Blue Coat WebPulse Protects Users from Latest Attack by Shnakule Malnet

September 2011 by Blue Coat Systems

The Blue Coat® WebPulse™ collaborative defense proactively protected its 75 million users from the latest attack launched by Shnakule. Blue Coat Security Labs has been tracking the Shnakule infrastructure, which enabled WebPulse to dynamically identify the new threat.

In the attack, first reported by Armorize Technologies, MySQL.com, a legitimate Web site, was hacked and was serving malicious JavaScript that created an invisible iframe. The iframe enabled a drive-by download attack hosted on servers external to the MySQL.com site.

The attack utilized not only sites that are known to be part of the Shnakule malnet but new exploit and payload servers as well. The attack host was one of many malicious sites on a server that WebPulse had already categorized and blocked as a malware host, proactively protecting users from the attack that launched three days later. In the five days that the server has been in use, Blue Coat Security Labs has identified 81 different malware sites on this server.

Nearly 400,000 people visit MySQL.com per day, which provides cybercriminals with a high-profile, potentially lucrative target. Among the pages targeted by the iframe injection were several pages documenting database administration, so a successfully executed attack could deliver malware designed to locate additional database credentials and locations on the victim’s system. Such information would give the cybercriminal access to a wealth of potentially sensitive information and the ability to compromise additional systems.

The Shnakule network averages around 2,000 unique host names per day with as many as 5,708 in a single day. On an average day, the WebPulse service logs more than 21,000 requests into that malnet. Shnakule has traditionally been active with fake anti-virus attacks conducted via search engine poisoning, but has lately expanded into new types of attacks. In July, the malnet launched a malvertising attack. Blue Coat logged 15,000 user requests related to that attack.

The WebPulse collaborative defense provides proactive protection against new malware attacks for 75 million users worldwide.

