Mass Infection of IIS/ASP Sites

Published: 2010-06-09
Last Updated: 2010-06-12 13:40:35 UTC
by Deborah Hale (Version: 1)
8 comment(s)

Sucuri.net has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.

For those who are hosting their websites on Windows IIS/ASP, you may find more information here.

http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html

http://nsmjunkie.blogspot.com/2010/06/anatomy-of-latest-mass-iisasp-infection.html - link removed...it triggers some Anti-virus.

Update: Paul at SophosLabs has released some additional information regarding this exploit and infection. Thanks Paul.

http://www.sophos.com/blogs/sophoslabs/?p=9941

Deb Hale Long Lines, LLC


Comments

This is the same malware as here http://www.sophos.com/blogs/sophoslabs/?p=9941

and yes I am the author :)

Paul Baccas SophosLabs
Would someone please clarify:

ww-dot-robint-dot-us -OR- www-dot-robint-dot-us

// BLOCK which? or both?
Never mind...
- http://www.theregister.co.uk/2010/06/09/mass_webpage_attack/
"... Robint.us has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out.."

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
- http://www.shadowserver.org/wiki/pmwiki.php/Calendar/20100609
9 June 2010
.
Please keep in mind that the IIS/ASP server is still vulnerable to the same type of attack. It's not a problem with IIS or ASP, but with the actual code "in" the ASP page.

In the below example from http://blog.sucuri.net/2010/06/mass-infection-of-iisasp-sites-robint-us.html, the field "utm_content" on the page "page.aspx" is the one that allowed the SQL injection to take place (output of IIS log truncated for readability):
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%
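As an added example (not from the diary or any commenter), the small Python scanner below reads IIS W3C extended log lines of the shape quoted above and flags query-string parameters whose decoded value carries T-SQL tokens or a quote-semicolon break, matching case-insensitively because the attack used mixed case like dEcLaRe. The log lines are constructed for the example; the real fix remains parameterized queries in the ASP code itself.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample in IIS W3C extended format (#Fields: date time s-sitename
# s-computername s-ip cs-method cs-uri-stem cs-uri-query). The second line mimics
# the injection shape quoted in the comment above; its payload body is truncated.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername s-ip cs-method cs-uri-stem cs-uri-query
2010-06-07 13:30:02 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_content=100x200
2010-06-07 13:31:15 W3SVC1 webserver 192.168.1.10 GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100x200';dEcLaRe%20@s%20vArChAr(4000)
2010-06-07 13:32:40 W3SVC1 webserver 192.168.1.10 GET /about.aspx -
"""

# T-SQL tokens that have no business inside a tracking parameter; re.I catches
# the mixed-case spelling (dEcLaRe) used to slip past naive case-sensitive filters.
SQL_TOKENS = re.compile(r"\b(declare|cast|exec|varchar|sysobjects|syscolumns)\b", re.I)
QUOTE_BREAK = re.compile(r"'\s*;")  # closing quote followed by a statement separator

def suspicious_params(query: str) -> dict:
    """Return {param: decoded_value} for parameters whose value looks like T-SQL."""
    if query in ("", "-"):          # IIS writes "-" when there is no query string
        return {}
    hits = {}
    for pair in query.split("&"):   # split on & only; ';' is part of the payload
        name, _, value = pair.partition("=")
        # Decode twice: double-encoded payloads survive a single-pass filter.
        decoded = unquote_plus(unquote_plus(value))
        if SQL_TOKENS.search(decoded) or QUOTE_BREAK.search(decoded):
            hits[name] = decoded
    return hits

def scan_iis_log(text: str) -> list:
    """Return (timestamp, uri-stem, {param: value}) for lines with SQLi-looking queries."""
    findings = []
    for line in text.splitlines():
        if not line or line.startswith("#"):   # skip directives and blank lines
            continue
        fields = line.split(" ")
        if len(fields) < 8:
            continue
        date, time, _, _, _, _, stem, query = fields[:8]
        hits = suspicious_params(query)
        if hits:
            findings.append((f"{date} {time}", stem, hits))
    return findings

if __name__ == "__main__":
    for ts, uri, hits in scan_iis_log(SAMPLE_LOG):
        print(ts, uri, hits)
```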
Block both; one redirects to the other.
Adobe 0-day used - mass injections
- http://community.websense.com/blogs/securitylabs/archive/2010/06/11/adobe-0-day-used-in-mass-injections.aspx
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the robint.us code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."
(Screenshots and video available at the Websense URL above.)

Flash v10.1.53.64 update
* Direct download current version - executable Flash Player installer...
For IE: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player_ax.exe
For Firefox, other browsers: http://fpdownload.adobe.com/get/flashplayer/current/install_flash_player.exe

.
I wrote a detailed analysis here, including tools used, attacker group, etc: http://blog.armorize.com/2010/06/recent-evolution-of-mass-sql-injection.html
