News Stay informed about the latest enterprise technology news and product updates.

SQL injection attack infects hundreds of thousands of websites

Security experts are watching massive numbers of automated SQL injection attacks from Chinese domains. Attackers use simple search engine queries to build a list of targets.

Chinese hackers have conducted successful SQL injection attacks on hundreds of thousands of websites during the...

past 10 days, culling their targets from search engines.

They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game.
Jeremiah Grossman,
chief technology officerWhite Hat Security

Normally, SQL injection attacks are targeted attacks, one IP address at a time. The closest attack on this scale would be the SAMY worm attack on the domain, but that was against just one domain.

The attackers are using simple search engine queries to find massive lists of ASP or PHP sites, for example, to determine injection parameters and then automating their attacks. They are taking advantage of functionality in Microsoft's SQL Server database server that enables multiple SQL statements to be sent in the same HTTP expression. Other databases such as MySQL or Postgres don't support this functionality.

The attack is a complicated SQL injection, said Jeremiah Grossman, a Web application security expert and chief technology officer of White Hat Security. Grossman said the injection is nearly a paragraph in size, and fully encoded, enabling it to elude intrusion detection systems. Part of it contains Chinese characters and a leet-treatment of the Chinese word for hello, ni hao (n1 ha0).

SQL injection attacks:
Preventing blind SQL injection attacks: Most security professionals know what SQL injection attacks are and how to protect their Web applications against them. But, they may not know that their preventative measures may be leaving their applications open to blind SQL injection attacks.

Cross-build injection attacks: Keeping an eye on Web applications' open source components: One popular method used to exploit such flaws is to inject code into the running application, a process common in SQL injections and cross-site scripting attacks.

Download security expert, Michael Cobb's cross-build injection attack advice to your PC or favorite mobile device.

Learn about SQL injection attacks and other Web application attacks in our Learning Guide. Find out how to prevent SQL injections.

The SQL Injection exploit loops through database tables loading in malicious JavaScript everywhere it can, Grossman said, and ultimately infects browsers with malware via a Web page iFrame which loads content such as Trojans, from different hacker sites.

Grossman said he knows of one site loading a Trojan trying to steal World of Warcraft passwords. But, the real danger is that essentially these sites have been backdoored, and the payloads can be swapped out at any time.

"They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game," Grossman said. "This is a new level of sophistication."

Authorities have asked Chinese ISPs to shut down these sites, but that doesn't hamper the attack methodology; attackers can merely move to new domains.

"It's difficult for site owners to tell if their sites have been exploited," Grossman said. "If they look into their own site, they can tell whether malware is being pulled in. If it isn't, it could be because the hacker-controlled site is down. They'll think they're clean, and tomorrow, they may not be."

Clean up is a chore. Site owners would either have to manually search their database tables, row by row, table by table, looking for the offending code and remove it, or restore the database from a backup version if one is available.

"If you use the 80-20 rule, it could be months before we see this cleaned up," Grossman said. "If the hacker-controlled domains are down at the moment, you might be owned, but not being exploited."

Dig Deeper on Application attacks (buffer overflows, cross-site scripting)

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.