• We recently dealt with this exploit.

    One very useful tip that I did not find anywhere else: Revoke access to the meta-data tables this attack uses to find every character field in every table. If not for this obvious security risk, the attacker would need to _know_ the name of each field. As it is, this drive-by vandalism is pretty easy to do.

    I wrote about this in response to an auditing post: http://www.sqlservercentral.com/Forums/FindPost513739.aspx

    Part of the heuristics we examine before the SQL Command Text is sent to the server is to look for the "varbinary" keyword as well as the "cast(0x" because our normal webserver-generated transactions are never going to legitimately use those commands. If this exploit vector uses tokens that are never otherwise used in real transactions, it's easy to identify the entire family of attack by this signature (and prevent even passing the command to the database).
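The pre-dispatch signature check this comment describes, written out as an added example (not the commenter's own code or any product): a screen that runs on the application side before the command text reaches the database driver, flags the two tokens named in the comment, and decodes any `cast(0x... as [n]varchar)` literal it finds so the blocked statement can be logged in readable form. The comment-stripping, the whitespace tolerance, the hex decoding and every sample string below are my assumptions; the injected payload is constructed for the demonstration and only contains the catalog enumeration step the comment mentions, not the vandalism.

```python
"""Application-side screen for outbound SQL command text.

Added example, not the commenter's code. Assumptions: the application never
legitimately emits the tokens "varbinary" or "cast(0x" (as the comment states
for its site), and hex literals cast to nvarchar are UTF-16LE while those cast
to varchar are single-byte.
"""
import re
from typing import Optional

# The two tokens the comment names. Whitespace is tolerated between "cast",
# "(" and "0x" so that "CAST ( 0x..." is not missed.
SIGNATURES = [
    ("varbinary", re.compile(r"\bvarbinary\b", re.IGNORECASE)),
    ("cast(0x", re.compile(r"\bcast\s*\(\s*0x[0-9a-f]", re.IGNORECASE)),
]

# cast(0x<hex> as [n]varchar ...) -- used to recover the hidden statement.
_HEX_CAST = re.compile(
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+(n?varchar)", re.IGNORECASE)

# Block and line comments; replaced by a space so "cast/**/(0x" still matches.
_COMMENT = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)


def normalise(sql: str) -> str:
    """Remove SQL comments so they cannot be used to pad a token apart."""
    return _COMMENT.sub(" ", sql)


def screen_command(sql: str) -> Optional[str]:
    """Return the name of the first signature hit, or None if the text is clean."""
    text = normalise(sql)
    for name, pattern in SIGNATURES:
        if pattern.search(text):
            return name
    return None


def decode_hex_cast(sql: str) -> Optional[str]:
    """Decode the first cast(0x... as [n]varchar) literal to show what it hides.

    Returns None when the command contains no such literal.
    """
    m = _HEX_CAST.search(normalise(sql))
    if not m:
        return None
    hexdigits = m.group(1)
    if len(hexdigits) % 2:          # T-SQL allows odd-length hex literals
        hexdigits = "0" + hexdigits
    raw = bytes.fromhex(hexdigits)
    if m.group(2).lower() == "nvarchar":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


# Constructed samples (not captured traffic): a legitimate page query, and the
# same query with an appended statement that smuggles a catalog lookup as a
# hex literal. The lookup is the enumeration step the comment describes.
HIDDEN = ("SELECT TABLE_NAME, COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS "
          "WHERE DATA_TYPE IN ('varchar','nvarchar','text')")
LEGIT = "SELECT name, price FROM products WHERE id = @id"
INJECTED = ("SELECT name, price FROM products WHERE id = 1;"
            "DECLARE @s NVARCHAR(4000);"
            "SET @s = CAST(0x" + HIDDEN.encode("utf-16-le").hex()
            + " AS NVARCHAR(4000));EXEC(@s);--")


if __name__ == "__main__":
    for label, sql in (("legit", LEGIT), ("injected", INJECTED)):
        hit = screen_command(sql)
        print(f"{label}: {'blocked (' + hit + ')' if hit else 'passed'}")
        if hit:
            print("  hidden statement:", decode_hex_cast(sql))
```

The decode step is there for the incident log, not for the decision: a command is dropped as soon as either token appears, which is exactly the trade the comment makes (the `varbinary` token would also match an ordinary column declaration, so the screen is only safe where the application, as stated above, never emits these tokens itself). It is a signature for one attack family; parameterised queries, which stop the injected text being parsed as SQL at all, remain the fix that does not depend on the attacker's choice of encoding.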