By Scott M. Fulton, III, Betanews
One of the more bizarre architectural elements of HTML that may still be excused with the phrase, "This behavior is by design," is the ability for a floating text frame using the <IFRAME> element to be rendered effectively invisible (or so miniature as to not be seen), and then to run JavaScript code. It's a trigger for disaster, and pressing that trigger tens of thousands of times today is a particularly virulent SQL injection attack, the evidence of which can be detected through a simple Google search: Wednesday afternoon, Betanews discovered about 82,800 compromised pages appearing in Google's index just for one of the actual malicious triggers -- probably just a fraction of the actual number of cases. And there are multiple triggers.
The plague was first reported last Friday by security services provider ScanSafe. In an update filed today, its engineers report that as the number of infected sites grows, their geography becomes more pronounced instead of less. It's as if the source of the injection, whatever it is, is targeting Chinese sites.
A similar attack occurred in the spring of last year, once again appearing to target Chinese sites. Once infected, the sites deliver <IFRAME> code to their users that starts the download of executable binary code, and apparently even launches that code. Last May, security researchers discovered a new round of SQL injection attacks, also appearing to target China.
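The invisible-frame pattern described above is something a site owner can look for in their own stored content or rendered pages. The following is an added example, not code from Betanews, ScanSafe or any vendor named here: a small scanner that flags <IFRAME> elements with zero-size dimensions or a hiding style, run over a constructed sample page (the placeholder.invalid URLs are made up for the test).

```python
# Added example: flag <IFRAME> elements a visitor would not see, the pattern
# injected pages in this attack carry. Sample HTML below is constructed.
from html.parser import HTMLParser
import re

TINY = 2  # width/height at or below this many pixels counts as "miniature"

class HiddenIframeFinder(HTMLParser):
    """Collect iframes whose attributes make them invisible to a viewer."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []
        for dim in ("width", "height"):
            digits = re.match(r"\s*(\d+)", a.get(dim, ""))
            if digits and int(digits.group(1)) <= TINY:
                reasons.append(f"{dim}={digits.group(1)}")
        style = re.sub(r"\s+", "", a.get("style", "").lower())
        for marker in ("display:none", "visibility:hidden"):
            if marker in style:
                reasons.append(marker)
        if reasons:
            self.findings.append({"src": a.get("src", ""), "reasons": reasons})

def find_hidden_iframes(html: str) -> list:
    """Return one record per iframe that a user would not see."""
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings

# Constructed sample: one legitimate embed, two injected-looking frames.
SAMPLE_PAGE = """
<html><body>
<iframe src="https://maps.example.com/embed" width="600" height="400"></iframe>
<iframe src="http://placeholder.invalid/x.js" width=0 height=0></iframe>
<iframe src="http://placeholder.invalid/y.htm" style="display: none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for hit in find_hidden_iframes(SAMPLE_PAGE):
        print(hit)
```

Pointing this at database-stored page fragments rather than served HTML catches the injected rows before they are rendered.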
While some security software firms have posited the theory that malicious sources outside China are targeting that country in response to reports that it is supporting suppressions of ethnic-related uprisings, a more viable theory is that the latest wave -- like the May 2008 wave discovered by Armorize Technologies, a security firm with assets in China -- is itself based in China.
Though the motivation behind this latest attack is not known, the most plausible theory presented for the motive in the May 2008 attack came from Trend Micro: Information that the malicious payload sent back to its host indicated that the host was hunting for data related to gaming, perhaps finding statistics about players' asset holdings in virtual worlds. Armed with that information, a malicious gamer could conceivably manipulate entire virtual economies.
BETACHECK
For more:
"SQL Injection Attacks by Example" by Steve Friedl, a brilliant but straightforward essay demonstrating exactly how a typical SQL injection attack is carried out.
"Using UrlScan" -- Documentation from Microsoft on setting up and running the UrlScan 3.0 utility with IIS 7.0.