Thousands of websites have been hit by an SQL attack according to security experts. They added that although some sites had been cleaned, others continued to serve visitors a malicious script that tries to hijack their PCs using multiple exploits.
"This was a pretty good mass hack," said Thompson in his blog, Exploit Prevention. "It wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared."
Symantec cited reports by other researchers - including one identified only as "websmithrob" - that fingered a SQL vulnerability as the common thread.
"The sites [were] hacked by hacking robot by means of a SQL injection attack, which executes an iterative SQL loop [that] finds every normal table in the database by looking in the sysobjects table and then appends every text column with the harmful script," said websmithrob in a blog post.
"It's possible that only Microsoft SQL Server databases were hacked with this particular version of the robot since the script relies on the sysobjects table that this database contains."
Hacked sites included both .edu and .gov domains, the SANS Institute's Internet Storm Center (ISC) reported in a warning posted last Friday. The ISC also reported that several pages of security vendor CA's website had been infected.
Grisoft's Thompson said that his research had identified a 15-month-old vulnerability as one of those exploited by the attack code. The exploit, he said, targeted the MDAC (Microsoft Data Access Components) bug patched in April 2006 with the MS06-014 security update.
"They went to the trouble of preparing a good website exploit, and a good mass hack but then used a mouldy old client exploit. It's almost a dichotomy," said Thompson.
Another surprise, Thompson said, was the speed of the hack's cleanup. Although a Google search still showed thousands of sites infected with the script on Saturday, Thompson claimed that Grisoft's LinkScanner Pro tool indicated that nearly all had actually been scrubbed.
"I found that really surprising [that they were cleaned so quickly]," he said in an interview via instant messaging on Sunday. "They're all so disparate. If it was a big server farm, I could understand it being cleaned so quickly, but there doesn't seem to be anything common about them all."
However, many of those sites - which as of this morning numbered more than 93,000, according to a quick Google search - had not been cleaned.
"It looks like a bunch of these are still carrying the references to [the malicious domain] but not infectively," said Thompson. "In other words, they're still hacked, but the injection hasn't worked properly."
Microsoft was not immediately available for comment on the SQL Server vulnerability used by the mass hack.
Return to internet news headlines
View Internet News Archive