With the growing concern with numerous vulnerabilities, just this afternoon, Trend Micro Research Project Manager, Ivan Macalintal, stumbled on a somewhat regional fallout of this SQL injection in India threading through numerous compromised government, tourism, popular media, and other sites. We have identified the following new URLs leading to more malware that made it into unknowing users’ systems while visiting sites where the malicious script injection was found and identified:

• http://lsg.kerala.gov.in
• http://www.lsg.kerala.gov.in
• http://www.bangaloremirror.com
• http://www.mumbaimirror.com
• http://www.kolkatamirror.com
• http://www.mumbaipluses.com
• http://education.indiatimes.com
• http://www.kolhapurbusiness.com
• http://www.bizxchange.in
• http://timesascent.in
• http://www.studio3india.com
• http://www.timesascent.co.in
• http://www.mumbaibusinessdirectory.in
• http://www.tourindianow.org
• http://www.bizxchange.in
• http://www.maharashtradirectory.com

Based on Trend Micro threat analyst Joseph Pacamarra‘s initial findings, the Trojan detected as TROJ_AGENT.HOZZ has only been seen so far in two domains, jatrja.com and js.tongji.linezing.com. Figure 1 below shows how users can get infected.

Trend Micro product users need not fret though as Smart Protection Network already protects users from these threats but should still be wary of the sites they visit as the final malware payload seems to be a new type of information stealer.

Update as of 17 July 2009, 16:00

Trend Micro threat analyst Joseph Pacamarra confirms that the number of websites compromised in this attack is 6,810 and rising.