New SQL-based Trojan Detected on Pro-Tibet Sites

Two Websites supporting Tibet suffered a malware attack that could lead to attack on remote or local databases on a visitor's computer, McAfee discovered.

On the McAfee Avert Labs blog, McAfee declared that it identified the malware as the Fribet Trojan. This malware was planted on the Websites favoring Tibet, possibly by exploiting a Vector Markup Language vulnerability (MS07-004) that Microsoft patched in early 2007. When users visiting the pro-Tibet sites got infected, the Fribet Trojan would open a backdoor component on the hijacked computers.

Geok Meng Ong and Shinsuke Honjo, McAfee Researchers, reported via a posting on one of its company blogs that the Trojan performs a couple of harmful activities. First, it enables the attacker to control the infected PC from a distance and installs programs. Secondly, it enables the infected computer to receive SQL commands, as reported by vnunet on April 11, 2008.

With these abilities, the attacker could use the infected systems to host additional Web exploits, say the researchers.

They wrote that the Trojan could be potentially used in place of SQL injection attacks and more directly.

The researchers also warned that even secure Websites that are safeguarded from the typical SQL injection attacks, the administrators should ensure that backends of databases are equally protected from such a piercing vector.

Schmugar said that the malware is different because it seeks databases that the hijacked PC might be accessing. If a person is having a database pertaining to administration, with which a host site was created, then other sites could also be potentially infected The infection could also lead to compromise of any database the user accesses, as reported by SC MAGAZINE on April 11, 2008,

Schmugar said that unlike the generic backdoor, this malware is the first kind he knows that has the specific SQL code making attempts to access databases.

According to the researchers, hosting of exploits on any system would require the attacker to know all information about the network configuration of the system as well as the user's credentials all that the info-stealing Fribet could help in obtaining.

Related article: New Zealand Releases Code To Reduce Spam

» SPAMfighter News - 4/17/2008