Here we go again, the Fake AV criminals have come up with a new attack, the SonicWALL research team has received reports of a mass SQL injection infecting millions of websites. It is likely that the back-end databases of these websites were compromised leading to this SQL injection.
Malicious script codes were inserted and being served in webpages which when triggered redirects to malicious links that serves FakeAV malware.
The following are some of the reported Malicious URLs inserted on compromised webpages:
• alexblane(dot)com/ur.php
• alisa-carter(dot)com/ur.php
• books-loader(dot)info/ur.php
• lizamoon(dot)com/ur.php
• milapop(dot)com/ur.php
• t6ryt56(dot)info/ur.php
• tadygus(dot)com/ur.php
• Worid-of-books(dot)com/ur.php
All of these URLs resolve to single IP: 91.213.29.182
SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:
• GAV: ScrInject.UR (Trojan)
• GAV: Suspicious#asprotect (Trojan)
If you don’t have a SonicWALL with the Gateway AntiVirus (or Comprehensive Security Suite), it is just a matter of time until this pops up on your network. Be prepared or better yet, contact IFix Computers for a SonicWALL that will protect your network.
Until we meet again, have a Fake AV free week!
pls send me the signature of scrinject.ur (Trojan)
You need to check with your anti-virus provider.
McAfee does not appear to have anything to block this. It appears they want you to have a hardware device like a SonicWall to block this.