Mass Malware Hack

2010-06-15

Dan Goodin, The Register, reports that more than 1,000 pages belonging to a wide range of domains were compromised in a recent quick moving SQL injection attack, including 17 pages on idera.com with one page ironically titled "Understanding SQL Server Security Options".

The article states that the domains compromised in the attack cause Users who visit the website links to connect to a server that tries to install malware on their PCs. Goodin writes "The mass attack is similar to one that struck at least 7,000 webpages earlier this week. They work by injecting database commands into search boxes and other user input fields on the sites. Because the underlying web applications fail to properly filter the content, they get passed to the site's backend server, where they are executed. The result is an iframe in the page that silently redirects users to a drive-by download site."

Goodin says that the latest SQL injection attack pulls down a malicious javascript from 2677.in which, according to anti-virus firm Symantec, downloads a serious threat dubbed "HTTP Microsoft IE Generic Heap Spray BO."

David Dede, head of malware research at Sucuri, a website monitoring firm blogged that all the sites appear to be using Microsoft's Internet Information Services using ASP.net. Dede says that the vulnerability is caused by individual web applications running on that platform rather than the platform itself.