Tibet attack Trojan identified

A new SQL-based Trojan has been connected to the www.vnunet.com on pro-Tibet websites as well as the www.vnunet.com of site infections uncovered last month.

A pair of researchers are reporting that the 'Fribet' Trojan has spread among users by embedding itself in pro-Tibet websites by way of an SQL injection and then exploiting a browser vulnerability to remotely install and execute.

McAfee researchers Shinsuke Honjo and Geok Meng Ong reported on a company blog posting that the Trojan not only gives the attacker the ability to remotely control and perform installations on infected PCs, but it also provides the ability to receive SQL instructions.

This, the researchers say, can allow the attacker to use infected machines to host other web exploits.

"This Trojan apparently can be used as an alternate to SQL Injection attacks, but in a more direct way," they wrote.

"Even the administrators of secure websites, protected against common SQL injection attacks, should ensure database backends are equally secure to defend against such a penetration vector."

There are, however, some mitigating factors. At the time of the posting, the server that the infected machines connected to was not active, so computers running the Trojan were not being sent commands.

The researchers also noted that in order to host web exploits on a machine, an attacker would need extensive information on a machine's network configuration and user credentials. Researchers do, however, believe that such information could be obtained through Fribet's info-stealing components.