
Massive SQL attack compromises tens of thousands of websites
By Jerome Saiz, Thu, January 10th, 2008
A massive SQL injection attack targeted websites running Microsoft SQL Server over the last few weeks. It compromised thousands of high-profile websites, which in turn infected their visitors with classical malware.
A true textbook SQL injection attack took place on the web these past few weeks. It compromised between 70,000 and 100,000 high-profile websites, ranging from government agencies to IT security vendors, and probably thousands of individual visitors were infected through some older exploits.
It all started when a malicious script began crawling public websites looking for vulnerable web forms. If the form's backend database was Microsoft SQL Server, the attacking script would submit a booby-trapped set of form data containing malicious SQL statements that the database would be forced to run.
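The root cause described above is form input spliced into the text of a SQL statement. The following added example, which is not from the article, contrasts that construction with a parameterized query; it uses SQLite's in-memory database as a stand-in for SQL Server (the data-access pattern is the same), and the table, rows and test input are constructed for the demonstration.

```python
import sqlite3


def sample_db():
    """Constructed sample data: a product table with one non-public row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, public INTEGER)")
    conn.executemany(
        "INSERT INTO products (name, public) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("internal prototype", 0)],
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """Form value spliced into the statement text.

    A quote character in `term` closes the string literal, and everything after
    it is parsed as SQL, so the input can change what the statement does.
    """
    sql = f"SELECT name FROM products WHERE public = 1 AND name = '{term}'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """Statement text is fixed; the driver binds the value separately.

    Whatever `term` contains is compared as data against the name column and
    can never become part of the SQL grammar.
    """
    sql = "SELECT name FROM products WHERE public = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = sample_db()
    # Constructed test input containing a quote, as a form field might carry.
    probe = "x' OR 'a'='a"
    print("vulnerable:   ", search_vulnerable(db, probe))   # every row, public or not
    print("parameterized:", search_parameterized(db, probe))  # no row has that literal name
```

The parameterized version is the fix the article's case calls for: once the statement text no longer depends on the submitted data, a form cannot be used to make the database execute anything beyond the query the developer wrote.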
The specific malicious statement used in this attack forces the database to walk its sysobjects table, a critical part of SQL Server that exposes the database structure. It then automatically looks for text records and updates them. From this point on, whenever those records are served, the web page carries an extra HTML line calling a malicious JavaScript file hosted on a hub server owned by the attackers. A cookie is even set in the process to keep track of infections.
From then on, each compromised website serves that JavaScript to its legitimate visitors, and the script in turn contacts several China-based servers to pull a series of rather traditional browser exploits. If they succeed in compromising the visitor's PC, those exploits are then leveraged to install the classical mix of malware and adware.
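Because the payload lives in the database rather than in page templates, cleaning up a compromised site means doing what the attack did in reverse: enumerate every text column from the catalog and inspect its contents. The following added example, which is not from the article, does that against SQLite as a stand-in for SQL Server (sqlite_master and PRAGMA table_info play the role of sysobjects and syscolumns); the tables, rows and the hub hostname in the sample data are constructed placeholders, not values from the incident.

```python
import re
import sqlite3

# Shape of the injected line: an off-site <script src=...></script> tag.
INJECTED_SCRIPT = re.compile(
    r"<script\s+src\s*=\s*[\"']?https?://[^\"'>\s]+[\"']?\s*>\s*</script>",
    re.IGNORECASE,
)

TEXT_TYPES = {"TEXT", "NTEXT", "VARCHAR", "NVARCHAR", "CHAR", "NCHAR"}


def q(identifier):
    """Quote a table or column name taken from the catalog."""
    return '"' + identifier.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every text-typed column, read from the catalog."""
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'").fetchall()
    for (table,) in tables:
        if table.startswith("sqlite_"):
            continue
        for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({q(table)})"):
            if ctype.upper() in TEXT_TYPES:
                yield table, name


def find_injected(conn):
    """Return (table, column, rowid, tag) for each injected tag found in any text cell."""
    hits = []
    for table, column in text_columns(conn):
        sql = f"SELECT rowid, {q(column)} FROM {q(table)} WHERE {q(column)} LIKE ?"
        for rowid, value in conn.execute(sql, ("%<script%",)):
            for match in INJECTED_SCRIPT.finditer(value or ""):
                hits.append((table, column, rowid, match.group(0)))
    return hits


def clean_injected(conn):
    """Strip the injected tags from every affected cell; return the number of cells changed."""
    cells = {(t, c, r) for t, c, r, _ in find_injected(conn)}
    for table, column, rowid in cells:
        (value,) = conn.execute(
            f"SELECT {q(column)} FROM {q(table)} WHERE rowid = ?", (rowid,)
        ).fetchone()
        conn.execute(
            f"UPDATE {q(table)} SET {q(column)} = ? WHERE rowid = ?",
            (INJECTED_SCRIPT.sub("", value), rowid),
        )
    conn.commit()
    return len(cells)


def sample_db():
    """Constructed content database with the tag appended to a few cells."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);"
        "CREATE TABLE stats (id INTEGER PRIMARY KEY, hits INTEGER);"
    )
    tag = '<script src="http://hub.example.invalid/b.js"></script>'  # placeholder host
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello world" + tag), ("About", "Plain text, untouched"),
         ("Contact" + tag, "Mail us" + tag)],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = sample_db()
    for hit in find_injected(db):
        print("injected:", hit[:3])
    print("cells cleaned:", clean_injected(db))
```

Scanning the catalog rather than a hand-picked list of tables matters here: the attack did not know the schema in advance either, so any text column reachable through the application is a candidate, and a cleanup that only checks the obvious content tables will miss the rest.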
The attack, while very successful on the server side, strangely relied on older client-side exploits and thus might not have been equally successful in compromising visitors. Still, it is a massive blow against legitimate and often authoritative websites, and as such it should be taken very seriously. Future attacks of this kind might not be as lenient in their choice of client-side exploits.
At the time of writing, Google still shows over 150,000 pages carrying the call to the malicious JavaScript, and the attackers' hub domain is still live. Experts estimate that over 70,000 unique websites were compromised during the last few weeks.
According to Exploit Prevention Lab's Chief Research Officer Roger Thompson, however, Google's indication might be out of date and the websites are being cleaned up quite rapidly.
From a user's point of view, such an attack is quite unstoppable, since it takes place within the host server. Only its by-products, namely the browser-side exploits, can be detected. Up-to-date system patches and antivirus, and possibly some sort of generic anti-exploitation tool such as sandboxing or browser privilege control, are the only line of defense here.
