Fraudware via SQL injection?
Nope, no surprise there.
Check out the exploits being used:
* MDAC remote code execution (MS06-014)
* ShockwaveFlash.ShockwaveFlash.9 exploit
* WebViewFolderIcon setSlice() exploit (MS06-057)
* Msdds.dll exploit (MS05-052)
* Microsoft Works exploit (MS08-052)
* Creative Software AutoUpdate Engine exploit
* Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
* Ourgame GLWorld GLIEDown2.dll exploit
* DirectAnimation.PathControl buffer overflow (MS06-067)
As for the comment by the blog author, Yuhui Huang, that "when [he] tried the same exploit destination, it had already stopped serving malicious content. When [he] launched the first stage downloader, the control server stopped giving instructions to download the second stage installer. Strange…", some things come to mind.
* IP blocking (it has been known for fraudware/malware sites to only allow malicious behavior once per IP address)
* blocking via cookies
* other content caching