Last Updated: 2008-03-17 14:59:16 UTC
by Kevin Liston (Version: 5)
Successful exploitation result in the installation of a password-stealing malicious program that attempts to steal the logon credentials from websites and online games.
Recommended immediate action:
Block 2117966.net at your web proxy.
Recommended follow-up action:
Inspect your web proxy logs for visitors to 2117966.net. This will indicate who is potentially exposed. Check these systems to verify that their patches are up-to-date. Systems that are successfully compromised will begin sending traffic to 220.127.116.11
(Source: http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080313). Search your proxy logs for systems generating those requests and reimage the infected machines.
The CSS Security Team as Microsoft has released details on how the code was injected into the servers. It's an automated script that exploits poor input-checking code in the ASP page.
A more rigorous description and how to protect your ASP from SQL injection is available here:
Update: Added additional exploit information
Update: Clarify that shadowserver is not the endpoint of the malicious traffic-- they provided that malware analysis (thanks guys)
Update: MS fills in the blanks on how the code was injected.