Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the past 10 days, culling their targets from search engines.
Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the SAMY worm attack on the MySpace.com domain, but that was against just one domain.
The attackers are using simple search engine queries to find massive lists of ASP or PHP sites, for example, to determine injection parameters and then automating their attacks. They are taking advantage of functionality in Microsoft's SQL Server database server that enables multiple SQL statements to be sent in the same HTTP expression. Other databases such as MySQL or Postgres don't support this functionality.
The attack is a complicated SQL injection, said Jeremiah Grossman, a Web application security expert and chief technology officer of White Hat Security. Grossman said the injection is nearly a paragraph in size, and fully encoded, enabling it to elude intrusion detection systems. Part of it contains Chinese characters and a leet-treatment of the Chinese word for hello, ni hao (n1 ha0).
Grossman said he knows of one site loading a Trojan trying to steal World of Warcraft passwords. But, the real danger is that essentially these sites have been backdoored, and the payloads can be swapped out at any time.
"They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game," Grossman said. "This is a new level of sophistication."
Authorities have asked Chinese ISPs to shut down these sites, but that doesn't hamper the attack methodology; attackers can merely move to new domains.
"It's difficult for site owners to tell if their sites have been exploited," Grossman said. "If they look into their own site, they can tell whether malware is being pulled in. If it isn't, it could be because the hacker-controlled site is down. They'll think they're clean, and tomorrow, they may not be."
Clean up is a chore. Site owners would either have to manually search their database tables, row by row, table by table, looking for the offending code and remove it, or restore the database from a backup version if one is available.
"If you use the 80-20 rule, it could be months before we see this cleaned up," Grossman said. "If the hacker-controlled domains are down at the moment, you might be owned, but not being exploited."