Must reads: If you do anything today…

Two recently published articles are definitely worth a read.

Microsoft SQL Injection advisory
In a previous post [1], I discussed the fact that the recent surge in SQL injection attacks warranted more attention, to alert administrators to the issue. Without some form of alert, the work required to assess pages and update to defend against the attacks simply would not be scheduled. This week I am pleased to see that Microsoft have released an advisory (954462) [2].

Where does all the bad stuff come from?
An interesting report from has been published [3] which highlights the network blocks responsible for hosting the bulk of the malicious sites. Perhaps unsurprisingly, China tops the list, hosting 52% of the malicious sites. The data they report reflects quite closely what we have been seeing, and reported in our 2008 threat report [4].

Out of curiosity, I took another look at the last 25 domains we have identified that are hosting the malware loaded by the script tags inserted into legitimate pages in the SQL injection attacks, and probed where they were hosted. Interestingly, China does not feature here – the USA tops the list, closely followed by Venezuela and Canada. Why is this? Most likely because these sites are being hosted on compromised machines – we have already reported that several of the domains have been identified as using fast-flux techniques [5].
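As an added illustration of the probing described above (example code, not from the original post): the DNS snapshots and the prefix-to-country table are constructed stand-ins for real lookups and a geolocation database, and the domain names and thresholds are assumptions. It tallies the hosting country of each domain's latest A records and flags domains whose low-TTL, fast-changing records are consistent with fast-flux hosting.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed prefix -> country table (documentation ranges, not real allocations).
PREFIX_COUNTRY = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "VE",
    "192.0.2.0/24": "CA",
    "100.64.0.0/10": "CN",
}

# Constructed DNS observations: domain -> list of (ttl, A records) over time.
SNAPSHOTS = {
    "mal-one.test": [(3600, ["198.51.100.7"]), (3600, ["198.51.100.7"])],
    "mal-two.test": [(120, ["203.0.113.5", "192.0.2.9"]),
                     (120, ["198.51.100.20", "203.0.113.44"]),
                     (120, ["192.0.2.31", "198.51.100.8"])],
    "mal-three.test": [(600, ["100.64.3.3"])],
}


def country_of(ip):
    """Map an address to a country via the (constructed) prefix table."""
    addr = ip_address(ip)
    for prefix, cc in PREFIX_COUNTRY.items():
        if addr in ip_network(prefix):
            return cc
    return "??"


def hosting_countries(snapshots):
    """Count hosting countries using each domain's most recent A records."""
    counts = Counter()
    for observations in snapshots.values():
        _, records = observations[-1]
        for ip in records:
            counts[country_of(ip)] += 1
    return counts


def looks_fast_flux(observations, max_ttl=300, min_distinct=5):
    """Heuristic: many distinct IPs over time, all served with a short TTL."""
    ips = set()
    for ttl, records in observations:
        if ttl > max_ttl:
            return False
        ips.update(records)
    return len(ips) >= min_distinct


def fast_flux_domains(snapshots):
    return sorted(d for d, obs in snapshots.items() if looks_fast_flux(obs))
```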


Note: this is the countries hosting the sites from where the malicious content is loaded. Previously [6], I looked at the countries hosting the sites that have been hit by the injection attacks.