SQL Attacks - Half a Million Sites Already Owned

By Matthew Hines  |  Posted 2009-02-24

A new research report delving further into the current epidemic of online SQL injection attacks maintains that over a half million sites were victimized by the threats during 2008 alone.

According to the Web Hacking Incidents Database (WHID) 2008 Annual Report issued by security appliance maker Breach Security on Tuesday, SQL threats that dropped malware onto affected sites far outnumbered any other type of attack rearing its head on the Internet last year.

The majority of the SQL injection campaigns delivered botnet programs onto machines infected by the sites they compromised, allowing the parties behind the attacks to use the devices for a number of different ends, from distributing spam to launching additional malware threats, the company said.

"The mass SQL Injection bot payload was a script that would alter the contents of the back-end database and inject malicious JavaScript," Breach researchers conclude in the report. "The novel approach employed by these attacks was that the SQL Injection scripts could 'generically' enumerate and update the database tables all in one request."

By cutting out a good deal of the manual research required of attackers in previous campaigns, the emergence of the "mass SQL injection bots" triggered an eruption of outbreaks, Breach maintains.

Breach Security Labs specifically tracked three major SQL-driven bots in 2008:

-Nihaorr1 Mass SQL Injection Bot

-Asprox Mass SQL Injection Bot

-Mass SQL Injection Bot Evolution

The techniques used by the involved attackers mix together a powerful cocktail of hacking and malware authoring expertise, the experts noted.

"While the initial attack vector was SQL Injection, the overall attack more closely resembles a Cross-Site Scripting methodology as the end goal of the attack was to have malicious JavaScript execute within victims' browsers. The JavaScript calls up remote malicious code that attempts to exploit various known browser flaws to install Trojans and Keyloggers in order to steal login credentials to other Web applications," the report contends.

Breach also highlighted another "notable attack methodology shift" in the fact that rather than targeting sensitive data in site databases, the threats were largely meant to victimize site visitors.
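Because the injected JavaScript ends up stored in database tables and served to visitors, a site owner can audit stored content for it. The following is an added example, not code from the report or this article: it walks every text column of every table and flags script tags that load from hosts outside an allow-list. SQLite stands in for the site's database, and the table names, hostnames and the `allowed_hosts` parameter are constructed for illustration.

```python
import re
import sqlite3

# Matches a <script> tag whose src is an absolute or protocol-relative URL; captures the host.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?(?:https?:)?//([^/\"'\s>]+)", re.I)

def find_injected_scripts(conn, allowed_hosts=()):
    """Return (table, column, rowid, host) for each off-site script tag in stored text."""
    allowed = {h.lower() for h in allowed_hosts}
    findings = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%' ORDER BY name")]
    for table in tables:
        qt = '"' + table.replace('"', '""') + '"'  # quote identifier safely
        # Keep only columns declared as text types (row: cid, name, type, ...)
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({qt})")
                if any(t in (r[2] or "").upper() for t in ("CHAR", "TEXT", "CLOB"))]
        for col in cols:
            qc = '"' + col.replace('"', '""') + '"'
            query = f"SELECT rowid, {qc} FROM {qt} WHERE {qc} LIKE '%<script%'"
            for rowid, value in conn.execute(query):
                hosts = SCRIPT_SRC.findall(value) if isinstance(value, str) else []
                findings.extend((table, col, rowid, h.lower())
                                for h in hosts if h.lower() not in allowed)
    return findings

def build_sample_db():
    """Constructed sample data: two rows carry an appended off-site script tag."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(80), descr TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, views INTEGER);
    """)
    bad = '<script src="http://malicious.example/x.js"></script>'  # constructed marker
    conn.executemany("INSERT INTO products (name, descr) VALUES (?, ?)", [
        ("Widget", "A plain widget"),
        ("Gadget" + bad, "Uses <script src='//cdn.shop.example/ui.js'></script>"),
    ])
    conn.executemany("INSERT INTO news (title, views) VALUES (?, ?)",
                     [("Launch day" + bad, 10), ("Quiet week", 3)])
    return conn

if __name__ == "__main__":
    for hit in find_injected_scripts(build_sample_db(), ("cdn.shop.example",)):
        print("suspicious script tag:", hit)
```

The same tag appearing across unrelated tables and columns is the signature of the table-wide update the report describes, as opposed to a script an editor placed in one content field.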

As the firm points out, the 2008 results should serve notice that infected URLs have really and truly become the most dangerous force in the world of cybercrime.

And that SQL injection, specifically, is the manner in which most of them are being corrupted.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.
