Mass SQL Injection Leads to FakeAV

April 1, 2011

SonicWALL UTM Research team received reports of a mass SQL injection infecting millions of websites. It is likely that the back-end databases of these websites were compromised leading to this SQL injection.

Malicious script codes were inserted and being served in webpages which when triggered redirects to malicious link that serves FakeAV malware.

Following are some of the reported Malicious URL inserted on compromised webpages:

  • alexblane(dot)com/ur.php
  • alisa-carter(dot)com/ur.php
  • books-loader(dot)info/ur.php
  • lizamoon(dot)com/ur.php
  • milapop(dot)com/ur.php
  • t6ryt56(dot)info/ur.php
  • tadygus(dot)com/ur.php
  • Worid-of-books(dot)com/ur.php

All of these URLs resolve to single ip:

  • 91.213.29.182

Malicious codes were inserted as shown in the image below:

    screenshot

Google result shows some of the websites that were compromised:

    screenshot

    screenshot

When a user clicks on these links, they will be redirected to a malicious website that serves FakeAV.

    screenshot

    screenshot

Eventually, it will serve the malicious file for download as freesystemscan.exe as shown in this instance. The filename however can change over time.

    screenshot

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: ScrInject.UR (Trojan)
  • GAV: Suspicious#asprotect (Trojan)

screenshot

screenshot