z]{2,4}:8080\/[A-Z][A-Za-z0-9-_]{1,20}\.js"></script>

Here the src attribute has been replaced by a regex, and the HTML comment has also been replaced.

This type of construction is used legitimately as well as maliciously which makes the detection difficult!
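As an added example (not part of the original post and not Sophos' Mal/Badsrc-C or Sus/Badsrc-F logic), the following Python script applies the src pattern quoted above to the script tags of a page and then splits the matches against an allowlist of known hosts, which is one practical way to deal with the fact that the same construction appears on legitimate pages. The sample HTML, the host names and the allowlist are all constructed for the example.

```python
import re
from urllib.parse import urlparse

# Constructed detector, not a Sophos signature. It mirrors the src pattern
# quoted in the post: a host on port 8080 and a .js file whose name starts
# with an upper-case letter. The character classes are written as
# [a-z0-9_-] (hyphen last) so no regex engine reads "9-_" as a range, and
# the slashes are unescaped because Python regexes do not need "\/".
INJECTED_SRC = re.compile(
    r"^http://[a-z]{1,10}\.[a-z0-9_-]{1,30}\.[a-z]{2,4}:8080/[A-Z][A-Za-z0-9_-]{1,20}\.js$"
)

# Any <script ...> tag carrying a src attribute; attribute order and quote
# style vary in the wild, so the tag is matched loosely and the src
# attribute is located inside it. The lookbehind keeps "data-src" from
# being mistaken for "src".
SCRIPT_TAG = re.compile(
    r"<script\b[^>]*(?<![\w-])src\s*=\s*['\"]([^'\"]+)['\"][^>]*>",
    re.IGNORECASE,
)

# Constructed allowlist: hosts the site operator knows they legitimately
# load scripts from, even over port 8080.
KNOWN_GOOD_HOSTS = {"cdn.example.com"}

# Constructed sample page: two ordinary script tags, one legitimate-looking
# tag that nevertheless matches the pattern, and one tag that looks like
# the injection described in the post.
SAMPLE_PAGE = """<html><head>
<script type="text/javascript" src="/static/jquery.min.js"></script>
<script type="text/javascript" src="http://cdn.example.com:8080/Lib-Analytics.js"></script>
<script src='http://www.example.net/app.js'></script>
</head><body>
<p>constructed page body</p>
</body></html>
<script type="text/javascript" src="http://abc.bad-example.com:8080/Zxqw1.js"></script>
"""


def find_suspicious_scripts(html: str) -> list[str]:
    """Return every script src in `html` that matches the injection pattern."""
    hits = []
    for match in SCRIPT_TAG.finditer(html):
        src = match.group(1).strip()
        if INJECTED_SRC.match(src):
            hits.append(src)
    return hits


def triage(html: str, allowlist: set[str] = KNOWN_GOOD_HOSTS) -> dict[str, list[str]]:
    """Split pattern matches into allowlisted hosts and ones that need a look.

    The pattern alone cannot tell a legitimate 8080 script from an injected
    one, so a host allowlist (or any other context the operator has) is what
    turns a regex hit into an alert worth acting on.
    """
    result: dict[str, list[str]] = {"allowlisted": [], "suspicious": []}
    for src in find_suspicious_scripts(html):
        host = urlparse(src).hostname or ""
        bucket = "allowlisted" if host in allowlist else "suspicious"
        result[bucket].append(src)
    return result


if __name__ == "__main__":
    for bucket, srcs in triage(SAMPLE_PAGE).items():
        for src in srcs:
            print(f"{bucket}: {src}")
```

Run against the constructed page, the allowlisted CDN script and the injected-looking one both match the regex; only the latter lands in the "suspicious" bucket, which is the distinction a web filter or site scanner needs before it blocks anything.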

We were alerted to this attack over the last week by seeing feedback from the Sophos Web Appliance (SWA) of Troj/ExpJS-W, Troj/PDFJs-JS, and Troj/JSRedir-AR. So on Wednesday, SophosLabs released a Suspicious detection (Sus/Badsrc-F) to the SWA to gather data on this injection.

Several high profile sites are currently compromised with this injection:

  • A publicly-owned business development company in Southern US.
  • An Islamic Cultural Centre in London, UK.
  • A hunting site in New England, US.
  • A fan site for LOTR movies.
  • A cooking shop in North Rhine-Westphalia, Germany.
  • A French jewellery site.
  • And a sex blog!

Most of these sites are blocked by Google Safe Browsing (see StopBadware). I have contacted a number of the sites with no success, only to find out, in the first case, that the admins are taking a long weekend to coincide with the July 4th holidays. Happy Holiday!