There’s a large-scale attack underway that is targeting Web servers running Microsoft’s IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there’s no clear indication of who’s behind the campaign right now.
The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.
The massive campaign is targeting servers running Microsoft IIS and ASP.net software. The attack appears to be a variation of the ever popular SQL injection, in which malicious hackers uses malformed commands in order to insert code on vulnerable Web sites. Once the site is compromised, the malicious code then attempts to compromise the machines of visitors to the site and install malware on their PCs, as well.
This is an extremely popular attack vector that has been in wide use by a variety of attackers for the last few years and has been very successful, thanks to the shoddy state of Web security.
In the current attack on IIS-based sites, the malicious code is attempting to redirect visitors to a specific site, which then installs malware on the victims’ machines. An analysis of the attack by Sucuri shows the details of the attack. Here’s what the original Web request looks like:
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx
utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076……..
6F523B2D2D%20eXEc(@s)– 80 – 121.xx.xxx.xx HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) – –
www.website.com 200 0 0 32068 1685 0
Microsoft’s Jerry Bryant told Bob McMillan of the IDG News Service that the attack doesn’t exploit any vulnerability in IIS, but instead is an attack against third-party Web applications.
“The SQL injection attacks that allow the systems to be compromised are
occurring due to vulnerabilities in third-party web applications and do
not demonstrate vulnerabilities in Microsoft software,” Bryant told McMillan.
Estimates of the scope of the SQL injection attack have ranged from a few thousand compromised sites to more than 100,000 sites.
