132,000+ Sites Under SQL Injection Attack

A large-scale SQL injection attack has injected a malicious iframe into tens of thousands of susceptible websites. ScanSafe reports that the injected iframe loads malicious content from, which eventually leads to the installation of a rootkit-enabled variant of the Buzus backdoor trojan. A Google search for the injected iframe string returned over 132,000 hits as of December 10, 2009.

Infection sequence:
Injected iframe – <script src=hxxp://>
This loads a script that creates a new iframe pointing to. That iframe (a.htm) does two things:

1. Loads a second iframe from
2. Loads a script: (used for tracking).

The frame:

* Creates a third iframe pointing to
* Loads a script: (similar to above, but different number)
* In a <noscript> fallback, an href pointing to, with an img src of

The share.html page detects the browser type and writes/loads multiple iframes pointing to obfuscated script files in the same directory (all are JavaScript regardless of file extension). Together these scripts check for MDAC, OWC10, and various versions of Adobe Flash. Depending on the results, the malcode then delivers one of several possible exploits.
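The chain above starts from a tag that the SQL injection wrote into the site's own database, so cleanup means finding every stored row that now carries an external script or iframe loader, not only the pages that happen to render it. The scanner below is an added example written for this page (it is not code from ScanSafe or from the original article); the hostnames, the `TRUSTED_HOSTS` allowlist and the sample rows are invented for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads scripts and frames from.
TRUSTED_HOSTS = {"www.example.com", "cdn.example.com"}


def defang(url):
    """Rewrite http:// and https:// to hxxp:// and hxxps:// so findings are safe to paste into a report."""
    return re.sub(r"^http(s?)://", r"hxxp\1://", url, flags=re.IGNORECASE)


class _LoaderCollector(HTMLParser):
    """Collect the src attribute of every <script> and <iframe> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.found = []  # list of (tag, src, attribute dict)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            a = {k: v for k, v in attrs}
            if a.get("src"):
                self.found.append((tag, a["src"], a))


def _is_hidden(attrs):
    """Zero-size or display:none frames are the usual shape of an injected drive-by loader."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return (
        "display:none" in style
        or "visibility:hidden" in style
        or attrs.get("width") in ("0", "1")
        or attrs.get("height") in ("0", "1")
    )


def find_injected_loaders(html, trusted_hosts=TRUSTED_HOSTS):
    """Return every <script>/<iframe> whose src points at a host outside the allowlist.
    Relative URLs (no host) are treated as the site's own content and skipped."""
    parser = _LoaderCollector()
    parser.feed(html or "")
    hits = []
    for tag, src, attrs in parser.found:
        src = src.strip()
        host = urlparse(src).hostname  # None for relative URLs
        if host is None or host.lower() in trusted_hosts:
            continue
        hits.append({"tag": tag, "host": host.lower(), "src": defang(src), "hidden": _is_hidden(attrs)})
    return hits


def scan_records(records, trusted_hosts=TRUSTED_HOSTS):
    """records: iterable of (table, column, row_id, text), i.e. every text column of the
    site's database dumped row by row. The injected tag in an attack like this one lives
    in the database, so rows that are not currently rendered on any page are still infected."""
    findings = []
    for table, column, row_id, text in records:
        for hit in find_injected_loaders(text, trusted_hosts):
            findings.append({"table": table, "column": column, "row_id": row_id, **hit})
    return findings


# Constructed sample rows (not from the incident): one clean row, one whose name field
# received an appended script tag, one carrying a zero-size iframe.
SAMPLE_RECORDS = [
    ("products", "name", 1, "Widget <b>deluxe</b>"),
    ("products", "name", 2, "Gadget</title><script src=http://injected.example/a.js></script>"),
    ("news", "body", 7, '<p>Hello</p><iframe src="http://other.example/a.htm" width=0 height=0></iframe>'),
]

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f['table']}.{f['column']} row {f['row_id']}: <{f['tag']}> from {f['host']} "
              f"({'hidden' if f['hidden'] else 'visible'}) {f['src']}")
```

Feed it a dump of every text column (enumerated from the database's catalog, for example INFORMATION_SCHEMA.COLUMNS) rather than a crawl of the rendered site. The `hidden` flag highlights the zero-size frames typical of drive-by loaders, but a visible external src from an unknown host is just as suspect. Cleaning the rows does not close the hole: the query that let the attacker write them must be parameterized as well, or the next pass of the attack re-infects the same rows.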

Observed exploits include:

* Integer overflow vulnerability in Adobe Flash Player, described in CVE-2007-0071
* MDAC ADODB.Connection ActiveX vulnerability described in MS07-009
* Microsoft Office Web Components vulnerabilities described in MS09-043
* Microsoft Video ActiveX Control vulnerability described in MS09-032
* Internet Explorer uninitialized memory corruption vulnerability described in MS09-002

Malware Description:
Threatname: Backdoor.Win32.Buzus.croo
Aliases: Trojan-PWS.Win32.Lmir (Ikarus, a-squared); TR/Hijacker.Gen (AntiVir); Trojan/Win32.Buzus.gen (Antiy-AVL); W32/Agent.S.gen!Eldorado (F-Prot, Authentium); Win32:Rootkit-gen (Avast); Generic15.CBGO (AVG); Trojan.Generic.2823971 (BitDefender, GData); Trojan.Buzus.croo (Kaspersky, QuickHeal); Trojan.NtRootKit.2909 (DrWeb); Trj/Buzus.AH (Panda).

Source: Net-Security
