Brief: New SQLi attack making the rounds online
by Steve Ragan - Aug 13 2008, 14:59
New variant of SQLi attack starting to move online. (Image: J. Anderson)
Secure Computing is reporting that a new variant of the SQLi (SQL Injection) attack is making its rounds on the Web. According to a post on the TrustedSource blog, the attack is still centering on MSSQL driven Web sites, but Sybase driven Web servers could be at risk as well.
The SQLi attacks were first noticed in April of this year. At that time, the number of legitimate Web sites compromised numbered in the hundreds of thousands. Various strings of malicious code were propagated across the Web, and there was a pattern to most of the attacks: the attackers continue to use SQL injection against ASP and ASP.NET Web sites that have insufficient verification of user input. This prompted Microsoft to issue an alert and publish links to guidance on coding practices that avoid exploitation.
"Microsoft is aware of a recent escalation in a class of attacks targeting Web sites that use Microsoft ASP and ASP.NET technologies but do not follow best practices for secure Web application development," the Redmond-based software giant said back in June.
"These SQL injection attacks do not exploit a specific software vulnerability, but instead target Web sites that do not follow secure coding practices for accessing and manipulating data stored in a relational database."
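The coding defect Microsoft describes above, shown as a vulnerable page lookup beside its parameterized form. This is an added example, not code from the article or from Microsoft's guidance; it uses Python's sqlite3 as a stand-in for an ASP.NET page querying MSSQL, and the table, rows and inputs are constructed.

```python
import sqlite3

# Constructed sample rows standing in for a site's content table.
# sqlite3 stands in for the MSSQL back end the article describes;
# the parameterization principle is identical.
SAMPLE_ROWS = [("home", "Welcome"), ("about", "About us"), ("news", "Latest news")]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, slug: str) -> list:
    # Vulnerable pattern: the request parameter is spliced into the SQL
    # text, so a quote in the input rewrites the statement's structure.
    sql = f"SELECT slug FROM pages WHERE slug = '{slug}'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, slug: str) -> list:
    # Hardened pattern: the parameter travels separately from the SQL
    # text and is always treated as a literal value, whatever it contains.
    sql = "SELECT slug FROM pages WHERE slug = ?"
    return [row[0] for row in conn.execute(sql, (slug,))]


if __name__ == "__main__":
    db = make_db()
    benign = "about"
    tainted = "x' OR '1'='1"  # constructed input carrying an embedded quote
    print(lookup_unsafe(db, benign), lookup_safe(db, benign))
    print(lookup_unsafe(db, tainted))  # every row: the WHERE clause was rewritten
    print(lookup_safe(db, tainted))    # []: no page has that literal slug
```

The same tainted string yields every row from the concatenated query and nothing from the parameterized one, which is the whole of the fix Microsoft's advisory points to.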
According to the TrustedSource post, the new attack works the same way but is more narrowly focused. It does not use iframes to serve malware; instead, it installs the malware on the compromised site itself and serves it from there.
"This ultimately causes the web server’s visitors to, depending on their client, be sent one of many different forms of malware from the referred pages. Similar to phishing, this attack takes advantage of the website visitor’s trust in the site they are visiting," outlines the blog post. "Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site."
The attack is ongoing and, according to Secure Computing, there are only a few hundred sites that have been infected thus far.
More information, as well as attack code examples, can be found online at the TrustedSource blog.