A new and fairly complex SQL injection attack that began in late November has already contaminated more than 125,000 Web sites with a Trojan known to harvest credit card and other banking information.

According to Internet security and monitoring firm ScanSafe, the injected iframe loads the first stage of malicious code from 318x.com. Then, a series of iframes and code redirections that are invisible to the user culminate with the silent installation of the offending code, Backdoor.Win32.Buzus.croo from windowssp.7766.org.

"The attack appears to be a work in progress," ScanSafe senior security research Mary Landesman wrote in a blog posting this week. "As we've been monitoring the malware scripts used in the final stage attacks, some scripts are being changed, some removed, and new ones being introduced."


Landesman said that many of the files have .jpg extensions, but are really just .js files. She added that ScanSafe so far hasn't found any evidence of what she called the "now almost obligatory" PDF exploits that are especially popular with hackers and malware mavens these days.

Instead, ScanSafe said the attacker is focusing on a hodgepodge of exploits including an integer overflow vulnerability in Adobe Flash Player, a Microsoft Office Web Components vulnerability, and an Internet Explorer uninitialized memory corruption flaw among others.

Most troubling, especially for companies that are continually behind the curve when it comes to fending off pesky and potentially disastrous SQL injection attacks, is that the Buzus family of Trojans usually are remotely controlled through an IRC backdoor and--according to ScanSafe--typically are engaged in credit card and other banking-related theft.

SQL injection attacks are a nightmare for IT administrators because they're extremely difficult to defend against in a live production environment and often require multiple patches to the installed database software.

Identification of this latest and particularly virulent SQL attack by antivirus software vendors has been less than stellar. According to a VirusTotal report, only 22 of 40 vendors, or 55 percent, are detecting the ever-changing variant.

Larry Barrett is a senior editor at InternetNews.com.  Based in Las Vegas, Larry covers IT management, enterprise software, services and security.