So, the SQL injections of last month are still going and on the increase. At (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:
generic SQL injection -> Javascript -> infect visitors
Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:
- nihaorr1.com
- 2117966.net
- aspder.com
- haoliuliang.net
- nmidahena.com
- free.hostpinoy.info
- xprmn4u.info
- winzipices.cn
- wowgm1.cn
- killwow1.cn
- wowyeye.cn
Although, new ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seem to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways, for example, the following was found on one page (*'s added):
<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>
It bother's me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread pervasive attack. Shadowserver (one, two) seems to be the only ones getting close to the problem, but even SANS is treating these as seperate events. There is only basic protection at the moment, if you click through from some of these sites (10%?) in Google, you will get a Malware warning. Continuing to the site anyway prevents me due to Firefox's security setting (which shares the same list from Google, i.e. stopbadware.org).
Given how successfull the exploitation of such an 'old' vulnerability, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack, that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would seem more than a million more hit. It is interesting to note that it has taken this long from someone to try and 'monetise' SQL injections, as it has been around for a while (8 years?). My guess is that it will take less time for bad guys to do the same with XSS & CSRF, but that Microsoft's default request validation will save some of us, but not because dev's have cottoned on.