Mass SQL Injection Attack Hits Sites Running IIS
There's a large-scale attack underway that is targeting Web servers running Microsoft's IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there's no clear indication of who's behind the campaign right now.
The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.
The massive campaign is targeting servers running Microsoft IIS and ASP.NET software. The attack appears to be a variation of the ever-popular SQL injection, in which attackers pass malformed input through a Web application's parameters so that it is executed as SQL and inserts their code into vulnerable Web sites. Once a site is compromised, the injected code then attempts to compromise the machines of visitors to the site and install malware on their PCs as well.
This is an extremely popular attack vector that has been in wide use by a variety of attackers for the last few years and has been very successful, thanks to the shoddy state of Web security.
In the current attack on IIS-based sites, the injected code redirects visitors to a specific site, which then installs malware on their machines. An analysis by Sucuri shows the details. Here is what the original Web request looks like in the server's IIS log (the hex-encoded payload is truncated in the excerpt):
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx
utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076……..
6F523B2D2D%20eXEc(@s)-- 80 - 121.xx.xxx.xx HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
www.website.com 200 0 0 32068 1685 0
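The request above is one line of an IIS W3C log with the payload URL-encoded, and the real statement is hidden inside the 0x... literal: the visible prefix 0x6445634C6152652040742076 decodes to "dEcLaRe @t v", the start of a second DECLARE. The following is an added example, not part of the article or of Sucuri's analysis, that scans W3C log lines for this DECLARE/SET/EXEC pattern and decodes the hex literal. The field layout, the regular expression and the sample lines are assumptions; the sample log lines and the inner statement they carry are constructed.

```python
"""Spot the hex-encoded DECLARE/SET/EXEC injection from the IIS log above in
other W3C log lines and recover the statement hidden in the 0x... literal.
Added example, not part of the article or the Sucuri analysis: the field
layout, the regex and the sample log lines are assumptions, and the sample
lines (including the inner statement) are constructed."""
import re
from urllib.parse import unquote

# Default IIS W3C Extended field order; matches the 22 columns of the log line in the article.
FIELDS = ("date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query "
          "s-port cs-username c-ip cs-version cs(User-Agent) cs(Cookie) cs(Referer) cs-host "
          "sc-status sc-substatus sc-win32-status sc-bytes cs-bytes time-taken").split()

# DECLARE @v [n]varchar(n) SET @v=0x... EXEC(@v): the same variable name must appear three
# times, so the back-reference cuts false positives from ordinary pages that mention "exec".
STACKED_EXEC = re.compile(
    r"declare\s+@(\w+)\s+(n?varchar)\s*\(\s*\d+\s*\)\s*"
    r"set\s+@\1\s*=\s*(0x[0-9a-f]+)\s*"
    r"exec\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

# Constructed inner statement standing in for the real payload, which the excerpt truncates.
INNER_SQL = ("dEcLaRe @t vArChAr(255) "
             "sEt @t='UPDATE pages SET title=title+''<script src=//example.invalid/x.js></script>''' "
             "eXEc(@t)")
HEX_PAYLOAD = "0x" + INNER_SQL.encode("ascii").hex().upper()

# Constructed log lines: one carrying the injection, one benign request to the same page.
SAMPLE_LOG = [
    "2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=campaign&utm_medium=banner&utm_content=100x200';dEcLaRe%20@s%20vArChAr(8000)"
    "%20sEt%20@s=" + HEX_PAYLOAD + "%20eXEc(@s)-- 80 - 121.0.0.1 HTTP/1.1 "
    "Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1) - - www.example.com 200 0 0 32068 1685 0",
    "2010-06-07 13:31:16 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=campaign&utm_medium=banner&utm_content=100x200 80 - 10.0.0.5 HTTP/1.1 "
    "Mozilla/5.0+(Windows+NT+6.1) - - www.example.com 200 0 0 1024 512 0",
]


def decode_hex_literal(literal: str, nvarchar: bool = False) -> str:
    """Turn a T-SQL binary literal (0x...) back into the text it encodes.
    varchar payloads are single-byte text; nvarchar payloads are UTF-16LE."""
    raw = bytes.fromhex(literal[2:])
    return raw.decode("utf-16-le" if nvarchar else "latin-1")


def parse_w3c_line(line: str) -> dict:
    """Split one W3C log line into named fields. Fields never contain spaces,
    because IIS logs the query string URL-encoded and the UA with '+'."""
    parts = line.split()
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    return dict(zip(FIELDS, parts))


def scan_log(lines):
    """Return one hit per line whose query string carries the stacked EXEC pattern,
    with the hidden statement decoded so an analyst can read what was run."""
    hits = []
    for line in lines:
        if not line.strip() or line.startswith("#"):   # skip blanks and W3C header lines
            continue
        rec = parse_w3c_line(line)
        query = unquote(unquote(rec["cs-uri-query"]))  # tolerate double URL-encoding
        m = STACKED_EXEC.search(query)
        if not m:
            continue
        var, kind, literal = m.groups()
        hits.append({
            "client_ip": rec["c-ip"],
            "uri_stem": rec["cs-uri-stem"],
            "variable": var,
            "decoded_sql": decode_hex_literal(literal, nvarchar=kind.lower() == "nvarchar"),
        })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['client_ip']} -> {hit['uri_stem']} via @{hit['variable']}: {hit['decoded_sql']}")
```

Decoding the literal matters more than matching the outer wrapper: the wrapper is the same in every request, while the inner statement tells you which tables and columns were rewritten and which script URL was appended, which is what you need to clean the database and to search other logs.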
Microsoft's Jerry Bryant told Bob McMillan of the IDG News Service that the attack doesn't exploit any vulnerability in IIS, but instead is an attack against third-party Web applications.
"The SQL injection attacks that allow the systems to be compromised are occurring due to vulnerabilities in third-party web applications and do not demonstrate vulnerabilities in Microsoft software," Bryant told McMillan.
Estimates of the scope of the SQL injection attack have ranged from a few thousand compromised sites to more than 100,000 sites.
Comments
So what 3rd party software does this script affect? Who needs to be concerned about this? What software do these newspapers run?
Dark Energy, SQL injection attacks can affect web sites that do not properly take into account the possibility of SQL commands being injected into the fields of a web site. The third party being mentioned are the developer(s) of the sites affected.
This isn't a generic random SQL injection spam attack, Anon. Looking at the address line of "utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;" it seems blatantly targeted to a very specific application. Dark's question is: What application?
This is pretty easy to block with URLSCAN 3.1
You can use the MaxAllowedContentLength, MaxUrl, and MaxQueryString settings and/or
Drop anything with a Declare statement in it (not likely this is legit for most sites)
Looks like google analytics....
This has nothing to do with IIS, a SQL injection is a developer fault.
Believe me, the MS software is still crappy! SQL injection is still a problem of coding though
This is not a new attack. It is very old, and just being re-applied. (And, it has nothing to do with Microsoft or IIS. It's a fault of poor programming!)
The SQL Injection is rewriting your page's < title > tags and adding a javascript file which references the malicious unpacker code on a third party server.
Big? yes. Effective? yes. Stoppable? Completely. You need to clean your SQL before allowing it to be posted to the database. Use Stored Procedures!
Ah, more Windows users get burned, no surprise. This is another round of the Darwin awards, wooo! Get em Steve B, burn those customers lol.
Only poorly written MS SQL and Sybase applications are vulnerable to this particularly severe type of attack, due to the way both databases allow statements to be combined.
Poorly written applications for other databases are vulnerable to SQL injections as well (predicate modification mostly), but are not vulnerable to this type of attack, where an attacker can get the database to execute arbitrary SQL statements, because other databases do not allow SQL statements to be combined in the same willy nilly fashion.
It is impossible to prevent sql injection attacks as long as web apps are coded improperly. Databases must be monitored as a second line of defense so intrusions can be detected and alarmed.
Your headline names Microsoft IIS web server software even though this is completely unrelated to Microsoft or IIS. It's a vulnerability in code written by a 3rd party that runs on Microsoft platforms. It could just as easily been a script written to run on Apache.
But I guess a headline naming the vulnerable 3rd party doesn't get as much clickthrough traffic. Good job throwing away any integrity you have. A++ Kudos. Much easier than writing good content.
Kevin, you are my journalism HERO.
Easy to really find out how many have been compromised: you just need to find the code of one containing the javascript that is fetching the malware, and then do a Google search including key phrases. The results could astound you.
Perhaps the idea behind name dropping IIS is the idea that a good majority of the time IIS is running MSSQL. With that in mind -- who/whatever is pushing out these sql injections is going directly after MSSQL structure. With that in mind, how many Apache servers run MS SQL? So it's fair in thinking that because they are moreover targeting MSSQL ... therefore IIS ... therefore Microsoft ... therefore ... I'll stop there. Just my two cents.
By the way, for those saying that using stored procedures is "enough" to solve a SQL injection problem, keep in mind that more thought still needs to go into it.
For instance, I have seen some stored procs which accept a varchar parameter which is a comma-delimited list of numbers, then concatenate this parameter with a SQL statement (i.e., plugging the comma-delimited list of numbers into a "WHERE IN (1,2,3)" clause) and execute this with sp_executesql. This still allows a SQL injection problem even when stored procedures are used.
So, much more thought than simply "use stored procs" needs to be applied. Just sayin'...
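The comma-delimited IN-list described in the comment above, as an added example that is not part of the page or of any commenter's code. Python with an in-memory sqlite3 database is swapped in for T-SQL and sp_executesql so that it runs stand-alone; the principle is identical, since the flaw is that the caller's string becomes part of the statement text. The table, the rows and the attack string are constructed.

```python
"""A stored procedure (or any function) that splices a caller-supplied
comma-delimited list into "WHERE id IN (...)" is injectable no matter how it
is invoked.  Added example, not from the page: Python/sqlite3 stands in for
T-SQL + sp_executesql, vulnerable form beside the fixed one.  Table, rows and
attack input are constructed."""
import sqlite3


def setup_db() -> sqlite3.Connection:
    """Constructed sample data: two public pages and one that must never leak."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, is_public INTEGER);
        INSERT INTO pages VALUES (1, 'Home', 1), (2, 'News', 1), (3, 'Admin notes', 0);
    """)
    return conn


def titles_unsafe(conn: sqlite3.Connection, id_list: str) -> list:
    """Mirrors the stored proc in the comment: the caller's string is pasted into
    the statement text, so it can close the IN(...) and append its own predicate.
    On SQL Server it could also append a whole second statement after a ';'."""
    sql = f"SELECT title FROM pages WHERE is_public = 1 AND id IN ({id_list}) ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn: sqlite3.Connection, id_list: str) -> list:
    """Parse each element as an integer and bind one placeholder per value.
    Only the number of '?' depends on the input; the statement text never
    contains user data, so there is nothing to break out of."""
    ids = [int(part) for part in id_list.split(",")]   # int() raises on anything but digits
    placeholders = ",".join("?" for _ in ids)
    sql = f"SELECT title FROM pages WHERE is_public = 1 AND id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in conn.execute(sql, ids)]


if __name__ == "__main__":
    db = setup_db()
    attack = "1) OR 1=1 --"          # closes the IN list, widens the WHERE, comments out the rest
    print("unsafe, honest input :", titles_unsafe(db, "1,2"))
    print("unsafe, attack input :", titles_unsafe(db, attack))   # leaks 'Admin notes'
    print("safe,   honest input :", titles_safe(db, "1,2"))
    try:
        titles_safe(db, attack)
    except ValueError as exc:
        print("safe,   attack input : rejected,", exc)
```

The same fix applies inside a T-SQL procedure: split the list into a table variable (or pass a table-valued parameter) and join against it, rather than handing sp_executesql a string assembled from the parameter.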