Mass SQL Injection Attacks Uses Automated Tools, Search to Infect New Sites
Attackers are using search results as a reconnaissance tool to identify sites to hit in the latest mass injection attack directing users to Lilupophilupop.com.
Security researchers monitoring mass SQL injection attacks warned the latest one may be nearing a million infected pages using a combination of automated tools and reconnaissance using search engines.
The "Lilupophilupop" SQL injection campaign has infected a little over a million URLs since it was first detected in early December, according to a post on the SANS Institute's Internet Storm Center. The security firm detected only 80 corrupted URLs when it first noticed the campaign. Mark Hofman, a handler at the SANS Institute's Internet Storm, acknowledged the list contained duplicate URLs but regardless of the actual number of infected sites, the campaign was definitely growing.
Victims who land on the infected URLs are redirected to other sites and wind up on Lilupophilupop.com, which can display an "adobeflash page" where they are encouraged to download what they think is an update to Adobe Flash, or to a fake antivirus site. The scam's ultimate goal is to trick victims into paying for software or antivirus protection they don't need, and will likely cause more problems once installed.
"Sources of the attack vary, it is automated and spreading fairly rapidly," Hofman wrote in an initial analysis of the attack.
This newest mass injection is similar to the LizaMoon attack, which was responsible for redirecting 1.5 million URLs to fake antivirus pages. Websites based in the Netherlands are the biggest victims of Lilupophilupop, followed by French sites, according to the SANS Institute. Sites with backends running on IIS, ASP or Microsoft SQL Server seem to be the primary target.
"If you want to find out if you have a problem just search for '<script
src=http://lilupophilupop.com/' in Google and use the site: parameter to hone in on your domain, Hofman said.
Attackers often use Google and other search engines to identify which Websites are vulnerable as part of their initial research, Rob Rachwald, director of security strategy at Imperva, told eWEEK. The searches may be as simple as looking for Websites that are running off-the-shelf content management systems or other software packages that have known vulnerabilities, such as phpMyAdmin, a popular Web-based front-end interface for managing SQL databases, he said. There are also certain parameters that can be used to find open ports or even what scripts are available on the server.
Security administrators can do what the attackers do and run queries with various technical parameters, also known as "Google Dorks," on the Website to see what shows up in the search results, according to Rachwald. Once the problems on the server are exposed, they can then be cleaned up, according to Rachwald.
Attackers often automate the search process using bots. A recent Imperva report showed that just 10 IP addresses were responsible for approximately 40 percent of SQL injection attacks. "With such numbers, blacklisting makes sense," Rachwald said. Blacklisting alone won't stop SQL injection attacks, but it can reduce some of the sources of attack.
There are also automated SQL attack tools available, such as SQL map and Havij. These tools each have unique patterns and fingerprints that can be used to identify them. Administrators can identify different patterns of automated attacks by examining HTTP headers and application parameters and block the malicious tool from accessing the application at all.
"Code review is arduous and expensive, but it gets the problem fixed, hopefully for good," said Rachwald.
Even if an organization knows there are security flaws in the application, there may be several reasons as to why the flaws can't be fixed immediately. The source code may not belong to the organization or the developers may be backlogged and not able to make the fix. A Web application firewall will also help prevent attacks as it can be used to block attacks from exploiting the vulnerability in the application, according to Rachwald.