Mass Infection of IIS/ASP Sites

Published: 2010-06-09
Last Updated: 2010-06-12 13:40:35 UTC
by Deborah Hale (Version: 1)
has released a report about a large number of sites that have been hacked and contain a malware script. A quick Google search today indicates that there are currently 111,000 sites still infected. It appears that this is only impacting websites hosted on Windows servers. The situation is being investigated.

For those who are hosting their websites on Windows IIS/ASP, you may find more information here. - link triggers some anti-virus.

Update: Paul at SophosLabs has released some additional information regarding this exploit and infection. Thanks, Paul.

Deb Hale Long Lines, LLC

8 comment(s)


This is the same malware as here

and yes I am the author :)

Paul Baccas SophosLabs
Would someone pls clarify:

ww-dot-robint-dot-us -OR- www-dot-robint-dot-us

// BLOCK which? or both?
Never mind...
"... has been disabled, thanks to a sinkholing effort carried out by volunteer security outfit Shadowserver Foundation. The action will allow Shadowserver researchers to get a complete list of compromised sites and to gather additional information about how the attack was carried out.."

Shadowserver Sinkholing domain associated with SQLi attacks on IIS/ASP web servers
9 June 2010
Please keep in mind that the IIS/ASP server is still vulnerable to the same type of attack. It's not a problem with IIS or ASP, but with the actual code "in" the ASP page.

In the below example from, the field "utm_content" on the page "page.aspx" is the one that allowed the SQL injection to take place (output of IIS log truncated for readability):
2010-06-07 13:31:15 W3SVC1 webserver GET /page.aspx utm_source=campaign&utm_medium=banner&utm_campaign=campaignid&utm_content=100×200′;dEcLaRe%
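As an added example (not part of the diary or of the comment above), a small Python checker that walks IIS W3C log lines, URL-decodes each query parameter (repeatedly, so double-encoded requests are normalised too), lower-cases it to defeat the mixed-case keyword trick seen in "dEcLaRe", and reports which parameter carried the DECLARE / CAST(0x...) / EXEC pattern. The log lines, field list and regex are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote_plus

# Constructed IIS W3C log excerpt (hypothetical); the utm_content value mirrors
# the shape of the injected request quoted in the comment above.
SAMPLE_LOG = """\
#Fields: date time s-sitename s-computername cs-method cs-uri-stem cs-uri-query
2010-06-07 13:31:15 W3SVC1 webserver GET /page.aspx utm_source=campaign&utm_medium=banner&utm_content=100x200';dEcLaRe%20@s%20vArChAr(4000)%20sEt%20@s=cAsT(0x4445434C415245%20aS%20vArChAr(4000))%20eXeC(@s)--
2010-06-07 13:31:16 W3SVC1 webserver GET /page.aspx utm_source=campaign&utm_content=100x200
2010-06-07 13:31:17 W3SVC1 webserver GET /search.aspx q=declare%20of%20independence
"""

# The injected T-SQL declares a variable, fills it via CAST(0x... AS VARCHAR)
# and EXECs it; keyword case is randomised, so match on the lower-cased text.
SQLI_RE = re.compile(
    r"declare\s+@\w+.*?cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?varchar.*?exec\s*\(", re.S)

def fully_decode(s, rounds=3):
    """URL-decode until stable so %2527-style double encoding is undone."""
    for _ in range(rounds):
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    return s

def parse_w3c(text):
    """Yield one dict per request, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            values = line.split()          # IIS encodes spaces, so whitespace split is safe
            if len(values) == len(fields):
                yield dict(zip(fields, values))

def find_injections(text):
    """Return (time, uri-stem, parameter) for each request carrying the pattern."""
    hits = []
    for rec in parse_w3c(text):
        query = rec.get("cs-uri-query", "-")
        if query == "-":
            continue
        for name, value in parse_qsl(query, keep_blank_values=True):
            if SQLI_RE.search(fully_decode(value).lower()):
                hits.append((rec["time"], rec["cs-uri-stem"], name))
    return hits

if __name__ == "__main__":
    for hit in find_injections(SAMPLE_LOG):
        print("injection attempt at %s against %s via parameter %s" % hit)
```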
Block both; one redirects to the other.
Adobe 0-day used - mass injections
11 Jun 2010 05:38 PM - "... we started seeing mass injections... The attack is closely related to the hxxp ://ww.robint .us/[REMOVED].js attack earlier this week... common theme was that all Web sites were running on Microsoft IIS and used ASP.NET. In fact, the majority of sites compromised by the -new- mass injection attack still have the code present... Adobe released a patch* for this vulnerability yesterday and we advise all users to download it immediately... Once for IE and a second time for all other browsers."
(Screenshots and video available at the Websense URL above.)

Flash v10.1.53.64 update
* Direct download current version - executable Flash Player installer...
For IE:
For Firefox, other browsers:

I wrote a detailed analysis here, including tools used, attacker group, etc:
