Security Advisory - June 10, 2010
robint.us Mass Infection Affects Thousands of Websites
- The first transactions to ww.robint.us were seen on June 7, 2010 at 03:56 PT.
- Zscaler placed a block on the offending domain within the first 3 hours of the incident.
- To date, we have seen 1,071 transactions to ww.robint.us across 71 unique users on 64 unique source IPs.
- The ww.robint.us incident is considered a mass scale incident, given that several thousand websites were impacted. Despite that fact, our data shows that a very small pool of our users (well under 1%) actually had visited infected websites, meaning that generally speaking the infected websites were lesser-known sites that were not popular among our enterprise user base.
- Analyzing two of the binary executables involved in the attack, we’re able to confirm that both were additionally blocked by Zscaler’s inline anti-virus protection.
On Wednesday, ShadowServer (a Zscaler partner), with cooperation from GoDaddy and Neustar, began to sinkhole the robint.us domain. This effectively ended the attack as the domain is no longer accessible. While the infected pages still contain links to the malicious code, the code will no longer be returned. Many of the impacted sites remain vulnerable to subsequent SQL injection attacks and ShadowServer is making every effort to inform them of the situation so that they can patch their vulnerable code. While all sites are running Microsoft IIS 6.0 or 7.0 web servers, the SQL injection attack vectors appear to stem from vulnerable code at the application level as opposed to a weakness in the web server itself.
To recap, Zscaler customers were protected from this attack shortly after it began thanks to quick action by the Zscaler Labs team and our ability to quickly push protection to all global Zscaler Enforcement Nodes. While the attack has been neutralized, Zscaler will continue to monitor the situation, should still vulnerable sites become re-infected with additional malicious content. Should you have any questions about this attack please do not hesitate to contact Zscaler Customer Support.