
Zscaler: robint.us Mass Infection Affects Thousands of Websites

June 2010 by Zscaler

On Wednesday, June 9, numerous media outlets began publishing stories about a mass SQL injection attack against
seemingly random websites. Initial reports incorrectly pegged the number of infected sites at over 100,000 and in some
cases over one million. While the actual number now appears to be in the thousands, this does nonetheless constitute a
mass infection. We have seen similar attacks in the past. Unfortunately, many websites remain vulnerable to SQL
injection, and these attacks are as simple as creating a script that scans for vulnerable pages and then indiscriminately
injects a malicious payload, in this case a link to a JavaScript file.

Zscaler first became aware of the situation on the morning of Monday, June 7 and immediately began blocking any
attempt by a client machine to pull content from the robint.us domain, which was hosting the malicious
JavaScript used in the attack. Data mining of Zscaler’s NanoLogs has revealed the following details about the attack:

• The first transactions to ww.robint.us were seen on June 7, 2010 at 03:56 PT.

• Zscaler placed a block on the offending domain within the first 3 hours of the incident.

• To date, we have seen 1,071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs.

• The ww.robint.us incident is considered a mass scale incident, given that several thousand websites were
impacted. Despite that fact, our data shows that a very small pool of our users (well under 1%) actually had
visited infected websites, meaning that generally speaking, the infected websites were lesser-known sites that
were not popular among our enterprise user base.

• Analyzing two of the binary executables involved in the attack, we’re able to confirm that both were additionally
blocked by Zscaler’s inline anti-virus protection.
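The figures above (first-seen time, transaction count, unique users, unique source IPs, share of the user base) are the kind of summary a defender pulls from proxy logs once a domain is blocked. The following is an added example, not Zscaler's code; it assumes a simple constructed log format of one request per line, not the NanoLog format, and the request paths are placeholders.

```python
"""Summarise proxy-log hits to a blocked domain (here ww.robint.us) the way the
incident bullets above do. Added example; the log format below is constructed."""
from collections import namedtuple
from datetime import datetime

# Constructed log lines: "<ISO time> <user> <src_ip> <host> <path>".
# The 03:56 line is deliberately not first, to show first-seen is the minimum.
SAMPLE_LOG = """\
2010-06-07T04:02:40 bob 192.0.2.11 ww.robint.us /placeholder.js
2010-06-07T03:56:12 alice 192.0.2.10 ww.robint.us /placeholder.js
2010-06-07T04:05:03 alice 198.51.100.7 ww.robint.us /placeholder.js
2010-06-07T04:07:59 carol 192.0.2.10 www.example.com /index.html
this line is malformed and must be skipped
2010-06-07T05:10:00 bob 192.0.2.11 ww.robint.us /placeholder.js
"""

Summary = namedtuple(
    "Summary", "first_seen transactions unique_users unique_ips share_of_users")


def summarize_domain_hits(log_text, domain):
    """Return first-seen time, hit count, distinct users and source IPs for
    `domain`, plus the fraction of all users in the log that touched it."""
    domain = domain.lower()
    first_seen = None
    transactions = 0
    users, ips, all_users = set(), set(), set()
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # tolerate malformed lines instead of aborting the run
        ts, user, src_ip, host, _path = parts
        all_users.add(user)
        if host.lower() != domain:
            continue
        t = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
        if first_seen is None or t < first_seen:
            first_seen = t
        transactions += 1
        users.add(user)
        ips.add(src_ip)
    share = len(users) / len(all_users) if all_users else 0.0
    return Summary(first_seen, transactions, len(users), len(ips), share)


if __name__ == "__main__":
    print(summarize_domain_hits(SAMPLE_LOG, "ww.robint.us"))
```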

On Wednesday, ShadowServer (a Zscaler partner), with cooperation from GoDaddy and Neustar, began to sinkhole the
robint.us domain. This effectively ended the attack, as the domain is no longer accessible. While the infected pages still
contain links to the malicious code, the code will no longer be returned. Many of the impacted sites remain vulnerable to
subsequent SQL injection attacks, and ShadowServer is making every effort to inform them of the situation so that they
can patch their vulnerable code. While all sites are running Microsoft IIS 6.0 or 7.0 web servers, the SQL injection attack
vectors appear to stem from vulnerable code at the application level as opposed to a weakness in the web server itself.

To recap, Zscaler customers were protected from this attack shortly after it began thanks to quick action by the Zscaler
Labs team and our ability to quickly push protection to all global Zscaler Enforcement Nodes. While the attack has been
neutralized, Zscaler will continue to monitor the situation in case still-vulnerable sites become re-infected with additional
malicious content. Should you have any questions about this attack, please do not hesitate to contact Zscaler Customer
Support.
