Malware Domains Used in the SQL Injection Attacks

May 22, 2008
Whereas the value of these malicious domains lies in the historical preservation of evidence, as long as hundreds of thousands of sites continue operating with outdated and unpatched web applications, the list is prone to grow on a daily basis, thanks to copycats and the Asprox botnet. The Shadowserver Foundation's list of malicious domains used in the SQL injection attacks :

nihaorr1.com
free.hostpinoy.info

xprmn4u.info
nmidahena.com
winzipices.cn
sb.5252.ws
aspder.com

11910.net
bbs.jueduizuan.com
bluell.cn

2117966.net
s.see9.us
xvgaoke.cn
1.hao929.cn
414151.com
cc.18dd.net

kisswow.com.cn
urkb.net
c.uc8010.com
rnmb.net
ririwow.cn
killwow1.cn
qiqigm.com
wowgm1.cn
wowyeye.cn
9i5t.cn
computershello.cn
z008.net
b15.3322.org
direct84.com
caocaowow.cn
qiuxuegm.com
firestnamestea.cn
qiqi111.cn
banner82.com s
meisp.cn

okey123.cn
b.kaobt.cn
nihao112.com
al.99.vc
aidushu.net
chliyi.com

free.edivid.info
52-o.cn
actualization.cn

d39.6600.org
h28.8800.org
ucmal.com
t.uc8010.com
dota11.cn

bc0.cn
adword71.com
killpp.cn

w11.6600.org
usuc.us
msshamof.com
newasp.com.cn

wowgm2.cn
mm.jsjwh.com.cn
17ge.cn
adword72.com
117275.cn

vb008.cn
wow112.cn
nihaoel3.com

Some new additions that I'm tracking :

a.13175.com
r.you30.cn
d39.6600.org
001yl.com
free.edivid.info
aaa.1l1l1l.Com/error/404.html
cc.buhaoyishi.com/one/hao5.htm?015
aaa.77xxmm.cn/new858.htm?075
llSging.com/ww/new05.htm?075

shIjIedIyI.net/one/hao8.htm?005

congtouzaIlaI.net/one/hao8.htm?005
aa.llsging.com/ww/new05.hTm?075

The rough number of SQL injected sites is around 1.5 million pages, in reality the number is much bigger, and there are several ongoing campaigns injecting obfuscated characters making it a bit more time consuming to track down. Who's behind these attacks? Besides the automation courtesy of botnets, the short answer is everyone with a decent SQL injector, and today's SQL injectors have a built-in reconnaissance capabilities, like this one which I assessed in a previous post.

About the author

Dancho Danchev is the world's leading expert in the field of cybercrime fighting and threat intelligence gathering having actively pioneered his own methodlogy for processing threat intelligence leading to a successful set of hundreas of high-quality anaysis and research articles published at the industry's leading threat intelligence blog - ZDNet's Zero Day, Dancho Danchev's Mind Streams of Information Security Knowledge and Webroot's Threat Blog with his research featured in Techmeme, ZDNet, CNN, PCWorld, SCMagazine, TheRegister, NYTimes, CNET, ComputerWorld, H+Magazine currently producing threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge. With his research featured at RSA Europe, CyberCamp, InfoSec, GCHQ and Interpol the researcher continues to actively produce threat intelligence at the industry's leading threat intelligence blog - Dancho Danchev's - Mind Streams of Information Security Knowledge publishing a diverse set of hundreds of high-quality research analysis detailing the malicious and fraudulent activities at nation-state and malicious actors across the globe.