Wednesday, July 2, 2008

Move Over Copycats

Looks like the original SQL injection attacks are making a comeback. This isn't to say they ever really went away, but they did seem to dwindle towards the end of May, particularly after the first week in June. This doesn't mean Web surfers caught a break - the Asprox attacks made sure of that. But while Asprox distributes a backdoor that joins infected users to the Asprox botnet, the original attackers were (and are) all about customizable password stealers.

Beginning in late June, these SQL injection attacks that foist password stealers (PWS) have once again surged. Some of the more prevalent attack domains include:

foursn.cn
user1.zhong262.cn
cnzuma.cn
qq117cc.cn
urs.axa-axa.cn

The sites are using a combination of RealPlayer and Flash exploits to foist the password stealers. It doesn't currently appear that any of the exploits are zero-days, but they do include exploits patched only recently (in March and April). It would be nice to think that everyone patches their system diligently, but of course we all know better.

One of the less prolific but more interesting malware domains involved in these attacks is 1ive.net. A casual observer could easily confuse that name with live.net, a Microsoft-owned website. In fact, 1ive.net resolves to 125.46.57.157, an IP address hosted in China. The site is currently about 4 days old; hopefully its time will be short-lived.
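The 1ive.net/live.net confusion above is exactly the kind of thing a proxy-log review should catch automatically. The following Python is an added example, not code from the original post: it takes the attack domains listed in this post as a blocklist, adds a small constructed table of digit-for-letter confusables (the "1" standing in for "l" in 1ive.net), and scans constructed proxy log lines for hosts that are either on the blocklist or skeleton-match a trusted domain. The trusted list, the confusable table, the log format and the two-label "registrable domain" shortcut are all assumptions made for the example.

```python
import re

# Domains named in the post, used here as a constructed blocklist.
BLOCKLIST = {
    "foursn.cn", "user1.zhong262.cn", "cnzuma.cn",
    "qq117cc.cn", "urs.axa-axa.cn", "1ive.net",
}

# Domains we care about protecting from lookalikes (assumption for the example).
TRUSTED = {"live.net", "live.com", "microsoft.com"}

# Characters that visually imitate ASCII letters, mapped to the letter they mimic.
# Constructed subset; a real deployment would use a fuller confusables table.
CONFUSABLES = {"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "|": "l", "!": "i"}


def registrable(host):
    """Return the last two labels of a hostname.

    Simplification: no public-suffix list, so 'user1.zhong262.cn' -> 'zhong262.cn'.
    """
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def skeleton(name):
    """Replace confusable characters so '1ive.net' and 'live.net' compare equal."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in name.lower())


def lookalike_of(host, trusted=TRUSTED):
    """Return the trusted domain this host imitates, or None.

    A host whose registrable domain *is* a trusted domain is not a lookalike.
    """
    reg = registrable(host)
    if reg in trusted:
        return None
    sk = skeleton(reg)
    for t in trusted:
        if sk == skeleton(t):
            return t
    return None


def classify(host):
    """List the reasons a host is suspicious (empty list means not flagged)."""
    h = host.lower().strip(".")
    reasons = []
    if h in BLOCKLIST:
        reasons.append("blocklist")
    target = lookalike_of(h)
    if target:
        reasons.append("lookalike:" + target)
    return reasons


# Constructed proxy log lines in an assumed 'key=value' format.
SAMPLE_LOG = """\
2008-07-02T09:12:01 src=10.1.2.3 host=www.example.com path=/index.html
2008-07-02T09:12:05 src=10.1.2.3 host=1ive.net path=/x.htm
2008-07-02T09:13:10 src=10.1.2.9 host=live.net path=/
2008-07-02T09:14:22 src=10.1.2.7 host=urs.axa-axa.cn path=/a.js
""".splitlines()

HOST_RE = re.compile(r"\bhost=(\S+)")


def scan(lines):
    """Map each flagged host in the log to its list of reasons."""
    flagged = {}
    for line in lines:
        m = HOST_RE.search(line)
        if not m:
            continue
        host = m.group(1).lower()
        reasons = classify(host)
        if reasons:
            flagged[host] = reasons
    return flagged


if __name__ == "__main__":
    for host, reasons in scan(SAMPLE_LOG).items():
        print(host, ", ".join(reasons))
```

The blocklist catches only what you already know; the skeleton comparison is what flags a fresh registration like 1ive.net before it reaches any list, so in practice the two checks complement each other.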
