Another mass compromise through SQL injection (yet again). The "yet agains" and "anothers" keep coming, right? This time, unlike its predecessors, which used relatively old, known (and patched) exploits, the attack introduces a new kid on the block: what looks like a zero-day exploit for a previously unknown vulnerability in Adobe Flash Player, which lets attackers install malware on affected PCs.
This one already has a lot of history behind it. Mass compromises have been May's major story. TrendLabs has seen them hit Web sites everywhere from a large part of Asia (see here and here) to Italian-language sites, and the incidents have been occurring only days apart (besides the links above, more information can be found in our blog).
Certain legitimate sites were found to have been injected with scripts that silently redirect browsers to sites hosting exploits for the Flash vulnerability (or vulnerabilities). If the system meets the conditions the exploit checks for, the PC downloads and executes malware detected as TROJ_WIESSY.J and WORM_OTWYCAL.BO.
TrendLabs detects the malicious script as HTML_DLDR.BF, and the .SWF files as SWF_DLOADER.YVM and SWF_DLOADER.YVN. SWF_DLOADER.YVM downloads more files detected as SWF_DLOADER.YVN. Meanwhile, SWF_DLOADER.YVN exploits the vulnerability Integer Overflow in Adobe Flash Player Allows Remote Arbitrary Code Execution to download files initially detected as TSPY_UPACK.D and TROJ_DROPPER.NAK. The downloaded files later changed, now detected as TROJ_WIESSY.J and WORM_OTWYCAL.BO.
Remarkably, the domains involved in this attack spoof the domain name of a legitimate and well-known telecommunications corporation as well as that of a popular online game. Other domains are lkjrc and woai117 (both, surprise, surprise, under .cn).
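Because the injected markup on the compromised sites is what actually hands the browser to the exploit hosts, the most useful thing a site owner can do is scan their own pages for tags that pull remote content from hosts they never added. The following is an added example (not Trend Micro's code and not taken from the attack itself) that walks a page with the standard-library HTML parser, collects every script, iframe, embed and object reference, and reports the ones pointing at hosts outside an allowlist, noting when the reference loads a .swf, when an iframe is sized to zero, when the host resembles a brand name without being under that brand's real domain (the spoofing pattern described above), and when it sits under the .cn ccTLD that this attack's domains used. The site name, allowlist, brand list and sample HTML are all constructed for the example; the injected hostnames are made up and are not the real attack domains.

```python
"""Flag injected remote-content tags in a page pulled from a possibly compromised site."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical site being checked, the hosts it legitimately loads from, and
# the brand names (mapped to their genuine domains) whose look-alikes matter.
SITE_HOST = "www.example.com"
TRUSTED_HOSTS = {"example.com", "cdn.example.com"}
BRANDS = {"example-telecom": "example-telecom.com", "example-game": "example-game.net"}

# Constructed sample page: the first two tags are the site's own; the last
# three are the kind of markup a SQL-injection mass compromise appends to
# database-driven content. The injected hosts are invented for this example.
SAMPLE_HTML = """<html><body>
<h1>News</h1>
<script src="/static/site.js"></script>
<script src="https://cdn.example.com/lib.js"></script>
<p>Article body</p>
<script src="http://injected-host.cn/ad.js"></script>
<iframe src="http://injected-host.cn/x.htm" width="0" height="0"></iframe>
<embed src="http://example-telecom.cn/flash.swf" type="application/x-shockwave-flash">
</body></html>"""


class RefFinder(HTMLParser):
    """Collect every tag that pulls remote content into the page."""

    SRC_ATTR = {"script": "src", "iframe": "src", "embed": "src", "object": "data"}

    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url, attrs)

    def handle_starttag(self, tag, attrs):
        attr_name = self.SRC_ATTR.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if url:
            self.refs.append((tag, url, attrs))


def is_trusted(host, site_host, trusted):
    """True when host is the site itself or under an allowlisted domain."""
    if host == site_host:
        return True
    return any(host == t or host.endswith("." + t) for t in trusted)


def spoofed_brand(host, brands):
    """Return a brand name that appears in host while host is not under the brand's real domain."""
    for brand, real_domain in brands.items():
        if brand in host and not (host == real_domain or host.endswith("." + real_domain)):
            return brand
    return None


def find_suspicious_refs(html, site_host=SITE_HOST, trusted=TRUSTED_HOSTS, brands=BRANDS):
    """Return a list of {tag, url, host, reasons} for references to non-allowlisted hosts."""
    finder = RefFinder()
    finder.feed(html)
    findings = []
    for tag, url, attrs in finder.refs:
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if not host:  # relative URL: served by the site itself
            continue
        if is_trusted(host, site_host, trusted):
            continue
        reasons = ["external host"]
        if parsed.path.lower().endswith(".swf"):
            reasons.append("loads .swf")
        if tag == "iframe" and attrs.get("width") == "0" and attrs.get("height") == "0":
            reasons.append("hidden iframe")
        brand = spoofed_brand(host, brands)
        if brand:
            reasons.append("spoofs " + brand)
        if host.endswith(".cn"):  # heuristic drawn from this attack's domains, not a rule
            reasons.append(".cn ccTLD")
        findings.append({"tag": tag, "url": url, "host": host, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_suspicious_refs(SAMPLE_HTML):
        print(f"{f['tag']:<7} {f['url']:<45} {', '.join(f['reasons'])}")
```

Run against the sample, it reports the three appended tags and leaves the site's own script references alone. On a real site the same function can be pointed at the HTML rendered from each database-backed page, or at the raw column values themselves, which is where the SQL injection actually lands the tags; the allowlist and brand table are the parts you would tailor to your own site.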
Trend Micro Web Threat Protection (WTP) already blocks access to the malicious domains involved in this attack.
Our engineers are analyzing this attack further. Updates will be posted as soon as more information becomes available. As of this writing, we are still seeing several new malicious domains that are hosting .SWF files exploiting the Adobe Flash Player bug.
Updated as of May 29, 2008, 4:00am PST