Application security, Breach, Data Security, Incident Response, TDR, Vulnerability Management

Researchers determine source of SQL attacks

Security researchers at the SANS Internet Storm Center (ISC) have discovered a utility that served as the foundation for a series of attacks that compromised thousands of websites and infected millions of users' PCs over the past several months.

The utility performs automated SQL injection attacks against websites found to be vulnerable to specific web searches, according to a report from the ISC. The utility, which appears to be written in Chinese, allows users to pick which HTML tag to insert into a vulnerable webpage, ISC handler Bojan Zdrnja said in a blog post.

Security researchers believe that various criminals have used the utility and other similar ones to infect thousands of legitimate websites. Once downloaded onto a website, the executable code places malware on the PCs of visitors to the infected sites.

"Back in January, there were multiple reports about a large number of websites being compromised and serving malware," Zdrnja noted in his blog. "Most of the reports about these attacks pointed to exploitation of SQL injection vulnerabilities."

In analyzing the utility, Zdrnja said it communicates with a server in China after it infects a new site. "My guess is that the attackers get paid for this since the tool calls a script (pay.asp) to verify something," he said.

The utility then connects to Google and uses a specific user-configurable search string to find sites vulnerable to SQL injection attacks. Zdrnja said he still has to analyze the SQL injection process to discover the exact manner in which it operates.

"The nice thing about this is that we finally managed to confirm that it is SQL injection that was used in those attacks," Zdrnja said. "The tool has more functionality that we still have to analyze, but this is the main purpose."

He also urged website operators to "check your applications and make sure that they are not vulnerable" to SQL injection vulnerabilities.

Despite the number of successful attacks by those using the utility, the number of SQL injection attacks is declining, at least on well-trafficked websites, Brian Chess, a founder and the chief scientist at security vendor Fortify, told

"The problem is in smaller IT shops, with people who don't understand that how they write code can make them vulnerable,” he said.

Stopping SQL injection attacks is not complex, Chess said. "There are certain function calls in whatever platform -- Java or .NET -- that are susceptible to SQL injections, and it's easy to avoid the vulnerable function calls,” he said.

The ISC's research findings "underscore the importance of monitoring databases in real time," Alex Rothacker, manager of Application Security's SHATTER Research Team, told

"The continued updating of rules sets at the monitoring sensor level is the best way to implement comprehensive data protection, which will detect this type of attack quickly," he said.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.