The recent SQL Injection attack campaign that was discussed this week in the press caught my attention a couple of weeks ago. The attack vector used is quite common these days; in fact, it has been very popular for about the past 18 months. However, during the 4 weeks that we have been monitoring this attack campaign, we have seen the attacks coming from 60 different servers, all of which are located in China. This is quite unusual, as most previous campaigns had attacks coming from bots all over the globe.
Another concern gave me pause. As of yesterday (more than 4 weeks after the first infection attempt) the malware distribution sites at: http://a0v.org/ and http://js.tongji.linezing.com were still up and running, counting more than 1,250,000 downloads!
The latter site is hosted on a machine that bears the domain "alimama.com." Interestingly enough, looking at Google's SafeBrowsing diagnostic information for both domains, we see no current warnings about malicious activity.
Wandering through some of the web's back alleys, I've also recently found a list of Google Dorks that, judging by their content and the activity we see, may be the ones used by the infection agents to look for potentially vulnerable sites and mount the SQL Injection attacks. My advice: be careful out there! SQL Injection is here to haunt us; we must have our defenses in place.
- Amichai
