
A Game of Connect the (SQL Injection) Dots

Following are seven malware hosts involved in SQL injection attacks since October 2007:

yl18.net (Oct/Nov)
uc8010.com (Dec/Jan)
2117966.net (Mar)
nmidahena.com (Apr)
414151.com (Apr)
aspder.com (Apr)
nihaorr1.com (Apr)

The attacks, targeting improperly coded ASP/ASPX pages backed by Microsoft SQL Server, are delivered as hex-encoded queries, as seen in the following abbreviated example:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x6400650063006C00610072
006500200040006D00200076006100720063006800610072002800380030003000300029003B00730065
007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B
0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D00730065
0074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D00280063
006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061

Briefly, the CAST command seen in the example above converts the hexadecimal into a standard string. The converted result is a SQL query that searches for table objects which contain text strings, looping through those found and appending the malicious iframe to each.
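To make the CAST trick concrete from the defender's side, here is an added example (not code from the original post or from ScanSafe) that scans web-server access-log lines for the DECLARE/SET/CAST(0x...) prefix shown above, URL-decodes the request, turns the hex blob back into the SQL it encodes, and lists which of the telltale fragments of the mass-update query appear in it. The hex is the abbreviated blob quoted above, concatenated; the log lines themselves are constructed, and the " AS NVARCHAR(4000));EXEC(@S)" tail of the sample request is an assumption, since the post only shows the prefix. The Latin-1 fallback for single-byte payloads is likewise an assumption about VARCHAR variants, not something the post states.

```python
"""Spot and decode the hex-wrapped SQL injection string described above."""
import re
from urllib.parse import unquote

# Matches the visible prefix of the attack string:
#   DECLARE @var NVARCHAR(n);SET @var=CAST(0x<hex>
INJECT_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*CAST\(\s*0x([0-9A-Fa-f]+)",
    re.IGNORECASE,
)

# Fragments whose presence in the decoded script marks it as the table-walking
# update loop the post describes (enumeration, update, injected markup).
INDICATORS = ("sysobjects", "syscolumns", "update", "rtrim(convert",
              "<iframe", "<script", "exec(")


def decode_hex_payload(hex_text: str) -> str:
    """Turn the CAST(0x...) hex blob back into the SQL text it encodes.

    The post's sample is UTF-16LE (every other byte is 0x00) because the
    variable is NVARCHAR. If the second byte is not 0x00 the blob is treated
    as single-byte text (Latin-1); that fallback is an assumption, not from
    the post. A dangling nibble or a trailing lone byte, as in a truncated or
    abbreviated sample, is dropped instead of raising.
    """
    if len(hex_text) % 2:
        hex_text = hex_text[:-1]
    raw = bytes.fromhex(hex_text)
    if len(raw) >= 2 and raw[1] == 0:
        return raw.decode("utf-16-le", errors="ignore")
    return raw.decode("latin-1")


def scan_request(log_line: str):
    """Return a finding dict for one access-log line, or None if it is clean."""
    decoded_line = unquote(log_line)            # %20 -> space, etc.
    m = INJECT_RE.search(decoded_line)
    if not m:
        return None
    script = decode_hex_payload(m.group(2))
    lowered = script.lower()
    return {
        "client": log_line.split()[0],          # first field of a common-log line
        "variable": "@" + m.group(1),
        "decoded": script,
        "indicators": [k for k in INDICATORS if k in lowered],
    }


def scan_log(lines):
    """Run scan_request over every line and keep only the hits."""
    return [hit for hit in (scan_request(line) for line in lines) if hit]


# The abbreviated hex blob quoted in the post, joined into one string.
PAGE_HEX = (
    "6400650063006C00610072"
    "006500200040006D00200076006100720063006800610072002800380030003000300029003B00730065"
    "007400200040006D003D00270027003B00730065006C00650063007400200040006D003D0040006D002B"
    "0027007500700064006100740065005B0027002B0061002E006E0061006D0065002B0027005D00730065"
    "0074005B0027002B0062002E006E0061006D0065002B0027005D003D0072007400720069006D00280063"
    "006F006E007600650072007400280076006100720063006800610072002C0027002B0062002E006E0061"
)

# Constructed access-log lines (not real telemetry). The " AS NVARCHAR(4000));
# EXEC(@S)" tail is an assumption about how the full request string ends.
SAMPLE_LOG = [
    '10.0.0.5 - - [02/May/2008:14:09:00 +0000] "GET /news.asp?id=42 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [02/May/2008:14:09:03 +0000] "GET /news.asp?id=42;DECLARE%20@S%20NVARCHAR(4000);'
    'SET%20@S=CAST(0x' + PAGE_HEX + '%20AS%20NVARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["client"], hit["variable"], hit["indicators"])
        print("  decoded:", hit["decoded"])
```

Decoding the post's own blob yields the start of the table-walking script, cut off mid-identifier because the sample is abbreviated; a real capture would continue into the cursor over sysobjects/syscolumns and the appended iframe string, which is why those fragments sit in INDICATORS even though the abbreviated sample only triggers the update and rtrim(convert matches.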

That the method is nearly identical between all the attacks means little - an automated tool is presumably used in each instance, so one would expect similarly formed attacks. However, the attacks share many other commonalities with one another which point to a possible connection.

Four of the domains - uc8010.com, nmidahena.com, 414151.com, and nihaorr1.com - have very similar (though obviously bogus) whois info (including the repeated use of the surname "Zhang", the most common surname in China). And each of the four also shares the same primary and secondary DNS:

    Primary DNS:  dns.51ym.com  219.153.20.207
  Secondary DNS:  dns1.51ym.com  61.128.198.181

Though the aspder.com whois info varies considerably from the others, the IP address for the domain (60.172.219.4) is also shared by 414151.com - which, as mentioned, shares many similarities with uc8010.com, nmidahena.com, and nihaorr1.com.

The two that don't match directly (other than via the method of attack) are yl18.net and 2117966.net. There is no whois data for yl18.net against which to compare. But there are interesting patterns in some of the whois details that indicate a possible connection between 2117966.net and aspder.com (and, as noted, aspder.com appears to have a direct link to 414151.com, which in turn shares many similarities with the rest).
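The "connect the dots" reasoning above is an infrastructure pivot: domains that share a name server or an address are joined, and joins chain transitively. As an added illustration (not code from the original post), the following clusters the seven domains using only the facts the post states explicitly, the shared primary DNS dns.51ym.com and the shared address 60.172.219.4. yl18.net and 2117966.net are entered with no attributes, because the post gives none it can pivot on, so they stay unlinked; the whois "patterns" the post mentions for 2117966.net are not encoded, since no concrete value is given.

```python
"""Cluster malware-host domains by shared infrastructure attributes."""
from collections import defaultdict

# Attributes per domain, taken from the post above. Only the name-server and
# IP facts it states explicitly are entered; domains the post gives no
# pivotable attribute for are left empty.
DOMAIN_ATTRS = {
    "yl18.net": {},
    "uc8010.com": {"ns": "dns.51ym.com"},
    "2117966.net": {},
    "nmidahena.com": {"ns": "dns.51ym.com"},
    "414151.com": {"ns": "dns.51ym.com", "ip": "60.172.219.4"},
    "aspder.com": {"ip": "60.172.219.4"},
    "nihaorr1.com": {"ns": "dns.51ym.com"},
}


def cluster_by_shared_attributes(domain_attrs):
    """Union-find over domains: two domains land in one cluster when they share
    any (attribute, value) pair, directly or through a chain of other domains.
    Returns clusters as sorted lists, largest first."""
    parent = {d: d for d in domain_attrs}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    # (attribute, value) -> first domain seen carrying it
    seen = {}
    for domain, attrs in domain_attrs.items():
        for key, value in attrs.items():
            pivot = (key, value)
            if pivot in seen:
                union(seen[pivot], domain)
            else:
                seen[pivot] = domain

    clusters = defaultdict(set)
    for d in domain_attrs:
        clusters[find(d)].add(d)
    return sorted((sorted(c) for c in clusters.values()),
                  key=lambda c: (-len(c), c))


def explain_link(domain_attrs, a, b):
    """List the (attribute, value) pairs two domains have in common."""
    return sorted((k, v) for k, v in domain_attrs[a].items()
                  if domain_attrs[b].get(k) == v)


if __name__ == "__main__":
    for cluster in cluster_by_shared_attributes(DOMAIN_ATTRS):
        print(len(cluster), "domain(s):", ", ".join(cluster))
    print("aspder.com <-> 414151.com via",
          explain_link(DOMAIN_ATTRS, "aspder.com", "414151.com"))
```

Running it reproduces the post's conclusion mechanically: the four dns.51ym.com domains plus aspder.com (joined through 414151.com's address) form one cluster of five, and the remaining two stand alone. The same routine works on any attribute a registrar or passive-DNS source exposes, so adding registrant e-mail or name-server IPs as further keys would be the natural next pivot.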

The attacks themselves appear to be progressive in nature. With each successive attempt, the attacker(s) appear to be honing their targeting skills. As an example, the uc8010 attacks in December/January targeted obscure, seldom visited pages (the Ikea website was one of the few exceptions - multiple highly visited pages on that site were impacted). And while the 2117966.net attacks impacted considerable numbers of sites, an equally considerable number of the attacks failed because the output was munged and incapable of running.

In April, however, both the targeting and the output quality had evolved considerably - most particularly in the nihaorr1.com attacks.

As an example of that targeting, in addition to tens of thousands of sites worldwide, the nmidahena.com attacks compromised hundreds of gov.cn sites, the effects of which can still be seen in this Google search. Coincidentally, the nmidahena.com domain also had one of the shortest lifespans of any of these seemingly related SQL injection attack domains (ScanSafe's TTL estimate is 4 days). When the nihaorr1.com attacks appeared later in April, the attackers appeared to take great care to avoid gov.cn domains. As seen in this Google search, of those Chinese sites that were impacted, most were sites with English-language pages.

In the month of April, approximately 12% of all ScanSafe malware blocks were a result of the nmidahena.com, 414151.com, aspder.com, and nihaorr1.com attacks - and approximately one in five customers attempted to access one of the infectious pages (but they were protected, of course, by ScanSafe).

So, there is a likely connection between most or all of these seven attacks, along with an increase in proficiency such that the latest round not only targeted much higher profile pages but was also honed to avoid certain types of sites. Wonder what's next?

Posted on Friday, May 2, 2008 at 02:09PM by Mary Landesman
