
Zscaler: robint.us Mass Infection Affects Thousands of Websites

June 2010 by Zscaler

On Wednesday, June 9, numerous media outlets began publishing stories about a mass SQL injection attack against seemingly random websites. Initial reports incorrectly pegged the number of infected sites at over 100,000 and in some cases over one million. While the actual number now appears to be in the thousands, this nonetheless constitutes a mass infection. We have seen similar attacks in the past. Unfortunately, many websites remain vulnerable to SQL injection, and these attacks are as simple as creating a script that scans for vulnerable pages and then indiscriminately injects a malicious payload, in this case a link to a JavaScript file.

Zscaler first became aware of the situation on the morning of Monday, June 7 and immediately began blocking any attempt by a client machine to pull content from the robint.us domain, which was hosting the malicious JavaScript used in the attack. Data mining of Zscaler's NanoLogs has revealed the following details about the attack:

• The first transactions to ww.robint.us were seen on June 7, 2010 at 03:56 PT.

• Zscaler placed a block on the offending domain within the first 3 hours of the incident.

• To date, we have seen 1,071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs.

• The ww.robint.us incident is considered a mass scale incident, given that several thousand websites were impacted. Despite that fact, our data shows that a very small pool of our users (well under 1%) actually had visited infected websites, meaning that generally speaking, the infected websites were lesser-known sites that were not popular among our enterprise user base.

• Analyzing two of the binary executables involved in the attack, we’re able to confirm that both were additionally blocked by Zscaler’s inline anti-virus protection.
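The statistics above (first-seen time, transaction count, unique users, unique source IPs, block status) are the kind of numbers a defender pulls out of proxy logs once a malicious domain is known. The following is an added example, not Zscaler's code or NanoLog format: it parses a handful of constructed log lines in an assumed space-separated layout and summarises every request whose host is the sinkholed domain or one of its subdomains (ww.robint.us, as named on the page; the URL paths are made up).

```python
"""Summarise proxy log transactions to a known-malicious domain.

Added example. The log layout below is an assumption:
    <ISO timestamp> <user> <source IP> <method> <URL> <action>
The lines themselves are constructed sample data, not real traffic.
"""
from collections import namedtuple
from urllib.parse import urlparse

# Constructed sample log; paths under robint.us are invented for the example.
SAMPLE_LOG = """\
2010-06-07T03:56:12 alice 10.1.2.3 GET http://ww.robint.us/u.js allowed
2010-06-07T04:10:05 bob 10.1.2.4 GET http://www.example.com/index.asp allowed
2010-06-07T04:11:40 bob 10.1.2.4 GET http://ww.robint.us/u.js allowed
2010-06-07T05:02:09 alice 10.1.2.3 GET http://ww.robint.us/u.js allowed
2010-06-07T07:30:00 carol 10.1.2.9 GET http://ww.robint.us/u.js blocked
2010-06-07T07:31:00 dave 10.1.2.9 GET http://robint.us/ blocked
"""

Record = namedtuple("Record", "ts user src_ip method url action")


def parse_line(line):
    """Split one log line into a Record; returns None for malformed lines."""
    parts = line.split()
    if len(parts) != 6:
        return None
    return Record(*parts)


def host_matches(url, domain):
    """True if the URL's host is `domain` itself or any subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    domain = domain.lower()
    return host == domain or host.endswith("." + domain)


def summarize(log_text, domain="robint.us"):
    """Count transactions, distinct users/IPs, first-seen time and blocks
    for requests to `domain` (including subdomains such as ww.robint.us)."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r is not None and host_matches(r.url, domain)]
    hits.sort(key=lambda r: r.ts)  # ISO 8601 timestamps sort lexically
    return {
        "domain": domain,
        "transactions": len(hits),
        "unique_users": len({r.user for r in hits}),
        "unique_src_ips": len({r.src_ip for r in hits}),
        "first_seen": hits[0].ts if hits else None,
        "blocked": sum(1 for r in hits if r.action == "blocked"),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The host comparison is done on the parsed hostname rather than with a substring search, so an unrelated domain that merely ends in the same characters (for example notrobint.us) is not counted.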

On Wednesday, ShadowServer (a Zscaler partner), with cooperation from GoDaddy and Neustar, began to sinkhole the robint.us domain. This effectively ended the attack, as the domain is no longer accessible. While the infected pages still contain links to the malicious code, the code will no longer be returned. Many of the impacted sites remain vulnerable to subsequent SQL injection attacks, and ShadowServer is making every effort to inform them of the situation so that they can patch their vulnerable code. While all sites are running Microsoft IIS 6.0 or 7.0 web servers, the SQL injection attack vectors appear to stem from vulnerable code at the application level as opposed to a weakness in the web server itself.

To recap, Zscaler customers were protected from this attack shortly after it began thanks to quick action by the Zscaler Labs team and our ability to quickly push protection to all global Zscaler Enforcement Nodes. While the attack has been neutralized, Zscaler will continue to monitor the situation in case still-vulnerable sites become re-infected with additional malicious content. Should you have any questions about this attack, please do not hesitate to contact Zscaler Customer Support.
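Two remediation tasks follow from the paragraph above: patching the application-level SQL injection flaw, and finding the injected script links that remain in the affected sites' stored content even after the sinkhole. The following is an added example, not code from Zscaler, ShadowServer or any affected site: using an in-memory SQLite table with constructed rows, it contrasts a query built by string concatenation (the defect class behind the attack) with a parameterised query, and scans stored page bodies for `<script src>` references to hosts outside an allow-list. The table schema, the allow-list and the page contents are assumptions made for the example.

```python
"""SQL injection defect vs. parameterised query, plus a scan of stored
content for injected external script references.

Added example using sqlite3 on constructed data; schema and rows are
assumptions, not an affected site's real database.
"""
import re
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Build an in-memory table with constructed page rows; row 3 carries a
    script reference to the domain named in the article."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [
            ("Home", "<p>Welcome</p>"),
            ("O'Reilly review", "<p>Clean content</p>"),
            ("About", '<p>Hi</p><script src="http://ww.robint.us/u.js"></script>'),
        ],
    )
    return conn


def find_page_unsafe(conn, title):
    """VULNERABLE pattern: user input is spliced into the SQL text, so any
    quote character in `title` changes the statement's structure."""
    sql = "SELECT id FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_page_safe(conn, title):
    """Hardened form: the driver binds `title` as data, never as SQL."""
    rows = conn.execute("SELECT id FROM pages WHERE title = ?", (title,))
    return [row[0] for row in rows]


def unsafe_query_breaks(conn, title):
    """True if the concatenated query fails to parse for this input, which
    is the symptom that shows the input reached the SQL parser."""
    try:
        find_page_unsafe(conn, title)
    except sqlite3.OperationalError:
        return True
    return False


# Matches the src attribute of <script> tags in stored HTML (case-insensitive).
SCRIPT_SRC = re.compile(r"""<script[^>]+src\s*=\s*["']?([^"'\s>]+)""", re.I)


def injected_script_refs(conn, allowed_hosts):
    """Return (page id, host) for every script reference whose host is not
    in `allowed_hosts`; these are the links to check and remove."""
    findings = []
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        for src in SCRIPT_SRC.findall(body):
            host = (urlparse(src).hostname or "").lower()
            if host not in allowed_hosts:
                findings.append((page_id, host))
    return findings


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", find_page_safe(db, "O'Reilly review"))
    print("unsafe query breaks on a quote:", unsafe_query_breaks(db, "O'Reilly review"))
    print("external script refs:", injected_script_refs(db, {"www.example.com"}))
```

The legitimate title containing an apostrophe is enough to break the concatenated query, which is the same mechanism an attacker abuses; the parameterised version returns the row regardless of what characters the input contains. The content scan is a cleanup aid, not a fix: removing the injected links without patching the query leaves the site open to re-infection, as the article notes.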
