Attackers looking for a quick and easy way to compromise a large number of machines increasingly are relying on...
an old standby that has come back into favor: SQL injection.
In recent months security researchers have uncovered a startling number of websites that have been compromised by a series of mass SQL injection attacks that take advantage of weak Web applications and then use those sites as a platform to infect visitors' PCs with malware. The trend is a worrisome one for a number of reasons, researchers say, but the biggest concern is the enormous number of sites on the Web that are vulnerable to this kind of attack and the ease with which attackers are able to find and compromise new targets.
Even relatively basic websites can have several applications running at any one time and all it takes is a small coding error in one of those programs and an attacker has the opening he needs.
"It doesn't take a lot of effort," said Billy Hoffman, lead security researcher for the Web Security Research Group at HP, and an expert on Web application security. "There are so many Web-facing applications out there and a lot of them were written years ago and didn't go through any kind of code review."
The new wave of SQL injection attacks seems to have started earlier this year and has continued unabated since, with researchers continually finding more and more domains that have one or more compromised sites on them. The attacks can take one of several different forms, but the common denominator is their attempts to inject malicious SQL statements into otherwise legitimate Web pages. This will trigger an error on the database running the application on the back end, allowing the attacker to insert his own code. Many of the attacks are automated, using various toolkits to speed up the exploitation process, experts say.
"The Asprox code is very similar to what is being injected by the Chinese domains that are installing the game password-stealing Trojans," Stewart said. "I don't know if they bought a copy of it from the Chinese or if it's just a copycat, but they've been successful to a certain extent. It looks like someone has taken that code and put it into a massive program to spread it as far and wide as possible."
"What's driving the attacks for the time being are copycats and the overall availability of scanning and injecting tools, which in combination with hundreds of thousands of sites with outdated web applications in place, results is the current situation - over 1.5 million pages affected," said Dancho Danchev, an independent security consultant and researcher who has been following the SQL injection attacks. "Next to the lone copycats are the botnet masters with the Asprox botnet, and its ongoing efforts to participate in the attack. Moreover, the injected malicious domains are being put in a fast-flux, namely they respond to ten different IPs of malware-infected hosts [that are] part of the network, and the IPs themselves change constantly. The current attacks can be easily described as the long tail of SQL injection attacks reaching to the far corner of the Web. They simply do some reconnaissance then exploit the vulnerable targets."
Researchers say it's virtually impossible to know how many sites have been compromised in this way, though Stewart estimates that the Asprox malware has infected about 35,000 sites so far, based on Google searches. But what is clear is that where once attackers were content just to break into one site's database and root around for interesting nuggets, now they're highly focused on owning as many PCs as possible and using those machines as platforms for other activities.
"What we're seeing is Web threats evolving just like desktop threats," said Hoffman. "These guys used to just be interested in what they could get from one site. Now, the sites are platforms to steal data and launch other attacks. They're realizing they can use those machines as resources. Why just own the machine when I can use it to install malware and jump off to other machines?"
Much of the recent SQL injection activity appears to be coming from China and researchers around the world have been tracking the sources of the attacks. The Shadowserver Foundation has published a list of all of the domains that are injecting malicious code into other sites , and a large number of them are Chinese domains, with many of the others being .com or .info addresses.
SQL injection has come back into vogue with attackers for a number of reason, particularly the ease with which it can be automated. But it's also a maddeningly simple attack to execute, with a broad range of potential targets, making it appealing to both the low-level script kiddy as well as the pro who is looking for a big score.
"There's no commonality among these sites. They're just sites that have a programming mistake on them and these guys have picked the broadest attack surface possible, and that's where the SQL injection comes in," Stewart said. "They don't even have to do any work to find targets. All they do is go to Google and search for Active Server Pages that have a certain term on them. They know that ASP pages will be running MS SQL on the back end, and so then they just look for a specific argument in those pages and they're done."
The Chinese SQL injection attacks that began in March and are still carrying on are designed mainly to install Trojans that steal passwords to online games such as World of Warcraft. But, as Stewart points out, it's a short hop from stealing game passwords to swiping online banking passwords.
"It wouldn't take much effort at all. The thing that may stop them is that is a pretty serious crime in China. They've executed people for that," Stewart says. "So it could be that right now people aren't willing to take the risk."