Malware from mass SQL injections confirmed by security experts
Thursday, June 5, 2008
Nearly 20,000 websites have been attacked by unknown malicious computer users using a technique known as an SQL injection. The attackers have inserted code to install malware onto visitors' computers. The code exploits a newly-discovered weakness in Adobe Flash Player, a very common web-browser plugin. The attacks prompted an investigation by the Taiwanese information security industry into the source of these attacks.
An SQL injection is a common method employed by malicious users to attack and deface websites, arising from website mistakes in checking user input. Attackers take advantage of these weaknesses to inject information of their choosing into the website. For example, in June of 2007, Microsoft UK found its webpage changed to a picture of the Saudi Arabia flag, an attack which was carried out using an SQL injection.
According to SecurityFocus, this most recent series of attacks stems from a vulnerability in versions 184.108.40.206 and 220.127.116.11 of Flash Player. It allows attackers to load any code they wish onto a computer running these versions of Flash.
As the vulnerability in Flash is newly discovered, Adobe has not yet released a newer version which fixes the problem. For the time being, computer security experts recommend that internet users with one of the unprotected versions of Flash disable the plug-in on Mozilla Firefox or Internet Explorer to prevent malicious users from gaining control over their computers.
The most recent version of the Flash Player, version 18.104.22.168, does not appear to be vulnerable to this exploit.
- Jim Clausing. "Followup to Flash/swf stories" — , May 28, 2008
- Brian Krebs. "Exploit In-the-Wild: Patch Your Flash Player Now" — , May 28, 2008
- Ryan Naraine. "Adobe Flash zero-day exploit in the wild" — , May 27, 2008
- Dan Goodin. "Attack code targets new Adobe Flash vuln" — , May 27, 2008
- Gregg Keizer. "Hackers exploiting Flash Player zero-day bug" — , May 27, 2008
- John Leyden. "Mass SQL injection hits English language websites" — , May 21, 2008
- "Chinese websites under mass attack" — , May 20, 2008
- Sumner Lemon. "Mass SQL Injection Attack Targets Chinese Web Sites" — , May 19, 2008
- Tim Conneally. "Ten thousand servers hit in SQL injection hack" — , May 19, 2008
- Andy Greenberg. "Where The Web Is Weak" — , May 14, 2008