Fraudware via SQL injection?
Nope, no surprise there.
Cite: http://blogs.technet.com/mmpc/archive/2008/10/17/sql-injection-new-approach-for-win32-fakexpa.aspx
Check out the exploits being used:
* MDAC remote code execution (MS06-014)
* ShockwaveFlash.ShockwaveFlash.9 exploit
* WebViewFolderIcon setSlice() exploit (MS06-057)
* Msdds.dll exploit (MS05-052)
* Microsoft Works exploit (MS08-052)
* Creative Software AutoUpdate Engine exploit
* Online Media Technologies NCTsoft NCTAudioFile2 ActiveX buffer overflow
* Ourgame GLWorld GLIEDown2.dll exploit
* DirectAnimation.PathControl buffer overflow (MS06-067)
The blog author, Yuhui Huang, comments that "when [he] tried the same exploit destination, it had already stopped serving malicious content. When [he] launched the first stage downloader, the control server stopped giving instructions to download the second stage installer. Strange…". A few possible explanations come to mind:
* IP blocking (fraudware/malware sites have been known to allow malicious behavior only once per IP address)
* blocking via cookies
* other content caching
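
One way to tell these three explanations apart from a researcher's own request log, shown as an added example that is not part of the original post or the cited MMPC write-up. The `Fetch` record, its field names, the sample observations and the single-cause model (each mechanism acting alone) are assumptions of this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Fetch:
    """One analyst request to the suspect URL (field names are this example's own)."""
    order: int         # position in the sequence of requests
    source_ip: str     # egress address the request left from
    sent_cookie: bool  # a cookie set by an earlier response was replayed
    from_cache: bool   # answered by a proxy/browser cache, never reached the server
    malicious: bool    # analyst verdict on the returned content

def consistent_hypotheses(fetches):
    """Return which of 'ip', 'cookie', 'cache' predict every observed response."""
    ordered = sorted(fetches, key=lambda f: f.order)
    live = [f for f in ordered if not f.from_cache]  # requests the server actually saw
    seen_ips, ip_ok, cookie_ok = set(), True, True
    for f in live:
        first_visit = f.source_ip not in seen_ips
        seen_ips.add(f.source_ip)
        # IP blocking: malicious content only on the first visit from an address.
        ip_ok = ip_ok and f.malicious == first_visit
        # Cookie blocking: malicious content only while no cookie is presented.
        cookie_ok = cookie_ok and f.malicious == (not f.sent_cookie)
    # Caching (assumed model): only cached copies are benign, live responses are not.
    cache_ok = all(f.malicious != f.from_cache for f in ordered)
    benign_live = any(not f.malicious for f in live)  # something for ip/cookie to explain
    verdicts = {
        "ip": ip_ok and benign_live,
        "cookie": cookie_ok and benign_live,
        "cache": cache_ok and any(f.from_cache for f in ordered),
    }
    return [name for name, ok in verdicts.items() if ok]

# Constructed observations; addresses are from the documentation ranges.
A, B = "192.0.2.10", "198.51.100.7"
REVISIT_ONLY = [Fetch(1, A, False, False, True), Fetch(2, A, True, False, False)]
# Same address with an emptied cookie jar, then a fresh address.
CLEARED_JAR = REVISIT_ONLY + [Fetch(3, A, False, False, False),
                              Fetch(4, B, False, False, True)]
# Same address with an emptied cookie jar gets the malicious content again.
COOKIE_GATED = REVISIT_ONLY + [Fetch(3, A, False, False, True)]

if __name__ == "__main__":
    for name, obs in [("revisit only", REVISIT_ONLY), ("cleared jar", CLEARED_JAR),
                      ("cookie gated", COOKIE_GATED)]:
        print(f"{name}: {consistent_hypotheses(obs)}")
```

A plain revisit leaves IP blocking and cookie blocking indistinguishable; only a request that changes one factor at a time (same address without the cookie, or a new address) separates them.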