
Mystery Web Compromise Remains Unsolved

This SANS handler diary entry discusses one of the automation tools used in the SQL injection attacks we've seen so much of lately. These include the search cache poisonings that were so ubiquitous throughout March.

The entry led with a link to their post on the mystery host server compromises first reported by ScanSafe. The context for including that link (http://isc.sans.org/diary.html?storyid=3834) wasn't made clear, which led to the assumption that the SQL injection tool SANS was discussing was the tool used in the host server compromises, as seen in this article: "Security gumshoes locate source of mystery web compromise".

In fact, the two are unrelated. SANS was kind enough to post an update to clarify this. That update reads, in part:

"First, let me clarify that this attack is a pure SQL injection. There was another mass attack at the beginning of the year which was more sophisticated and involved complete compromise of the web servers (i.e. the bad guys had the root access to the servers).
The tool described in this diary was used in the attack described in Kevin's diary (http://isc.sans.org/diary.html?storyid=4139)."

In other words, not the attacks discussed in Mari's SANS diary entry @ http://isc.sans.org/diary.html?storyid=3834.

On April 3, Trend Micro had also reported on the use of automated tools in the ongoing SQL injection attacks. It's not clear whether SANS is reporting on the same tool or a different one. What's interesting is that the tool's (or tools') native language is Chinese, casting some doubt on claims that the recent round of SQL injection attacks is originating in Russia.

Now getting back to the still unsolved mystery web host compromise: we continue to block malware resulting from those host server attacks, and the investigation into the source of those attacks is still ongoing. The situation has improved dramatically, though. In March, the blocks from the host server attacks represented .3% (that's point three percent) of all malicious traffic, down from a high of 15% (fifteen percent) when the attacks were first reported in January.

Posted on Thursday, April 17, 2008 at 06:18AM by Mary Landesman
