UPDATED: A massive cyberattack is targeting vulnerable Internet Information Server-based Web pages by redirecting visitors to the site toward one hosting malicious code, and it’s growing rapidly.
When Panda Security first noted the infestation, it put the number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry, putting the infestation at over 500,000.
Worse, these infestations don’t come through seamy Web sites — they are taking place in legitimate Web pages. A secretly embedded IFRAME
“In the old days, you used to think if you went to the dark side of the Internet, you had a chance of being infected,” said Ryan Sherstobitoff, chief corporate evangelist at Panda Security. “Now, you don’t need to go to the bad neighborhoods to get attacked. You can be walking down the good side of the Internet and be infected.”
The vulnerability is due to poorly written SQL code that does not properly examine user input from a Web page form, experts said.*
When data is entered into a form, it’s up to the programmer to add “code scrubbing,” making sure that malicious code like this does not get added to the SQL database. In this case, however, the hackers are preying on Web pages that don’t do code scrubbing.
Their malicious code adds an IFRAME to redirect the user to a malicious Web site, with JavaScript that scans their computer for a number of known vulnerabilities that Microsoft (NASDAQ: MSFT) has already patched. If the user’s computer is unpatched, the malicious site downloads and installs malware on their computer.
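The two defects the experts describe, form input pasted straight into a SQL statement and database content written back into the page unencoded, are easier to see side by side in code. The following is an added example and not code from the article, from Panda, or from any affected site; it stands in an in-memory SQLite database for the SQL Server backend and assumes a simple comments form, both of which are this example's own assumptions.

```python
import html
import sqlite3

# Constructed in-memory database standing in for the site's SQL Server backend
# (assumption: a single "comments" table written from a Web page form).
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")

# Constructed form input: a value containing a quote character and the kind of
# tag the article says was being injected into page content.
SAMPLE_INPUT = "Nice site! ' <script src=http://www.nihaorr1.com/1.js></script>"


def store_comment_concatenated(body: str) -> None:
    """The pattern the experts blame: form input concatenated into the SQL text.

    The quote inside SAMPLE_INPUT is read as SQL syntax rather than as data, so
    the database rejects the statement; with input shaped differently, the same
    construction runs statements the developer never wrote.
    """
    conn.execute("INSERT INTO comments (body) VALUES ('" + body + "')")


def store_comment_parameterized(body: str) -> int:
    """Hardened form: the value travels as a bound parameter, so whatever
    characters it contains, it can only ever be stored as text."""
    cur = conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    conn.commit()
    return cur.lastrowid


def render_comment(comment_id: int) -> str:
    """Output encoding: even if a script tag reaches the database by some other
    route, escaping it on the way out keeps the visitor's browser from running it."""
    row = conn.execute("SELECT body FROM comments WHERE id = ?", (comment_id,)).fetchone()
    return "<p>" + html.escape(row[0]) + "</p>"


def concatenation_is_unsafe(body: str) -> bool:
    """True when the concatenated statement fails to treat the input as plain data."""
    try:
        store_comment_concatenated(body)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    print("concatenated query broken by form input:", concatenation_is_unsafe(SAMPLE_INPUT))
    cid = store_comment_parameterized(SAMPLE_INPUT)
    print(render_comment(cid))
```

Both measures matter independently: parameterization stops the form input from changing the query, and escaping on output means a tag that already sits in a table row is shown to visitors as text instead of being executed.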
The problem has centered around IIS Web servers in particular because the hackers are targeting Microsoft’s ASP pages, which have a strong connection to SQL Server, Microsoft’s database.
Sherstobitoff said the U.S. is being hardest hit, with government and public utility sites proving particularly popular targets.
“They love anything that brings in victims,” he said.
Panda and F-Secure both identified the malicious piece of code being hidden in Web pages that does the redirect. As a result, security experts are warning site admins to look for this hidden in their Web pages:
<script src=http://www.nihaorr1.com/1.js>
If that appears anywhere in your page, then you have a problem, as some people have noticed.
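A site admin acting on that warning wants more than a one-off text search. The scanner below is an added example, not a tool from Panda, F-Secure, or the article: it checks HTML documents for the quoted indicator (tolerating quotes around the `src` value and any letter case), for scripts loaded from hosts outside an allow-list, and for IFRAMEs sized or styled to be invisible. The allow-list of trusted script hosts, the hidden-IFRAME heuristic and the sample pages are this example's own constructions.

```python
import re

# The indicator quoted in the article, matched with or without quotes around
# the src value and regardless of case.
KNOWN_MARKER_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?https?://(?:www\.)?nihaorr1\.com/1\.js",
    re.IGNORECASE,
)

# A zero-sized or invisible IFRAME is how a redirect is usually kept out of the
# visitor's sight. These size/display checks are this example's heuristic.
IFRAME_RE = re.compile(r"<iframe\b[^>]*>", re.IGNORECASE)
HIDDEN_ATTR_RE = re.compile(
    r"(?:\b(?:width|height)\s*=\s*['\"]?0\b)|display\s*:\s*none|visibility\s*:\s*hidden",
    re.IGNORECASE,
)

# Assumed allow-list of hosts this site legitimately loads scripts from.
TRUSTED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}
EXTERNAL_SCRIPT_RE = re.compile(
    r"<script[^>]*\bsrc\s*=\s*['\"]?https?://([^/'\"\s>]+)", re.IGNORECASE
)


def find_indicators(page_html: str) -> list[str]:
    """Return the findings for one HTML document (an empty list when clean)."""
    findings = []
    if KNOWN_MARKER_RE.search(page_html):
        findings.append("known marker: script src pointing at nihaorr1.com/1.js")
    for m in EXTERNAL_SCRIPT_RE.finditer(page_html):
        host = m.group(1).lower()
        if host not in TRUSTED_SCRIPT_HOSTS:
            findings.append(f"external script from untrusted host: {host}")
    for m in IFRAME_RE.finditer(page_html):
        if HIDDEN_ATTR_RE.search(m.group(0)):
            findings.append(f"hidden iframe: {m.group(0)}")
    return findings


def scan_pages(pages: dict[str, str]) -> dict[str, list[str]]:
    """Scan a mapping of page name -> HTML and report only pages with findings."""
    return {name: f for name, text in pages.items() if (f := find_indicators(text))}


# Constructed sample pages; none of this is real site content.
SAMPLE_PAGES = {
    "index.asp": "<html><body><h1>Welcome</h1>"
                 "<script src='http://cdn.example-site.test/app.js'></script></body></html>",
    "news.asp": "<html><body><p>Latest news</p>"
                "<script src=http://www.nihaorr1.com/1.js></script></body></html>",
    "about.asp": "<html><body><p>About us</p>"
                 '<iframe src="http://malicious.invalid/x.htm" width=0 height=0></iframe>'
                 "</body></html>",
}

if __name__ == "__main__":
    for name, findings in scan_pages(SAMPLE_PAGES).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

Because the tag is injected into database content rather than into the page files themselves, the same `find_indicators` check is worth running over the text columns the pages are rendered from, not only over the HTML the server serves.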
Securing the server with the latest patches and proper configuration should help protect it until Microsoft comes out with a fix of its own, Sherstobitoff said.
Also, experts recommended that users get their computers fully up to date using all available patches from Microsoft — so that even if they are redirected to the malicious site, the attacker won’t find any security holes to exploit.
*Corrects and updates prior version with information on how sites are infected.