Security Warning: Mass SQL Injection Attack Targets ASP.NET Sites
Hackers have successfully planted malicious script on about 180,000 web pages built on the Microsoft ASP.NET platform. The malicious script uses a "drive-by download" that does not require any user action (no need to open a file or click on a link) other than visiting a web page into which the script has been injected. Web sites that you know and trust might have been affected. The attacks take advantage of poorly configured or poorly secured web servers and use the compromised pages as jumping-off points for second-phase attacks on visitors to those sites.
As of this writing, only a few of the most popular antivirus vendors can detect the dropped malware.
Warning: Websites compromised. (A "warning" alert is for a situation that is currently occurring, or for which conditions are right for it to occur soon.)
Severity: High. Drive-by download with no user action required.
How Are Systems Compromised?
The injected script causes the browser to load an iframe from the phase-two web site, www3.strongdefenseiz.in (126.96.36.199) or www2.safetosecurity.rr.nu (188.8.131.52). The iframe then attempts to plant malicious software on the visitor's PC via various drive-by exploits that require no user interaction and run without the user's knowledge. The drive-by exploits target vulnerabilities for which patches are already available.
The malicious script is programmed to update its list of sites hosting the phase-two web site, so we suspect that there are other malicious web sites. The account used to host that update list has been blocked, so the authors can no longer update the list of hosts for the second phase of the attack.
Managed Care Customers
IT Professional Services has blocked access to the second-phase web sites in the web content filters for all systems under Managed Care.
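The two checks a defender wants out of the description above are (1) whether a page, or the database content that will be rendered into it, carries an injected script or iframe pointing at the phase-two hosts, and (2) whether any workstation behind the web content filter has already requested one of those hosts. The following is an added example written for this bulletin, not code from the bulletin's author or from any vendor. It uses the two hosts the bulletin names; the HTML page and the proxy-log lines are constructed sample data, and the three-field log format (timestamp, client IP, URL) is an assumption to adjust to the real gateway's format.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# The two phase-two hosts named in the bulletin. Extend this set with
# whatever the current advisory lists; matching below also catches
# subdomains of each entry.
PHASE_TWO_HOSTS = {
    "www3.strongdefenseiz.in",
    "www2.safetosecurity.rr.nu",
}


def host_of(url):
    """Lower-case hostname of a URL. Scheme-relative sources ("//host/x")
    are common in injected tags, so give them a scheme before parsing."""
    url = url.strip()
    if url.startswith("//"):
        url = "http:" + url
    return (urlparse(url).hostname or "").lower()


def is_blocked(host, blocked_hosts=PHASE_TWO_HOSTS):
    """True if host is a blocked host or a subdomain of one."""
    return any(host == b or host.endswith("." + b) for b in blocked_hosts)


class _ExternalSourceCollector(HTMLParser):
    """Collects the src attribute of every <script> and <iframe> tag,
    which is where the injected content in this campaign shows up.
    HTMLParser lower-cases tag names, so <IFRAME> is matched too."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def find_injected_references(html, blocked_hosts=PHASE_TWO_HOSTS):
    """Return (tag, src) pairs in a page (or in a database text column
    about to be rendered) that point at a blocked phase-two host."""
    collector = _ExternalSourceCollector()
    collector.feed(html)
    collector.close()
    return [(tag, src) for tag, src in collector.sources
            if is_blocked(host_of(src), blocked_hosts)]


# Assumed proxy-log format: "<timestamp> <client-ip> <requested-url>".
_LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<url>\S+)")


def flag_proxy_log(lines, blocked_hosts=PHASE_TWO_HOSTS):
    """Return (client, url) for every request to a blocked host; a hit
    means that client visited an injected page and needs inspection."""
    hits = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if m and is_blocked(host_of(m.group("url")), blocked_hosts):
            hits.append((m.group("client"), m.group("url")))
    return hits


# Constructed sample data, not captured from a real site or gateway.
SAMPLE_PAGE = """<html><body><h1>Product catalog</h1>
<p>Widget A - $10</p>
<script src="https://cdn.example.com/site.js"></script>
<p>Widget B - $12</p><IFRAME src="http://www3.strongdefenseiz.in/ad.php" width=1 height=1></IFRAME>
</body></html>"""

SAMPLE_PROXY_LOG = [
    "2011-10-19T10:01:02 10.0.0.12 http://www.example.com/catalog.aspx",
    "2011-10-19T10:01:03 10.0.0.12 http://www2.safetosecurity.rr.nu/x.php",
    "2011-10-19T10:01:09 10.0.0.33 https://cdn.example.com/site.js",
]

if __name__ == "__main__":
    for tag, src in find_injected_references(SAMPLE_PAGE):
        print(f"injected <{tag}> pointing at {src}")
    for client, url in flag_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} contacted phase-two host: {url}")
```

Run against the constructed data, the page check reports the one-pixel iframe pointing at www3.strongdefenseiz.in and the log check reports client 10.0.0.12, which fetched the second host. Because the injected tags were stored in database columns on the affected sites, running `find_injected_references` over those columns directly, rather than over crawled pages, finds every copy including those on pages that are rarely served.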
How Do I Protect My Computer?
Since the malicious web sites are attempting to exploit vulnerabilities for which patches are available, make sure that your computers have up-to-date patches installed, especially for Java and Adobe Reader. Note that those patches are not installed by Microsoft Update and require some other method to install.
Note also that if you are following the best practice of not running as a local administrator, automatic updating of Java and Adobe Reader might not happen until you log on to your PC as an administrator. So, log on as an administrator and make sure that all patches are installed. You can verify that your computer has no known vulnerabilities by running a free scan using the Secunia Online Software Inspector (OSI).
If you need assistance installing protection from this vulnerability or a security assessment, IT Professional Services can help. Call our
If you do not have network edge protection that can do web content filtering, ITPS has a Unified Threat Management (UTM) service that can provide that protection. To schedule a free 30-day trial of the UTM gateway, contact us.
out more about our Managed
To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.