Researchers determine source of SQL attacks

Security researchers at the SANS Internet Storm Center (ISC) have discovered a utility that served as the foundation for a series of attacks that compromised thousands of websites and infected millions of users' PCs over the past several months.

The utility performs automated SQL injection attacks against websites that specific web searches identify as vulnerable, according to a report from the ISC. The utility, which appears to be written in Chinese, allows users to pick which HTML tag to insert into a vulnerable webpage, ISC handler Bojan Zdrnja said in a blog post.

Security researchers believe that various criminals have used this utility and similar ones to infect thousands of legitimate websites. Once injected into a website, the planted code places malware on the PCs of visitors to the compromised sites.

"Back in January, there were multiple reports about a large number of websites being compromised and serving malware," Zdrnja noted in his blog. "Most of the reports about these attacks pointed to exploitation of SQL injection vulnerabilities."

In analyzing the utility, Zdrnja said it communicates with a server in China after it infects a new site. "My guess is that the attackers get paid for this since the tool calls a script (pay.asp) to verify something," he said.

The utility then connects to Google and uses a specific user-configurable search string to find sites vulnerable to SQL injection attacks. Zdrnja said he still has to analyze the SQL injection process to discover the exact manner in which it operates.

"The nice thing about this is that we finally managed to confirm that it is SQL injection that was used in those attacks," Zdrnja said. "The tool has more functionality that we still have to analyze, but this is the main purpose."

He also urged website operators to "check your applications and make sure that they are not vulnerable" to SQL injection.

Despite the number of successful attacks by those using the utility, the number of SQL injection attacks is declining, at least on well-trafficked websites, Brian Chess, a founder and the chief scientist at security vendor Fortify, told SCMagazineUS.com.

"The problem is in smaller IT shops, with people who don't understand that how they write code can make them vulnerable," he said.

Stopping SQL injection attacks is not complex, Chess said. "There are certain function calls in whatever platform -- Java or .NET -- that are susceptible to SQL injections, and it's easy to avoid the vulnerable function calls," he said.

The ISC's research findings "underscore the importance of monitoring databases in real time," Alex Rothacker, manager of Application Security's SHATTER Research Team, told SCMagazineUS.com.

"The continued updating of rules sets at the monitoring sensor level is the best way to implement comprehensive data protection, which will detect this type of attack quickly," he said.
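As an added illustration, not code from the article or the ISC analysis, the following Python shows the pattern Chess describes and a check in the spirit of Rothacker's monitoring advice: a page lookup that splices request input into the SQL text, the same lookup with a bound parameter, and an audit that scans stored page bodies for opening script or iframe tags. The table, its rows, the `injected.example` host and the choice of script/iframe as the tags to look for are my assumptions; the article says only that the tool inserts an HTML tag of the attacker's choosing.

```python
import re
import sqlite3

# Constructed sample rows for a tiny CMS "pages" table, not data from the article.
SAMPLE_ROWS = [
    (1, "home", "<p>Welcome</p>"),
    (2, "about", '<p>About us</p><iframe src="http://injected.example/"></iframe>'),
    (3, "news", "<p>O'Reilly signs deal</p>"),
]

def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn

def lookup_unsafe(conn, slug):
    # Susceptible pattern: input spliced into the SQL text, so a quote in `slug`
    # changes the statement instead of staying inside the string literal.
    return conn.execute("SELECT body FROM pages WHERE slug = '" + slug + "'").fetchone()

def lookup_safe(conn, slug):
    # Hardened form: a bound parameter is sent as a value, never parsed as SQL.
    return conn.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()

def compare(conn, slug):
    """Return (unsafe_ok, safe_ok): whether each lookup ran `slug` without a SQL error."""
    def ok(lookup):
        try:
            lookup(conn, slug)
            return True
        except sqlite3.Error:
            return False
    return (ok(lookup_unsafe), ok(lookup_safe))

# Opening script/iframe tags: the kind of HTML the tool plants in page content.
INJECTED_TAG = re.compile(r"<(script|iframe)\b[^>]*>", re.IGNORECASE)

def find_injected_tags(conn):
    """Audit every stored page body; return (id, slug, tag) for each suspect tag."""
    hits = []
    for row_id, slug, body in conn.execute("SELECT id, slug, body FROM pages"):
        for match in INJECTED_TAG.finditer(body):
            hits.append((row_id, slug, match.group(0)))
    return hits

if __name__ == "__main__":
    db = make_db()
    print("apostrophe survived (unsafe, safe):", compare(db, "o'neil"))
    print("suspect tags in stored pages:", find_injected_tags(db))
```

A plain apostrophe in the slug is enough to break the concatenated query while the parameterized one simply returns no row, which is the boundary the audit relies on staying intact.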