ScanSafe has reported a massive compromise impacting 57,000 legitimate sites. When users visit the infected Web pages, they are greeted with a truckload of password stealers and other Trojans.
firm ScanSafe has uncovered a campaign that has compromised more than 57,000
Websites in a bid to dump gallons of malware on users' computers.
, the sites are being infected with a malicious iFrame via
SQL injection. The iFrame in turn loads what ScanSafe Senior Security
Researcher Mary Landesman described as a "potent Trojan cocktail consisting of backdoors,
password stealers and downloader" on the compromised Web pages.
The iFrame points to an
intermediary exploit site that loads additional exploits and malware from up to
seven different malware domains.
"Analysis of the malware
binaries indicates possible origin in China," Landesman told eWEEK. "However,
SQL injection is a global problem, and certainly China is also a victim of these types of
attacks. Currently, ScanSafe is tracking a separate wave of compromises
involving SQL injection in which only Chinese Websites appear to be targeted.
There are about 70,000 compromised Websites in China resulting from those
When ScanSafe first
reported the attack Friday, it noted that roughly 55,000 sites were impacted.
The victimized sites include feedzilla.com, latindiscover.com, and sites for
several charitable and nursing facilities.
The malware is installed
silently, Landesman said, and is currently directed at Windows PCs only.
Such mass compromises are
not uncommon. In June, Websense detected the so-called
"Nine Ball" compromise
, which impacted more than 40,000 Websites. In
addition, ScanSafe uncovered a similar campaign earlier this year known as Gumblar.