Tuesday, July 8, 2008

55 and Counting

In just the first week of July, ScanSafe STAT observed an additional fifty-five active SQL injection domains. The key words are "active" and "additional": there are dozens more. The 55 are just those that garnered the most traffic during the past week, and the list also omits active domains already reported in previous blog posts, such as those reported here and here.

Starting in late June, some of the domains were registered using the .mobi suffix. One can only guess at the motive behind that move.

Currently there appear to be three primary goals of the ongoing SQL injection attacks:

1. Delivering password stealing trojans. Commonalities behind many of these attacks include references indicating possible origin in China.
2. Delivering backdoors that increase the size and capability of the Asprox botnet. Commonalities behind these attacks point to possible origin in Russia or the Ukraine.
3. Delivering rogue software that employs fear tactics to entice victims into purchasing bogus scanners. Many that fall into the type 3 category have also been associated with the Asprox botnet, which also happens to be largely implicated in spam and phishing scams.

With competing initiatives, one has to wonder how long it will be before the attackers turn on each other, as in the MyDoom/Bagle/Netsky email worm wars of early 2004.

Following is a list of active malware domains involved in SQL injection attacks during the first week of July:


Reader Comments (1)

Hi ScanSafe,

When reporting on SQL injections, could you make a clear distinction between the URLs actually injected and those seen later in the cascade or the malware servers? Injected URLs can be blocked with simple adblockers as a first line of defense. Could you also forward all newly noted injected URLs to ShadowServer.org? They're trying to maintain an up-to-date list of injected URLs, and your "early warning system" detections would no doubt be of great help.

July 17, 2008 | Unregistered Commenter iTinker
