Up to 130,000 websites have been compromised by a ‘Trojan cocktail' being distributed by mass SQL injections.
Mary Landesman, senior security researcher at ScanSafe, claimed that the massive compromise has been active since the 3rd August and the first company detection was almost two weeks ago on the 14th August.
Landesman claimed that the potent Trojan cocktail consists of backdoors and password stealers and it is installing malware that includes the Gologger keystroke logging Trojan and a backdoor that attempts to connect to a remote website hosted in China.
Landesman told SC Magazine that it had seen 64,000 English language sites that had been compromised, while there is another attack in China on Chinese language sites. Landesman said: “Both combined brings the total to around 130,000 but that is a conservative estimate, we are trying to track this but it is very time consuming. In both attacks the malware is different but the intent is the same.
“It is not the same variant in all cases, actually a whole different family of Trojans but we don't know why this is.”
Landesman claimed that it is working from compromised pages, and the SQL injection is showing no solid download or anything that is visible for users.
“It is designed to fly under the radar and to make it happen using a dozen or more exploits from Adobe Reader to the Flash Player, to Internet Explorer vulnerabilities, it is determining what the user runs that the script is able to ascertain what it can exploit,” said Landesman.
“There is 64-65,000 now compromised, it is difficult to say, it depends on the webmasters taking action as whenever you see exploitation of websites they tend to be more prolonged as the sites do not have security staff.”
In a further update, Landesman claimed that it appears that the attackers may be managing geographical waves of the attacks by dividing up the malware domains by region. While the end stage malware consists of backdoors and data theft Trojans, the exact malware used also appears to be dependent on region.