Zero Day

Ryan Naraine and Dancho Danchev

Over a million web sites affected in mass SQL injection attack

By Dancho Danchev | October 19, 2011, 4:10am PDT

Summary: Security researchers from Armorize have intercepted a mass SQL injection attack, targeting ASP ASP.NET websites.

Security researchers from Armorize have intercepted a mass SQL injection attack, targeting ASP ASP.NET websites.

The mass infection, redirects users to a web malware exploitation kit, attempting to exploit vulnerabilities in Adobe PDF or Adobe Flash or Java, with the dropped malware having a low detection rate.

Mass SQL injection attacks usually take place through active search engines reconnaissance (SQL Injection Through Search Engines Reconnaissance; Massive SQL Injections Through Search Engine’s Reconnaissance - Part Two; Massive SQL Injection Attacks - the Chinese Way) followed by automatic exploitation of the vulnerable sites.

Of the two SQL injected domains nbnjkl.com and jjghui.com, only nbnjkl.com is currently active and responding. The campaign is directly related to the Lizamoon mass SQL injection attacks, as the same email that’s been used to register Lizamoon domains is currently used to register nbnjkl.com and jjghui.com.

Users are advised to take advantage of NoScript in order to protect themselves from this, and many other Web based threats.

Kick off your day with ZDNet's daily e-mail newsletter. It's the freshest tech news and opinion, served hot. Get it.

More from “Zero Day”

Hacking group from Nepal posts 10,000 stolen Facebook accounts online

New Mac OS X malware disables Apple's malware protection

Topics

Web, Researcher, SQL, Web Site, SQL Injection, Microsoft SQL Server, Web Site Development, Programming Languages, Security, Internet, Software Development, Software/Web Development, Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Full Bio
Disclosure
Contact

Vendor HotSpot

Here to help you with your Document Management Needs

Read the DocuMentor blog now

Learn More »

Talkback Most Recent of 15 Talkback(s)

Follow via:: RSS; Email Alert

RE: Over a million web sites affected in mass SQL injection attack

You do realize the difference between "search hits" and "sites affected", right? As an extreme example, what if google returned 1M hits but they all happened to be on example.com? What conclusion can we draw?
forrestgump2000@...
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

@forrestgump2000@... We can likely draw the conclusion that Dancho was under the gun to post up an entry quick and made an honest mistake. It's more accurate to refer to it as "pages affected".
ejhonda
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

Does anyone still uses ASP ASP.NET?

Apparently so.

PS. Keep Windows and it's technologies off the edge.
Return_of_the_jedi
19th Oct
- Reply to
- Flag
Of course

@Return_of_the_jedi
Because SQL injection only happens with ASP and ASP.NET.

It's not like it could be done in any language on a poorly coded website, is it? So much for a jedi...
crazydanr@...
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

@Return_of_the_jedi

http://www.pcworld.com/businesscenter/article/223457/mysql_website_falls_victim_to_sql_injection_attack.html
davidp_1978
20th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

http://voguecatch.us
ksdghi`
19th Oct
- Reply to
- Flagged
Adobe strikes again

I've had two infections on my machine in the last 12 years. Both were Adobe related. After the first one I took Adobe off my systems. The state then required you to use genuine Adobe to fill in tax forms and I got bit again. Now we load Adobe, do the tax work and uninstall Adobe.
mswift@...
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

@mswift@... That's just a ham-fisted solution to the problem. You should just do all your tax forms in a virtual machine if you're going to be that way. :/
ZazieLavender
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

@ZazieLavender
How many updates would it take to get a year old version of Adobe up to current security spec???
mswift@...
19th Oct
- Flag
RE: Over a million web sites affected in mass SQL injection attack

@mswift@... Sounds like you're using outdated Adobe software , update to the current latest (10.1.X) and enable it's "Protected View" setting for files from suspecious locations.
MrElectrifyer
19th Oct
- Reply to
- Flag
just do it on a mac

@mswift@...
stay away from Windows & your problem will be solved
theo_durcan
1st Nov
- Reply to
- Flag
Let me see if I have this right:

For future reference, it's NotScripts, or some equivalent, on Chrome (and its variants). I stopped using Firefox a long time ago. I have been using a variant and most extensions hit a brick wall. Even if I did use a stock version, I wouldn't trust it. (Testing? WE don't need no stinking testing.)

Only presenting one of a (long) list of options rather than one that actually helps most people is throwing people under the bus. Heck, you should have most of this boiler-plated by now. When I was a SysOp on C$, and an SA/CIO (Acting) for the Navy, I had them all on tap. Guess the web makes people stupid these days.
Brian J. Bartlett
19th Oct
- Reply to
- Flag
RE: Over a million web sites affected in mass SQL injection attack

here is list of online SQLi Scanners: http://www.insecurestuff.in/2011/10/online-sqli-scanners.html
ankit319
21st Oct
- Reply to
- Flag
SQLi Scanners

Here is List of SQLi Scanners: http://www.insecurestuff.in/2011/10/online-sqli-scanners.html
ankit319
21st Oct
- Reply to
- Flag
Revealed: Use NoScript, and...

...plenty of sites don't work.
AsifHussain1
1st Nov
- Reply to
- Flag