SQL attack continues to infect Web sites

A Web attack that compromises vulnerable Web pages and installs a snippet of code to redirect visitors to a malicious site in China continued to spread this week, according to security experts.

The attack, which started at the end of December and was first mentioned on Chinese sites, infects Web sites running Microsoft's Internet Information Server (IIS) Web software and MS SQL database software, according to the Internet Storm Center, a network-monitoring group run by the SANS Institute. Compromised sites are seeded with iframe code that redirects visitors to two sites in China, uc8010.com and ucmal.com, which attempt to execute a relatively old exploit for RealPlayer via JavaScript.
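Site owners who want to know whether they were hit can check their pages, or the text columns of the database that renders them, for iframes pointing at the two redirect domains named above. The following is an added example written for this article, not code from the Internet Storm Center or any vendor; it uses only the two domain names the article reports, and the sample HTML page and database rows it scans are constructed here for illustration, not captured from an infected site.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Redirect domains reported in the article.
REDIRECT_DOMAINS = {"uc8010.com", "ucmal.com"}


class IframeCollector(HTMLParser):
    """Collect the src of every <iframe> in a document. Using a real
    parser rather than a regex copes with odd quoting and upper-case
    tags, which are common in injected markup."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value.strip())


def redirect_host(src):
    """Return the host of an iframe src, lower-cased and without a
    leading 'www.', or '' if it cannot be parsed."""
    parsed = urlparse(src if "://" in src else "http://" + src)
    host = (parsed.hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def is_bad_host(host, bad_domains=REDIRECT_DOMAINS):
    """True for the listed domains and any subdomain of them."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def find_injected_iframes(html, bad_domains=REDIRECT_DOMAINS):
    """Return the src of each iframe that points at a bad domain."""
    collector = IframeCollector()
    collector.feed(html)
    return [s for s in collector.srcs if is_bad_host(redirect_host(s), bad_domains)]


def scan_text_rows(rows, bad_domains=REDIRECT_DOMAINS):
    """Scan (row_id, text) pairs, e.g. dumped from the text columns of
    the site's database, and return the ids whose text carries an
    injected iframe. Catches the case where the page looks clean in a
    cached copy but the database content still carries the injection."""
    return [row_id for row_id, text in rows if find_injected_iframes(text, bad_domains)]


# Constructed sample page (hypothetical, for illustration only).
SAMPLE_PAGE = """<html><body>
<h1>Product catalogue</h1>
<p>Welcome.</p>
<iframe src="http://www.uc8010.com/0.htm" width=0 height=0></iframe>
<IFRAME SRC='http://ucmal.com/0.htm' style="display:none"></IFRAME>
<iframe src="https://example.org/embed"></iframe>
</body></html>"""

# Constructed sample database rows (hypothetical).
SAMPLE_ROWS = [
    (1, "Red widget, 10 USD"),
    (2, 'Blue widget<iframe src="http://www.UC8010.com/0.htm"></iframe>'),
    (3, "Green widget <a href='http://example.org/uc8010.com'>link</a>"),
]

if __name__ == "__main__":
    print("page hits:", find_injected_iframes(SAMPLE_PAGE))
    print("infected rows:", scan_text_rows(SAMPLE_ROWS))
```

Row 3 in the sample is deliberately a near miss: the domain string appears in a path on another host, so a plain substring search would flag it while the host check does not. Matching on the parsed host, including subdomains, is what keeps the check useful if the attackers rotate to new hosts under the same domains.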

The attack is "massive and ugly," according to independent security researcher Dancho Danchev, and it has also been very successful. The number of Web pages apparently affected by the attack has continued to rise over the past week. A Google search for parts of the iframe code currently returns nearly 100,000 pages for each domain. While Google search results are not an accurate way to measure the spread of malicious software, they can be a good indicator of the trend of an attack.

Given the success in seeding the redirection code on legitimate Web servers, the use of an old RealPlayer exploit in the attack puzzled some security experts.

"It is weird," said Roger Thompson, chief research officer for antivirus maker AVG. "I think the simplest explanation is that they found a really good server side exploit, but didn't think the rest of the attack through."

The attack appears, in many ways, similar to last year's compromises that, among other victims, hit the Web site of Super Bowl venue Dolphin Stadium, adding an iframe redirect to sites hosting malicious code. This year, security firm Computer Associates was reportedly among the victims.

Both domains used in the attack are only a few weeks old. The uc8010.com domain was registered on December 28, and the ucmal.com domain was registered on December 21, according to the Whois database.
