Tuesday, May 20, 2008

Were the China Attacks an Act of Deflection?

In the ongoing onslaught of SQL injection attacks, roughly 70 attack domains have been identified since tracking began last October. Currently, ScanSafe is detecting about 3 new attack domains on a near daily basis. Most of these SQL injection attacks have defining characteristics that point to their being related to one another. One of the key behaviors in these attacks has been the avoidance of Chinese web sites in general, and Chinese government web sites in particular. One notable exception was the extremely short-lived nmidahena.com in April 2007, a domain quickly replaced by nihaorr1.com which targeted English-only pages. In addition to commonly avoiding Chinese sites, other similarities in the attacks include the tool used to render the compromise, domain registration similarities, references found on the malware hosts, correlating crossposting in various World of Warcraft forums, and other incestuous behaviors.

In a nutshell, the connections have led to much outward speculation that the attacks are coming from China and deliberately targeting English language web sites primarily in the U.S. and UK.

Given that, it was obviously interesting to read a report that 327,000 Chinese sites had been victimized by an alleged SQL injection attack. Now, there's no question that something occurred to a vast number of Chinese sites. The question is - was there ever real malware invoked by the compromise or was the attack itself designed to deflect attention away from the Chinese? After all, it's one thing to run a query in a search engine, see that 327,000 results are returned, manually follow the trail of the script, assume it's all real and publish details. But just viewing the source code on the compromised sites tells a different story - none of those examined were functionally able to render the script. And it appeared to have been deliberately malformed.

In many cases, an open comment tag preceded the script. In other cases, an extra end tag had been inserted, causing the lines containing the script to be ignored. The end result: the alleged malicious script was nothing more than text on a page. It's as if the attackers wanted to show the world that China too was a victim, yet at the same time ensure that no Chinese users were actually victimized. Since none of the sites examined had a working compromise, the next step was to visit some of the sites to see if any attempt was made to contact the malware host. There was none. Here's a screenshot of one of the compromised sites as an example. Note that while there are dozens of script tags dumped in the body, none are in executable form:

[Screenshot: malformed.jpg]

Most of the pages impacted were those that accepted user generated content. The script immediately follows a TD title attribute, which is not something commonly used. The TD title attribute appears to have been added by the same tool responsible for the compromise - a technique that differs considerably from those involved in the other attacks.
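The check described above (view the source, decide whether the injected tag can actually run) can be automated. The following Python script is an added example, not code from this post or from ScanSafe: it separates `<script>` tags that the HTML parser really emits as elements from ones that are only text because they sit inside a comment, inside an attribute value such as the TD title attribute, or inside the raw body of another element, and it reports the naive string-match count beside the live count. The sample pages and the `attack-host.example.us` host are constructed placeholders; the dangling-comment handling mirrors browser behaviour, where a `<!--` with no terminator runs to the end of the document.

```python
"""Added example (not from the original post): classify the <script> tags
found in a page's source as live or inert. A search-engine string match counts
every occurrence; only tags the HTML parser actually emits as elements would
load the remote file. Sample pages and host names below are constructed."""
import re
from html.parser import HTMLParser

SCRIPT_RE = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def close_dangling_comment(html):
    """Browsers treat a '<!--' with no matching '-->' as a comment that runs to
    the end of the document. Append the terminator so html.parser sees the same
    thing instead of guessing where the comment stops."""
    pos = 0
    while True:
        start = html.find("<!--", pos)
        if start < 0:
            return html
        end = html.find("-->", start + 4)
        if end < 0:
            return html + "-->"
        pos = end + 3


class ScriptTriage(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.live = []    # src values of <script> elements the parser emitted
        self.inert = []   # (why it cannot run, the text it was found in)

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.live.append(dict(attrs).get("src"))
            return
        # "<script ...>" inside an attribute value (e.g. a td title="...") is
        # just characters of that value, never markup.
        for name, value in attrs:
            if value and SCRIPT_RE.search(value):
                self.inert.append((f"inside <{tag}> {name} attribute", value))

    def handle_comment(self, data):
        if SCRIPT_RE.search(data):
            self.inert.append(("inside HTML comment", data.strip()))

    def handle_data(self, data):
        # The body of an existing <script>/<style> element arrives here as raw
        # text; a "<script ...>" string in it does not create a new element.
        if SCRIPT_RE.search(data):
            self.inert.append(("raw text inside another element", data.strip()))


def triage(html):
    """Return the naive string-match count alongside what would really execute."""
    parser = ScriptTriage()
    parser.feed(close_dangling_comment(html))
    parser.close()
    return {"string_matches": len(SCRIPT_RE.findall(html)),
            "live": parser.live,
            "inert": parser.inert}


def is_functional_compromise(html):
    """True only if at least one injected <script> would actually be loaded."""
    return bool(triage(html)["live"])


# Constructed samples; the .us host is a placeholder, not a real attack domain.
HOST = "http://attack-host.example.us"
LIVE_PAGE = f'<td title="news">item</td><script src="{HOST}/1.js"></script>'
ATTR_PAGE = f'<td title=\'<script src="{HOST}/1.js"></script>\'>item</td>'
COMMENT_PAGE = f'<td title="news"><!--\n<script src="{HOST}/1.js"></script>\n</td>'
DUMPED_PAGE = ATTR_PAGE * 12 + COMMENT_PAGE   # dozens of tags, none executable

if __name__ == "__main__":
    for name, page in [("live", LIVE_PAGE), ("attribute", ATTR_PAGE),
                       ("comment", COMMENT_PAGE), ("dumped", DUMPED_PAGE)]:
        r = triage(page)
        print(f"{name:9s} string matches={r['string_matches']:2d} "
              f"live={len(r['live'])} inert={len(r['inert'])}")
```

Run as-is, the "dumped" sample reproduces the situation in the screenshot: thirteen string matches a search engine would count, zero script elements a browser would load. Pairing this with a fetch-time check (does the page ever request the remote host?) gives the same two-step answer the post arrives at by hand.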

The site used an anonymous proxy redirect service, so the host location isn't discoverable, but the use of the .us suffix is certainly suspicious. Would most people in the U.S. even consider a .us suffix when registering a domain? Country-specific suffixes may be standard in other parts of the world, but in the U.S., we steer towards .com.
