According to an analysis by Websense, the malware tries to exploit a total of eight security holes to pass malicious code to the visitors of the pages unnoticed, for example via the VML hole already patched in January 2007.
F-Secure has monitored attackers who tried to break into .aspx web pages by submitting the page parameters in an encrypted SQL query:
DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b[...]
Both code snippets are only the beginning of the request. Administrators of servers delivering .aspx pages (like Microsoft's IIS) are advised to check their log files for similar entries and, if necessary, search their databases for injected links.
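One way to run the log check advised above, as an added example (not code from heise, F-Secure or Websense): a Python scan of IIS W3C logs for the T-SQL markers visible in the quoted request. The log layout, the sample lines, the addresses and the hex-CAST pattern are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Markers taken from the request fragment quoted in the article; "hex-cast"
# is an added assumption about how an encoded variant could look.
MARKERS = {
    "declare-variable": re.compile(r"declare\s+@\w+", re.I),
    "cursor-over-schema": re.compile(r"table_cursor|cursor\s+for\s+select", re.I),
    "system-tables": re.compile(r"\bsys(objects|columns)\b", re.I),
    "hex-cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]{16,}", re.I),
}

# Constructed sample log (documentation IP ranges, invented paths and times).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time cs-method cs-uri-stem cs-uri-query c-ip sc-status
2000-01-01 10:01:12 GET /news.aspx id=42 192.0.2.10 200
2000-01-01 10:01:15 GET /news.aspx id=42+DECLARE+@T+varchar(255)+DECLARE+Table_Cursor+CURSOR+FOR+select+a.name+from+sysobjects+a 198.51.100.7 500
2000-01-01 10:02:03 GET /search.aspx q=declare+independence 192.0.2.11 200
""".splitlines()


def scan_iis_log(lines):
    """Return (line_no, client_ip, uri_stem, marker_names) per suspicious request."""
    fields, hits = [], []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout can change mid-file
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        # Decode twice so a double-encoded query (%2520 for a space) is still seen.
        query = unquote_plus(unquote_plus(row.get("cs-uri-query", "-")))
        found = sorted(name for name, rx in MARKERS.items() if rx.search(query))
        if found:
            hits.append((no, row.get("c-ip", "?"), row.get("cs-uri-stem", "?"), found))
    return hits


if __name__ == "__main__":
    for no, ip, stem, found in scan_iis_log(SAMPLE_LOG):
        print(f"line {no}: {ip} -> {stem} matched {', '.join(found)}")
```

A hit is a lead for the database search the article recommends, not proof that the injection succeeded.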
A Google search with the injected links produced more than 290,000 infected web pages.
Due to the increased automatic exploitation of server vulnerabilities, server operators should check their web presence for security deficiencies. Find tips and instructions for making your own web server secure in articles like Fuzzy ways of finding flaws or Basic security for PHP software on heise Security.
- Mass SQL injection, F-Secure security alert