
It would appear that we have a developing issue originating from various locations in China for the past few days that we (security researchers) are still piecing together.
Over at the SANS Internet Storm Center, John Bambenek has posted (and provided at least one update at this hour) a daily handler’s diary entry explaining that they have had reports of a possible SQL worm involving several domains, JavaScript, and URLs that first showed up on our threat radar on Monday (5 May 2008) morning.
Trend Micro has already proactively blocked access to these malicious domains and URLs (and the associated malicious “back-channel” background activity) while we push out a pattern update for malicious file and JavaScript detection.
That is the strength of hybrid Web Threat Protection (WTP): by blocking the malicious domains and URLs, we break the infection chain and shrink the “time-to-exploit” window immediately.
For now, please be assured that we are burning the midnight oil working on these issues, and will update this blog post as more details become clear. For now, please refer to the SANS ISC Daily Handler’s Diary for details, and we’ll post more as this developing incident unfolds.
One further note: While the count is only in the ~4,000 to ~5,000 range (still not small!), some very high-profile Web sites appear to have been compromised in this attack.
PLEASE DO NOT GO SEARCHING FOR WEB SITE COMPROMISES. In this particular case, if you are not adequately prepared and protected, you can become a victim of your own curiosity.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research