9 August 2008 15:56 GMT
SQL Attacks delivering EXEs and SWFs
Our colleagues at SANS detailed an SQL attack overnight. An affected website contains a script tag pointing to a remote site hosting w.js (SophosLabs have updated Mal/Badsrc-C to detect that link).
The good news is that Sophos already proactively detects the malicious payload at the end of this attack:
- rondll32.exe — Mal/Heuri-D
- f[0-9]*.swf — Exp/SWFScene-A
SophosLabs are currently looking to add detection for the intermediate pages (w.js, office.htm etc.) as well as blocking the sites for the WS1000.
Pob, SophosLabs, UK

