Researchers at SANS have discovered how thousands of Web sites were compromised earlier this year. As a result of the break-ins countless users' computers were infected with malware.
Back in January, thousands of sites running Internet Information Server (IIS) and SQL Server were cracked by what at the time was thought to be some sort of SQL injection attack. As it turns out that is exactly what happened.
While reviewing malicious files served up by a particular server, researchers at SANS stumbled upon an attack tool that revealed exactly what was being done to crack the affected sites. According to the analysis provided by researcher Bojan Zdrnja, the tool queries Google to discover sites that are potentially vulnerable. The tool then tries to launch SQL injection attacks against each identified site. The tool's interface is written in Chinese and also had logic that attempted to contact a site in China to record transaction data.
A SANS blog reader, Nathan, wrote to elaborate on the nature of the SQL query itself. According to Nathan, the query used by the tool iterates through all tables to find specific types of columns and then appends data to existing column field data. The data then appears as part of Web pages at affected sites.
The SANS blog entry has links to a number of Web pages that can help administrators secure their sites against SQL injection attacks.