Blast from the (recent) Past
Starting from the beginning of this week, we have been getting several reports about sites being injected by a malicious script... Seems a new mass SQL injection campaign started, targeting web applications running over Microsoft IIS and ASP.Net, for a change (<- sarcasm).
As of this writing, over 100,000 sites__ have already been tampered with to include some links to a malicious server (eg. hxxp://ww.xxxxx.us/u.js), which hosts a web exploit toolkit; the toolkit is of course aiming at compromising all visitors' systems via browsers flaws.
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%20@s%20vArChAr(8000)%20sEt%20@s=0x6445634C6152652040742076…….. 6F523B2D2D%20eXEc(@s)– 80 – 121.xx.xxx.xx HTTP/1.1 Mozilla/4.0+(compatible;+MSIE+7.0;+Windows+NT+5.1;+.NET+CLR+1.1.4322) – - www.website.com 200 0 0 32068 1685 0
This is an HTTP GET request issued by the attacker (probably a bot) to pass some Transact-SQL statement through a non-properly sanitized (thus vulnerable) variable in the web application. The SQL code is:
dEcLaRe @s vArChAr(8000) set @s=0x6445634C6152652040742076……..6F523B2D2D eXEc(@s)–
Does this remind you of something ? Back in 2009, Guillaume Lovet and I talked about SQL injection at the VirusBulletin conference and posted some entries on our blog. Well, this new campaign is using exactly the same scheme.
We don´t think this kind of attacks are targeted, but rather rely on the "scale effect". They are likely automated, bot-powered and template based; a search engine like Google is used to find victims and then crawlers are used to brute-force ASPX pages.
Now, the question is, is it the same gang who's behind both campaigns? Or are we dealing with a copy-cat culprit, who decided to leverage a well-known but efficient attack template?
Fortinet customers are protected using Fortiguard IPS that detects malicious SQL queries in HTTP requests.