Robint.us – Case Study In Mass Website Infection

There have been numerous reports about the IIS/ASP SQL injection compromises that redirected users to ww.robint.us. See below for reading on this incident:

• http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html
• http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html
• https://www.shadowserver.org/

However, many of these posts do not discuss what was seen in terms of impact to actual users. Zscaler has millions of users from around the globe that use our cloud service. From our pool of users, this is what we saw:

• The first transactions that we saw to ww.robint.us were on June 7, 2010 at 03:56 PT.
• Zscaler became aware of and placed a block on the offending domain within the first 3 hours of the incident. Zscaler's inline A/V solution had signatures to detect the payload used prior to the attack.
• To date, we have seen 1071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs. Of the source IPs, 74% were from the United States, 6.5% from India, were from 4.3% from Germany, and the remaining 15.2% were spread across 7 other countries - illustrating the indiscriminate nature of the webserver attacks.

The ww.robint.us incident is considered a mass scale incident given that several thousand websites were impacted and used to redirect users to the malicious JavaScript. However, our data shows that a very small pool of our users (less than 1% of 1%) actually had attempted transactions to ww.robint.us, meaning that generally speaking the infected websites were fairly unpopular among our enterprise user base.

The below graph charts the transactions, source IPs and users impacted over time. Close to 50% (48.7%) of the transactions and 25% of the users that we saw were in the first 3 hours of the incident.