SQL Attacks delivering EXEs and SWFs
Our colleagues at SANS detailed an SQL attack overnight. An affected website contains a script tag pointing to a remote site hosting w.js (SophosLabs have updated Mal/Badsrc-C to detect that link).
The good news is that Sophos already proactively detects the malicious payload at the end of this attack.
- rondll32.exe — Mal/Heuri-D
- f[0-9]*.swf — Exp/SWFScene-A
SophosLabs are currently looking to add detection for the intermediate pages (w.js, office.htm etc.) as well as blocking the sites for the WS1000.
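A site owner can check rendered pages for the symptom described above by listing every script tag that loads from a host the site does not normally use. This is an added example, not SophosLabs code; the host names, sample HTML and function names are constructed for illustration, and only the file names w.js and office.htm come from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse
import posixpath

# Intermediate file names mentioned in the post (the post gives no host names).
INTERMEDIATE_NAMES = {"w.js", "office.htm"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src of every <script> tag, tolerating malformed HTML."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src.strip())


def find_foreign_scripts(html, page_url, allowed_hosts=()):
    """Return one finding per script loaded from a host outside the allowlist."""
    trusted = {urlparse(page_url).hostname, *(h.lower() for h in allowed_hosts)}
    collector = ScriptSrcCollector()
    collector.feed(html)
    findings = []
    for src in collector.sources:
        # urljoin resolves relative paths and protocol-relative //host/ forms.
        parsed = urlparse(urljoin(page_url, src))
        if parsed.hostname in trusted:
            continue
        name = posixpath.basename(parsed.path).lower()
        findings.append({"src": src, "host": parsed.hostname,
                         "named_in_post": name in INTERMEDIATE_NAMES})
    return findings


# Constructed sample: a page whose database-backed heading had a tag appended.
SAMPLE = """<html><head><script src="/static/site.js"></script>
<script src="//cdn.example.net/lib.js"></script></head>
<body><h1>Widgets<script src="http://injected.example/w.js"></script></h1></body></html>"""

if __name__ == "__main__":
    for finding in find_foreign_scripts(SAMPLE, "http://shop.example.org/item?id=7",
                                        allowed_hosts=["cdn.example.net"]):
        print(finding)
```

Run it against pages as served to visitors rather than against templates, since the tag is stored in the database content and only appears in rendered output.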
Posted on August 9th, 2008 by Pob, SophosLabs, UK
Filed under: General, Malware