On Wednesday, ShadowServer (a Zscaler partner), with cooperation from GoDaddy and Neustar, began to sinkhole the robint.us domain. This effectively ended the attack as the domain is no longer accessible. While the infected pages still contain links to the malicious code, the code will no longer be returned. Many of the impacted sites remain vulnerable to subsequent SQL injection attacks and ShadowServer is making every effort to inform them of the situation so that they can patch their vulnerable code. While all sites are running Microsoft IIS 6.0 or 7.0 web servers, the SQL injection attack vectors appear to stem from vulnerable code at the application level as opposed to a weakness in the web server itself.
To recap, Zscaler customers were protected from this attack shortly after it began thanks to quick action by the Zscaler Labs team and our ability to quickly push protection to all global Zscaler Enforcement Nodes. While the attack has been neutralized, Zscaler will continue to monitor the situation, should still vulnerable sites become re-infected with additional malicious content. Should you have any questions about this attack please do not hesitate to contact Zscaler Customer Support.