Potent Trojan Cocktail / SQL Injection May be Regionally Targeted
In conjunction with the potent cocktail of trojans resulting from last Friday's report of ~55,000 SQL injection attacks, ScanSafe STAT has also been tracking a similarly composed series of SQL injection attacks occurring in China. Currently the malicious source references on the compromised Chinese websites include:
script src=http://3god.ne%74/c.js
script src=http://hi8.ss.la/c.js
script src=http://tt99lov.cn/0.js
script src=http://yuesha.com/yqt/n.js
script src=http://ag268.com/x.js
script src=http://whjiadian.com/x.js
The source scripts load exploit code from an intermediary site, df5fdd.3322.org. Examples include:
http://df5fdd.3322.org/aa/a100.htm
http://df5fdd.3322.org/aa/index.htm
http://df5fdd.3322.org/aa/nyntd14.htm
http://df5fdd.3322.org/aa/nyntdfll.htm
http://df5fdd.3322.org/aa/of.htm
http://df5fdd.3322.org/aa/nyntdi.htm
http://df5fdd.3322.org/aa/huoh.htm
A successful exploit leads to the silent installation of malware binaries from mstsc2005.com and www.twin-2009.com.
Although the end stage malware differs, the attacks share many commonalities with, and appear to be related to, the 55,000 compromises reported last Friday. Both attacks also appear to be related to a similarly configured series of SQL injection attacks impacting Indian websites in July.
Additional domains used in the attacks include:
yyreg4.2288.org
gjhhgjghjhkj.3322.org
59-34-198-113.3322.org
mstsc2005.com/
wowyesgo.info
df5fdd.3322.org resolves to 59.34.197.135, an IP also used by avipa.3322.org, dfretr.7766.org, vviipp.3322.org and dsfrtr5465.3322.org.
bvgg6.cn and gjhhgjghjhkj.3322.org point to 59.34.197.151.
wowyesgo.info reverses to customer.krypt.com; nhaej.com, gamecj.com, gaehh.info, car963.info, and car741.info point to the same IP.
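As an added example that is not part of the original post or of ScanSafe's tooling, the script below shows how a defender can check a site's pages for the injected script references listed above and, using the IP co-hosting observations just given, expand a watchlist to domains that share hosting. The host names and IP addresses are the ones stated in the post (2008-era data, not current resolutions); the sample HTML page and the resolution table used as a stand-in for a passive-DNS feed are constructed. Note the first injected reference uses a percent-encoded hostname (3god.ne%74), which a naive string match on "3god.net" would miss; the example decodes before matching.

```python
"""Detect injected <script src=...> references against a known-bad host list,
and expand that list by pivoting on shared hosting IPs.

Added example (not the blog's or ScanSafe's code). Host and IP values are
copied from the 2008 post; the HTML page and resolution table are constructed."""
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Hosts of the injected scripts listed in the post (constructed blocklist).
INJECTED_SCRIPT_HOSTS = {
    "3god.net", "hi8.ss.la", "tt99lov.cn",
    "yuesha.com", "ag268.com", "whjiadian.com",
}

# Domain -> IP observations as stated in the post; historical data used as a
# stand-in for a passive-DNS feed, not current resolutions.
OBSERVED_RESOLUTIONS = {
    "df5fdd.3322.org": "59.34.197.135",
    "avipa.3322.org": "59.34.197.135",
    "dfretr.7766.org": "59.34.197.135",
    "vviipp.3322.org": "59.34.197.135",
    "dsfrtr5465.3322.org": "59.34.197.135",
    "bvgg6.cn": "59.34.197.151",
    "gjhhgjghjhkj.3322.org": "59.34.197.151",
}


def normalize_host(src):
    """Lowercase, percent-decoded hostname of a script src, or None if relative."""
    # Percent-encoding inside the hostname (3god.ne%74 for 3god.net) defeats a
    # plain substring match, so decode the whole value before parsing it.
    host = urlsplit(unquote(src.strip())).hostname
    return host.lower() if host else None


class _ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag, quoted or unquoted."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser already lowercases tag names
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)


def find_injected_scripts(html, bad_hosts):
    """Return (raw_src, host) for each external script whose host is blocklisted."""
    collector = _ScriptSrcCollector()
    collector.feed(html)
    hits = []
    for src in collector.sources:
        host = normalize_host(src)
        if host in bad_hosts:
            hits.append((src, host))
    return hits


def pivot_on_shared_ips(seed_domains, resolutions):
    """Every domain that resolves to an IP shared with any seed domain."""
    seed_ips = {resolutions[d] for d in seed_domains if d in resolutions}
    return {d for d, ip in resolutions.items() if ip in seed_ips}


# Constructed page mimicking a compromised site: one legitimate local script,
# one injection with a percent-encoded hostname, one with odd quoting and case.
SAMPLE_PAGE = """<html><head><title>Shop</title>
<script src="/js/site.js"></script>
<script src=http://3god.ne%74/c.js></script></head>
<body><p>Welcome</p>
<script src='HTTP://HI8.SS.LA/c.js'></script></body></html>"""

if __name__ == "__main__":
    for src, host in find_injected_scripts(SAMPLE_PAGE, INJECTED_SCRIPT_HOSTS):
        print(f"injected script: {src!r} -> {host}")
    print("co-hosted with df5fdd.3322.org:",
          sorted(pivot_on_shared_ips({"df5fdd.3322.org"}, OBSERVED_RESOLUTIONS)))
```

The pivot step is deliberately conservative: it only adds domains that resolve to exactly the same IP as a seed, so a shared hosting provider's address would pull in unrelated customers and should be reviewed before anything is blocked on that basis.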
It appears the attackers may be managing geographical waves of the attacks by dividing up the malware domains by region. And while the end stage malware consists of backdoors and data-theft trojans, the exact malware used also appears to depend on region.
It's interesting to remember that in late June, SQL injection attacks on Chinese websites led to the public exploit of a year-old vulnerability in Microsoft ActiveX which had (at the time) never been patched. As reported at the time, "The original attacks observed for the injected 3b3.org script pointed to exploit code on vip762.3322.org which attempted to install malware from xin765.com. The exploit site then shifted to vpsvip.com, with malcode hosted on rtrt66.3322.org and milllk.com."
Those SQL attacks are related to the same SQL injection attacks we've just been discussing, with apparent targeting of Indian websites beginning in mid-July followed by the apparent targeting of English language websites (predominantly U.S., Canada, U.K. and South Africa) in early to mid August.

Mary Landesman