Security Advisory - June 10, 2010

robint.us Mass Infection Affects Thousands of Websites

On Wednesday, June 9, numerous media outlets began publishing stories about a mass SQL injection attack against seemingly random websites. Initial reports incorrectly pegged the number of infected sites at over 100,000 and in some cases over one million. While the actual number now appears to be in the thousands, this nonetheless constitutes a mass infection. We have seen similar attacks in the past. Unfortunately, many websites remain vulnerable to SQL injection, and these attacks are as simple as creating a script that scans for vulnerable pages and then indiscriminately injects a malicious payload, in this case a link to a JavaScript file.
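The application-level defect that makes this kind of mass injection possible, and the fix the impacted sites need, can be shown side by side. The following is an added example and not code from the advisory or from any of the affected sites; it uses Python with an in-memory SQLite database standing in for the IIS/ASP stack, and the table, column names and rows are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data: a small "products" table standing in for any
# database-backed page on an affected site. Names and rows are hypothetical.
SAMPLE_ROWS = [
    (1, "widget", "public"),
    (2, "gadget", "public"),
    (3, "internal tool", "private"),
]


def make_product_db() -> sqlite3.Connection:
    """Build the constructed sample database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER, name TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Vulnerable pattern: the request parameter is spliced into the SQL text.

    A quote character in the input ends the string literal early, so the rest
    of the input is parsed as SQL and changes what the query does. This is the
    class of defect the mass-injection scripts look for.
    """
    sql = ("SELECT id, name FROM products "
           f"WHERE visibility = 'public' AND name = '{name}'")
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """Hardened pattern: fixed SQL text, input passed as a bound parameter.

    The driver sends the value separately from the statement, so whatever the
    input contains it can only ever be compared as data, never run as SQL.
    """
    sql = ("SELECT id, name FROM products "
           "WHERE visibility = 'public' AND name = ?")
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = make_product_db()
    # Ordinary input: both versions return the same public row.
    print(lookup_vulnerable(db, "widget"), lookup_parameterized(db, "widget"))
    # Textbook probe: the concatenated query returns every row, including the
    # private one; the parameterized query simply finds no product by that name.
    probe = "x' OR '1'='1"
    print(lookup_vulnerable(db, probe), lookup_parameterized(db, probe))
```

The point for site owners is in the second function: with a bound parameter the SQL text never changes, which is why neither input validation nor removing the injected links from the database is a substitute for it.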

Zscaler first became aware of the situation on the morning of Monday, June 7 and immediately began blocking any attempt by client machines to pull content from the robint.us domain, which was hosting the malicious JavaScript used in the attack. Data mining of Zscaler's NanoLogs has revealed the following details about the attack:

  • The first transactions to ww.robint.us were seen on June 7, 2010 at 03:56 PT.
  • Zscaler placed a block on the offending domain within the first 3 hours of the incident.
  • To date, we have seen 1,071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs.
  • The ww.robint.us incident is considered a mass-scale incident, given that several thousand websites were impacted. Despite that, our data shows that only a very small pool of our users (well under 1%) actually visited infected websites, meaning that the infected websites were generally lesser-known sites that were not popular among our enterprise user base.
  • Analysis of two of the binary executables involved in the attack confirms that both were additionally blocked by Zscaler's inline anti-virus protection.

On Wednesday, ShadowServer (a Zscaler partner), with cooperation from GoDaddy and Neustar, began to sinkhole the robint.us domain. This effectively ended the attack, as the domain is no longer accessible. While the infected pages still contain links to the malicious code, the code will no longer be returned. Many of the impacted sites remain vulnerable to subsequent SQL injection attacks, and ShadowServer is making every effort to inform them of the situation so that they can patch their vulnerable code. While all affected sites are running Microsoft IIS 6.0 or 7.0 web servers, the SQL injection attack vectors appear to stem from vulnerable code at the application level as opposed to a weakness in the web server itself.
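Because the sinkhole only stops the script from being served, the injected links are still sitting in the affected sites' databases. The following is an added example, not code from the advisory, ShadowServer or any affected site, of how an operator can locate and remove such references: it walks every TEXT column of every table (mass injectors write to all of them, so a cleanup has to look at all of them), flags script tags whose src host is on a suspect list, and strips only those. SQLite stands in for the real database, the sample rows are constructed, and the JavaScript filename in the sample is a placeholder because the advisory does not give the real path.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Hostnames named in the advisory. The filename is a PLACEHOLDER: the real
# path of the malicious script is not given on the page.
SUSPICIOUS_HOSTS = {"robint.us", "ww.robint.us"}
INJECTED_TAG = '<script src="http://ww.robint.us/PLACEHOLDER.js"></script>'

# Matches a <script ... src=URL ...> tag and, if present, its closing tag.
SCRIPT_SRC_RE = re.compile(
    r'<script[^>]*\ssrc=["\']?([^"\'\s>]+)[^>]*>(?:\s*</script>)?', re.IGNORECASE)


def make_content_db() -> sqlite3.Connection:
    """Constructed sample site database with two tables of stored HTML."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE comments (id INTEGER, author TEXT, text TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (1, "Home", "<p>Welcome</p>"),
        (2, "About" + INJECTED_TAG, "<p>About us</p>" + INJECTED_TAG),
    ])
    conn.executemany("INSERT INTO comments VALUES (?, ?, ?)", [
        # A legitimate third-party script that must be left alone.
        (1, "alice", 'nice site <script src="https://cdn.example.org/app.js"></script>'),
        (2, "bob", "hello" + INJECTED_TAG),
    ])
    conn.commit()
    return conn


def is_suspicious(url: str, hosts=SUSPICIOUS_HOSTS) -> bool:
    """True if the URL's host is a listed host or a subdomain of one."""
    host = (urlparse(url).hostname or "").lower()
    return host in hosts or any(host.endswith("." + h) for h in hosts)


def text_columns(conn: sqlite3.Connection):
    """Yield (table, column) for every column declared TEXT in the database."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for col in conn.execute(f'PRAGMA table_info("{table}")'):
            # PRAGMA table_info rows: (cid, name, type, notnull, default, pk)
            if col[2].upper() == "TEXT":
                yield table, col[1]


def find_injected_refs(conn: sqlite3.Connection, hosts=SUSPICIOUS_HOSTS) -> list:
    """Return (table, rowid, column, url) for every suspect script reference."""
    hits = []
    for table, column in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            for m in SCRIPT_SRC_RE.finditer(value or ""):
                if is_suspicious(m.group(1), hosts):
                    hits.append((table, rowid, column, m.group(1)))
    return hits


def strip_injected_refs(text: str, hosts=SUSPICIOUS_HOSTS) -> str:
    """Remove only those script tags whose src points at a suspect host."""
    def repl(m):
        return "" if is_suspicious(m.group(1), hosts) else m.group(0)
    return SCRIPT_SRC_RE.sub(repl, text or "")


def clean_db(conn: sqlite3.Connection, hosts=SUSPICIOUS_HOSTS) -> int:
    """Rewrite every affected cell in place; returns the number of cells changed."""
    targets = {(t, r, c) for t, r, c, _ in find_injected_refs(conn, hosts)}
    for table, rowid, column in sorted(targets):
        (value,) = conn.execute(
            f'SELECT "{column}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?',
                     (strip_injected_refs(value, hosts), rowid))
    conn.commit()
    return len(targets)


if __name__ == "__main__":
    db = make_content_db()
    for hit in find_injected_refs(db):
        print("injected reference:", hit)
    print("cells cleaned:", clean_db(db))
    print("remaining:", find_injected_refs(db))
```

Run against a copy first and keep the list of hits: it doubles as the evidence of which records were altered. Cleaning the stored content removes the links but does nothing about the injection flaw itself, so the code fix still has to follow.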

To recap, Zscaler customers were protected from this attack shortly after it began thanks to quick action by the Zscaler Labs team and our ability to quickly push protection to all global Zscaler Enforcement Nodes. While the attack has been neutralized, Zscaler will continue to monitor the situation in case still-vulnerable sites become re-infected with additional malicious content. Should you have any questions about this attack, please do not hesitate to contact Zscaler Customer Support.