Silent love China
A new round of SQL injection attacks is underway as of this past weekend. The latest attacks inject an iframe which loads malicious content from qiqigm.com, a domain newly registered on May 16th. Multiple RealPlayer vulnerabilities are exploited in the attack, including the recent RealPlayer memory corruption flaw first reported in March 2008 (CVE-2008-1309). Also included is the very commonly exploited Internet Explorer MDAC Remote Code Execution Vulnerability (MS06-014).
A successful exploit leads to the installation of a password-stealing Trojan that also has rootkit-like functionality.
As of this morning, a Yahoo search returned 7,020 results for sites/pages compromised by this latest round of SQL injection attacks. Nearly all were English-language pages, predominantly on .com domains.
Compromised sites included IPO listings on kgieworld.com (an English language Hong Kong stock brokerage), rig information pages on worldoil.com, and Kodak camera reviews on digitalcamerareview.com.
Interspersed in the qiqigm.com exploit scripts is a reference to "Silent love China".
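Because the iframe is injected through SQL injection, it lives in the site's stored content and will reappear in every page rendered from the affected rows, so the place to look is the database, not just the rendered HTML. The following is an added example, not ScanSafe's code and not taken from the report: it parses stored HTML fragments, flags any `<iframe>` or `<script>` that loads from a host other than the site's own trusted hosts, and marks the host named in the report. The table layout, the trusted host `static.example.com`, the sample rows and the path under qiqigm.com are all constructed for the example; the hidden-frame heuristic is a general one, not something the report describes.

```python
import sqlite3
from html.parser import HTMLParser
from urllib.parse import urlparse

# Host named in the report. Anything not here and not in the site's own
# trusted hosts is reported as an untrusted external load.
KNOWN_MALICIOUS = {"qiqigm.com"}


class SrcCollector(HTMLParser):
    """Collect the src attribute (plus the other attributes) of every
    <iframe> and <script> tag in a fragment of HTML."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            a = {k.lower(): (v or "") for k, v in attrs}
            if a.get("src"):
                self.found.append((tag, a["src"].strip(), a))


def host_of(src):
    """Hostname of a src URL; '' for a relative URL (same origin as the page)."""
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    if "://" not in src:
        return ""
    return (urlparse(src).hostname or "").lower()


def looks_hidden(attrs):
    """Zero/one-pixel or display:none frames are a common way to keep a
    loader out of the visitor's sight (general heuristic, assumed here)."""
    style = attrs.get("style", "").replace(" ", "").lower()
    tiny = (attrs.get("width", "").strip() in ("0", "1")
            or attrs.get("height", "").strip() in ("0", "1"))
    return tiny or "display:none" in style or "visibility:hidden" in style


def scan_html(html, trusted_hosts):
    """One finding per iframe/script whose src host is neither relative
    (the page's own origin) nor in trusted_hosts."""
    parser = SrcCollector()
    parser.feed(html)
    findings = []
    for tag, src, attrs in parser.found:
        host = host_of(src)
        if host == "" or host in trusted_hosts:
            continue
        findings.append({
            "tag": tag,
            "src": src,
            "host": host,
            "known_malicious": host in KNOWN_MALICIOUS,
            "hidden": looks_hidden(attrs),
        })
    return findings


def scan_table(conn, table, key_col, text_cols, trusted_hosts):
    """Run scan_html over every text column of every row; return
    {row_key: findings} for rows that carry an untrusted loader.
    table/column names come from the operator, never from user input."""
    cols = ", ".join([key_col] + list(text_cols))
    flagged = {}
    for row in conn.execute(f"SELECT {cols} FROM {table}"):
        hits = []
        for value in row[1:]:
            if value:
                hits.extend(scan_html(value, trusted_hosts))
        if hits:
            flagged[row[0]] = hits
    return flagged


# Constructed sample content: two clean rows and one carrying an injected
# hidden iframe. The path under qiqigm.com is made up for this example.
SAMPLE_ROWS = [
    (1, "Rig data", '<p>Rig count</p><script src="/js/site.js"></script>'),
    (2, "Camera review",
     '<p>Great lens</p><script src="http://static.example.com/r.js"></script>'),
    (3, "IPO listing",
     '<p>Listing</p><iframe src="http://qiqigm.com/x.htm" width=0 height=0></iframe>'),
]


def demo():
    """Load the constructed rows into an in-memory table and scan them."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    return scan_table(conn, "articles", "id", ("title", "body"),
                      trusted_hosts={"static.example.com"})


if __name__ == "__main__":
    for row_id, hits in demo().items():
        for hit in hits:
            print(row_id, hit)
```

Only row 3 is reported, with the host marked as known malicious and the frame flagged as hidden; the relative script in row 1 and the trusted-host script in row 2 pass. In a real clean-up the query would be run against every text column of every table the application reads from, and any row flagged would be restored from a backup taken before the injection rather than edited in place.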
This ScanSafe threat report contains further details.

Mary Landesman