According to an ISC diary, SQL injection attacks against ASP websites backed by MSSQL are under way. The following string can be found embedded in the web pages of victim sites.

    ""></title><script src="hxxp://"></script>" 


(Figure 1: from ISC diary's comment)

The link inside the malicious "sl.php" changes often: "hxxp://");

But we know it redirects to other hop sites that belong to the IP address ( :

  • hxxp://
  • hxxp://
  • hxxp://
  • and more...

These hops return the following content:

    <meta http-equiv="refresh" content="0;url=hxxp://" />

Finally, the visitor sees the fake AV scanning page (Figure 2), which lures people into downloading the installer. The installer's detection rate is very low, about 16%.


(Figure 2) 

The detailed attack path is as follows:

[script] hxxp://

      [hop] hxxp://

      [hop] hxxp://

      [hop] hxxp://

          [download] hxxp://
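
Site owners and proxy operators can check HTML for the two artefacts described above: the script tag injected right after a premature `</title>`, and the zero-delay meta refresh used by the hop pages. The following Python code is an added example, not AegisLab's or the ISC diary's code; the name `scan_page`, the regexes and the `.example` hosts are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlparse

# Injected marker from the post: a quote and tag close, a premature </title>,
# then a <script> whose src points at a remote URL.
INJECTED_SCRIPT = re.compile(
    r'''["']\s*>\s*</title\s*>\s*<script\b[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)''',
    re.IGNORECASE)
# Hop page from the post: <meta http-equiv="refresh" content="N;url=...">.
META_REFRESH = re.compile(
    r'''<meta\b[^>]*http-equiv\s*=\s*["']?refresh["']?[^>]*'''
    r'''content\s*=\s*["']\s*(\d+)\s*;\s*url\s*=\s*([^"'>\s]+)''',
    re.IGNORECASE)

def _host(url):
    # Accept defanged hxxp:// as written in the post; relative URLs give ''.
    fixed = re.sub(r'^hxxp', 'http', url, flags=re.IGNORECASE)
    return (urlparse(fixed).hostname or '').lower()

def scan_page(html, site_host):
    """Return (kind, url) findings for one page served by site_host."""
    findings = []
    for m in INJECTED_SCRIPT.finditer(html):
        # Only off-site script sources are reported.
        if _host(m.group(1)) not in ('', site_host):
            findings.append(('injected-script', m.group(1)))
    for m in META_REFRESH.finditer(html):
        # Only immediate (0 second) redirects to another host are reported.
        if int(m.group(1)) == 0 and _host(m.group(2)) not in ('', site_host):
            findings.append(('zero-delay-refresh', m.group(2)))
    return findings

# Constructed sample pages; the .example hosts are placeholders, not indicators.
INFECTED = ('<html><head><title>Widgets"></title>'
            '<script src="http://injected.example/sl.php"></script></title>'
            '</head><body>catalog</body></html>')
HOP = '<meta http-equiv="refresh" content="0;url=hxxp://hop.example/scan/" />'
CLEAN = ('<html><head><title>Widgets</title>'
         '<script src="http://cdn.example/app.js"></script>'
         '<meta http-equiv="refresh" content="300;url=/catalog"></head></html>')

if __name__ == '__main__':
    for name, page in (('infected', INFECTED), ('hop', HOP), ('clean', CLEAN)):
        print(name, scan_page(page, 'shop.example'))
```

Both patterns are heuristics: a hit means the page should be reviewed and the database fields behind it checked for the injected string, not that compromise is confirmed.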


Detection rate in VirusTotal (7/43): 


AegisLab WebGuard has been able to block these malicious sites since 02/12/2011.

By AegisLab