The Tech Herald

SQL Injection attack still spreading - 84000 and counting

by Steve Ragan - Aug 26 2009, 21:10

SQL Injection attack still spreading - 84000 and counting. (IMG: J. Anderson)

The automated SQL Injection (SQLi) attacks that gained attention late last week are spreading, and according to the researchers who discovered the attack, they are related to similar SQLi attacks in China. ScanSafe, which discovered the attacks, believes these attacks may be regionally targeted.

The original report from ScanSafe looked only at the domain, which is injected via a malicious Iframe into a legitimate site by using various automated SQLi methods. At the time of the first report on Friday, the count was just under 55,000 sites. On Wednesday, the number of sites swelled to just over 84,000. Adding to this is the discovery of similar SQLi attacks taking place in China, leading ScanSafe to speculate that the attacks may be regional.

The Malware served in the attacks reported by ScanSafe on Friday is a nasty cocktail of code, including backdoor-related Malware, keylogging Malware, various Trojans and more.

While the attack methods are the same for the sites hit in China, “…it appears the attackers may be managing geographical waves of the attacks by dividing up the Malware domains by region. And while the end stage malware consists of backdoors and data theft Trojans, the exact malware used also appears to be dependent on region,” ScanSafe said.

“Although the end stage malware differs, the attacks share many commonalities with and appear to be related to the 55,000 compromises reported last Friday. Both attacks also appear to be related to a similarly configured series of SQL injection attacks impacting India websites in July,” the ScanSafe report noted.

Earlier this year, Breach Security released their annual Web Hacking Incidents Database (WHID) report. In that report, the focus is on the massive SQLi attacks seen online in 2007, where over 500,000 sites were compromised.

In late June, another wave of automated SQLi attacks targeted sites in China. Those attacks were seeking to exploit an ActiveX vulnerability, which was over a year old at the time, but remained unpatched.

“Those SQL attacks are related to the same SQL injection attacks we've just been discussing, with apparent targeting of India websites beginning in mid-July followed by the apparent targeting of English language websites (predominantly U.S., Canada, U.K. and South Africa) in early to mid August,” ScanSafe said, hitting home that it is highly likely that the recent rash of SQLi attacks are all related on some level.

There is another commonality, mentioned in scattered media reports, but not by ScanSafe, which is that most of the sites that were hijacked by the SQLi attacks are using ASP to serve Web content.

What this means is that there are still coding practices in use which leave Web applications vulnerable. During the attacks on sites in the U.S., U.K., and India, both this year and in previous years, Microsoft has encouraged Web developers using ASP to follow the guidelines listed in their MSDN security development document. You can view that here. The value of the guidelines lies in developing code that sanitizes user input and handles other paths to the backend database safely within the site’s code.

Like the previous SQLi attacks from 2007 and 2008, the attackers are automating the injection process this time around as well. The automated attacks target a website and attempt to inject the payload into every available field they can find in a table. This is the reason you can track the number of infected sites on Google, as the Title fields are targeted in addition to everything else. Once the Iframe injection is successful, the site will start serving Malware to anyone who visits it.
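Because the injected markup lands in every text column it can reach, a site owner can triage a content-table export the same way the Google tally above works: look for the injected iframe or script tag in each field and count hits per column and per domain. The following is an added example written for this article, not code from ScanSafe or the original report; the rows and the domain injected.example are constructed placeholders, since the article does not name the real injected domain.

```python
import re
from collections import Counter

# Constructed sample rows standing in for a content-table export: (id, title, body).
# "injected.example" is a placeholder for the injected Malware domain.
SAMPLE_ROWS = [
    (1, "Welcome to our site", "<p>Hello</p>"),
    (2, 'Pricing</title><iframe src="http://injected.example/x.js" width=0 height=0></iframe>', "<p>Plans</p>"),
    (3, "About us", '<p>Team</p><script src="http://injected.example/a.js"></script>'),
    (4, "Contact", "<p>Email</p>"),
]

# The mass-SQLi campaigns appended markup to text columns wholesale, so a remote
# iframe or script tag with an external src is the indicator this scan looks for.
INJECT_RE = re.compile(
    r'<(?:iframe|script)\b[^>]*\bsrc=["\']?(?:https?:)?//([^/"\'\s>]+)[^>]*>'
    r'(?:\s*</(?:iframe|script)>)?',
    re.IGNORECASE,
)


def find_injections(rows, columns=("title", "body")):
    """Return (row_id, column, domain) for every injected tag found in the export."""
    hits = []
    for row in rows:
        row_id = row[0]
        for idx, col in enumerate(columns, start=1):
            for m in INJECT_RE.finditer(row[idx]):
                hits.append((row_id, col, m.group(1).lower()))
    return hits


def summarize(hits):
    """Count affected fields per column and per injected domain, like the Google tally."""
    per_column = Counter(col for _, col, _ in hits)
    per_domain = Counter(dom for _, _, dom in hits)
    return per_column, per_domain


def strip_injections(value):
    """Remove injected iframe/script tags from one field value (run against a backup first)."""
    return INJECT_RE.sub("", value)


if __name__ == "__main__":
    found = find_injections(SAMPLE_ROWS)
    cols, doms = summarize(found)
    print("affected fields per column:", dict(cols))
    print("injected domains:", dict(doms))
    for row_id, col, dom in found:
        print(f"row {row_id}, column {col}: {dom}")
```

Note that row 2 shows the payload closing the page's title tag before the iframe, which is why a search engine indexes the injected domain in the page title; the leftover `</title>` after stripping is a sign the whole field should be restored from backup rather than patched in place.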

The downside to these automated attacks, from the attacker’s standpoint in any case, was seen in both the 2007 and 2008 attacks. The automated injection sometimes overlapped previous working exploit code, rendering many of the sites worthless when it came to serving Malware.

Now, with news of the automated attacks and of compromised legitimate sites spreading, the numbers reported in Google will start to inflate artificially. Not to mention there will surely be a good deal of panic from those who are not sure exactly what these types of attacks mean.

As a user, you can be protected from these types of attacks by using a little caution online and some basic protections. The first layer of protection is the same advice given out on The Tech Herald countless times; patch your system and software on a regular basis. This means making sure that software such as Adobe Reader, Adobe Flash Player, Shockwave, Firefox, and the operating system are using the most recent versions.

However, that alone will not protect you. You need layers of defense on a system. There are browser add-ons as well, such as NoScript for Firefox or LinkScanner from AVG. McAfee offers SiteAdvisor, which is another browser add-on. Symantec offers Safe Web, and there are other homegrown offerings such as Web of Trust (WOT) you can consider.

However, each of those must be coupled with an anti-Virus application to be truly effective. This can be paid anti-Virus software or free anti-Virus software, but everyone should be using it.

As this story develops, any new information will be added, and this article updated.
