Mary Landesman, senior security researcher at ScanSafe, believes that three major waves of SQL injection attacks may be linked, originating from the same attacker. Approximately 80,000 Chinese, 67,000 U.S., and 40,000 Indian websites are still infected by a botnet as a result of SQL injection attacks. At one point, millions of Chinese sites were compromised. Landesman says the attacks were the work of the same attacker because of similar domain name registration information and methods used.
“It’s the thread of the domain names being used,” Landesman says. Seven of these “mal-domains” — a term coined by Landesman to describe domain names used solely to build Internet infrastructure to spread malware or otherwise cause harm — were registered under the same name and address (which are clearly bogus, amounting to little more than gibberish).
Most of the domains were registered with a major registrar, which is uncharacteristic of such attacks. Usually attackers choose lesser-known or less reputable registrars in order to slip through unnoticed. The problem is the system, Landesman says, which allows people to register domain names using completely false information with no procedure for verifying identity.
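The pivot described above (grouping domains by shared registrant details and noticing that the shared details are gibberish) can be reproduced by a defender over WHOIS-style data. The following is an added example, not code from the article or from ScanSafe; the records, domain names and the vowel-ratio heuristic are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample WHOIS-style records (not real registrations).
RECORDS = [
    {"domain": "example-a.test", "registrant": "Xqzvk Plmnrt", "address": "123 fake st"},
    {"domain": "example-b.test", "registrant": "xqzvk plmnrt ", "address": "123 Fake St"},
    {"domain": "example-c.test", "registrant": "XQZVK PLMNRT", "address": "123 fake st."},
    {"domain": "legit-shop.test", "registrant": "Acme Retail Ltd", "address": "10 Market Road"},
    {"domain": "other-site.test", "registrant": "Jane Doe", "address": "45 Elm Avenue"},
]

def normalize(value: str) -> str:
    """Lower-case, drop punctuation and collapse whitespace so trivially varied copies match."""
    value = re.sub(r"[^\w\s]", "", value.lower())
    return " ".join(value.split())

def looks_like_gibberish(name: str) -> bool:
    """Heuristic (assumption): a registrant name with almost no vowels is likely fabricated."""
    words = normalize(name).split()
    if not words:
        return True
    letters = sum(c.isalpha() for w in words for c in w)
    vowels = sum(c in "aeiou" for w in words for c in w)
    return letters > 0 and vowels / letters < 0.2

def cluster_by_registrant(records, min_size=2):
    """Group domains sharing the same normalized registrant name and address.
    Returns {(registrant, address): [domains]} for groups of at least min_size."""
    groups = defaultdict(list)
    for rec in records:
        key = (normalize(rec["registrant"]), normalize(rec["address"]))
        groups[key].append(rec["domain"])
    return {k: v for k, v in groups.items() if len(v) >= min_size}

def suspicious_clusters(records, min_size=2):
    """Clusters whose shared registrant name also fails the gibberish check."""
    return {k: v for k, v in cluster_by_registrant(records, min_size).items()
            if looks_like_gibberish(k[0])}

if __name__ == "__main__":
    for (name, addr), domains in suspicious_clusters(RECORDS).items():
        print(f"{name!r} / {addr!r}: {', '.join(domains)}")
```

Real WHOIS data is far noisier (privacy proxies, partial redaction), so in practice the registrant key would be one signal combined with registrar, creation date and name-server overlap.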