SANS solves mystery of mass Web site infections

by Jeremy Kirk

April 17, 2008 —

The SANS Institute has uncovered
what they've termed a "rare gem" as far as computer security investigations
go that sheds new light on how up to 20,000 Web sites have been hacked since
January.

They found a sneaky software tool that uses Google's search engine to hunt
for Web sites running certain kinds of vulnerable applications, wrote
Bojan Zdrnja, on the institute's blog.

"While we had a general idea about what they do during these attacks,
and we knew that they were automated, we did not know exactly how the attacks
worked, or what tools the attackers used," Zdrnja wrote.

When the tool finds a site that is vulnerable, it kicks into action. "The
exploit just consisted of an SQL statement that tried to inject a script tag
into every HTML page on the web site," Zdrnja wrote.

That SQL statement was crafted to target Web sites running Microsoft's Internet
Information Server and SQL Server. Once compromised, the Web sites were then
rigged to serve malicious software to visitors using JavaScript, which tried
various exploits based on known software vulnerabilities.

Among the malicious programs served up was a password-stealing program for
the game "Lord of the Rings Online," security vendor McAfee said last
month.

SANS said the software tool also reports to a server based in China, a feature
that may be used to count the number of infections in order for the person using
the tool can get paid, Zdrnja wrote. The tool may have other functions, but
SANS is still analyzing it.

Among the victims from these attacks were the Web sites of security vendor
Trend Micro
as well as CA.

IDG News Service