In association with heise online

25 April 2008, 15:31

Hundreds of thousands of web pages infected with malicious JavaScript

Several security services have recently found hundreds of thousands of infected web pages. They all point to a Chinese server from which they load JavaScript designed to exploit vulnerabilities and slip visitors a trojan. Even pages owned by institutions like the United Nations (un.org) and the UK government (.gov.uk) are said to be affected.

According to an analysis by Websense, the malware tries to exploit a total of eight security holes to pass malicious code to the visitors of the pages unnoticed, for example via the VML hole already patched in January 2007. F-Secure has monitored attackers who tried to break into .asp and .aspx web pages by passing a hex-encoded SQL query in the page parameters:

DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004[...]

Once decoded, this is an SQL query designed to find all the text fields in the database behind the web page and inject JavaScript code into them:

DECLARE @T varchar(255),@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name,b.name from sysobjects a,syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b[...]

Both code snippets are only the beginning of the request. Administrators of servers delivering .asp or .aspx pages (like Microsoft's IIS) are advised to check their log files for similar entries and if necessary search their databases for injected links.
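As an added example (not from the original article or from F-Secure), the log check suggested above can be sketched in Python: it URL-decodes each log line, looks for the DECLARE ... CAST(0x...) pattern shown earlier and decodes the hex literal as UTF-16LE so the hidden SQL can be read. The log lines and their field layout are constructed for illustration; the hex prefix is the truncated one quoted in this article.

```python
import re
from urllib.parse import unquote_plus

# Patterns for the request shown in the article, applied after URL-decoding.
DECLARE = re.compile(r"DECLARE\s+@\w+\s+N?VARCHAR", re.IGNORECASE)
CAST_HEX = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.IGNORECASE)

def decode_blob(hex_text):
    """Decode a T-SQL hex literal as UTF-16LE text, tolerating truncation."""
    # Keep whole UTF-16 code units only (4 hex digits each); logs may cut the blob.
    hex_text = hex_text[: len(hex_text) - len(hex_text) % 4]
    return bytes.fromhex(hex_text).decode("utf-16-le", errors="replace")

def scan(lines):
    """Return (line_number, decoded_sql) for every line carrying the pattern."""
    hits = []
    for number, line in enumerate(lines, 1):
        text = unquote_plus(line)  # handles %20 and '+' used for spaces
        if not DECLARE.search(text):
            continue
        match = CAST_HEX.search(text)
        if match:
            hits.append((number, decode_blob(match.group(1))))
    return hits

# Constructed sample log lines (assumed layout: date time method path query port
# user client-ip status). Only the hex prefix in line 2 comes from the article.
SAMPLE_LOG = [
    "2008-04-24 10:15:02 GET /news.asp id=42 80 - 192.0.2.10 200",
    "2008-04-24 10:15:07 GET /news.asp id=42;DECLARE%20@S%20NVARCHAR(4000);"
    "SET%20@S=CAST(0x4400450043004C0041005200450020004 80 - 192.0.2.77 200",
    "2008-04-24 10:15:09 GET /declare.aspx page=2 80 - 192.0.2.10 200",
]

if __name__ == "__main__":
    for number, sql in scan(SAMPLE_LOG):
        print(f"line {number}: suspicious request, decoded SQL starts: {sql!r}")
```

A hit in the logs only shows that the request was received; whether it succeeded is determined by searching the database for the injected links, as advised above.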

A Google search with the injected links produced more than 290,000 infected web pages.

Because server vulnerabilities are increasingly being exploited automatically, server operators should check their web presence for security deficiencies. Tips and instructions for securing your own web server can be found in articles like "Fuzzy ways of finding flaws" or "Basic security for PHP software" on heise Security.

(trk)

Permalink: http://h-online.com/-735001