Wal-Mart Latest Site Felled in SQL Attacks
Looks like some pages on the Wal-Mart web site were compromised in the latest round of SQL injection attacks. So if you had a late night hankering for a relatively inexpensive print of Van Gogh's Starry Night or maybe a Matisse lithograph, you might have also encountered a malicious .swf file exploiting the latest released Flash vulnerabilities. (If you haven't already updated to the April 9.0.124.0 version, you should do so now).
Besides Wal-Mart succumbing to the attacks, the really interesting aspect of this particular wave is the sheer number of malware domains involved. In previous attacks, the malicious src reference pointed to an exploit page on a malware domain which in turn foisted password stealing malware from that same domain. In this round of attacks, the malicious src reference points to a malware domain that in turn points to a different malware domain. STAT has identified twenty of these cross-referenced malware domains this morning; it's likely more will soon follow.
The majority of these domains were registered on the 28th and 29th of May, all via PublicDomainRegistry.com (which appears to be suspending the offending domains pretty rapidly). The hosting is a bit odd - the malware domains have multiple A records, indicating either a possible Fast Flux botnet or a very nimble attacker who is constantly redirecting them.
Two of the domains don't match up: adw95.com and banner82.com. Both were active domains in May and banner82.com was suspended on May 26th, so it was a bit odd to see a reference to them in this latest wave.
The injection method is also quite different. Instead of just referencing a single malware host, these attacks may embed references to multiple different malware domains. Seems a bit kludgy and out of character with the previous SQL injection attacks we've observed.
Looks like either the attacker has changed tactics, or we've got a copycat on our hands.
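Added example, not code from the original post or from STAT: a defender-side check that pulls every `<script src>` out of a page and flags pages that load scripts from more than one third-party host, the multi-domain pattern described above. The sample page, its host names and the site's own host list are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: injected content loads scripts from two different
# third-party hosts (placeholder names, not the domains STAT identified).
SAMPLE_HTML = """
<html><body><h1>Starry Night print</h1>
<script src="/static/cart.js"></script>
<script src="http://www.shop.example/js/menu.js"></script>
<script src=http://redir-a.example/b.js></script>
<script src="http://tag-b.example/b.js"></script>
<script src="http://tag-b.example/other.js"></script>
</body></html>
"""

# The site's own hosts (assumed); scripts served from these are expected.
SITE_HOSTS = {"www.shop.example", "shop.example"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src of every <script> tag, quoted or unquoted; injected
    payloads often leave the unquoted form behind."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.extend(v for k, v in attrs if k == "src" and v)


def external_script_hosts(html, site_hosts):
    """Distinct third-party hosts that scripts are loaded from, in first-seen
    order. Relative URLs and the site's own hosts are ignored."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    seen = []
    for src in collector.srcs:
        host = urlparse(src).hostname
        if host and host not in site_hosts and host not in seen:
            seen.append(host)
    return seen


def looks_like_multi_domain_injection(html, site_hosts, threshold=2):
    """True when a page pulls scripts from at least `threshold` distinct
    third-party hosts, the pattern this wave of injections produced."""
    return len(external_script_hosts(html, site_hosts)) >= threshold


if __name__ == "__main__":
    print(external_script_hosts(SAMPLE_HTML, SITE_HOSTS))
    print(looks_like_multi_domain_injection(SAMPLE_HTML, SITE_HOSTS))
```

Run against crawled copies of your own product pages; a single unexpected third-party host is worth a look, and two or more is the signature this post describes.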
The list of malware domains in this latest wave includes: