WHID 2007-82: An SQL injection Mass Robot
An SQL injection robot is running wild and has already hacked hundreds of thousands of web sites. Since the robot plants malicious code in infected sites, its traces can be found by Googling for the name of the Chinese sites referred to in the malicious code.
As a security practitioner I often see SQL injection bots, many times when I install ModSecurity, an open source web application firewall, but this bot is unique in the way it exploits web sites. It is easier to perform a wide scale attack by exploiting the least common denominator, which in the hacking world is the operating system. As a result most SQL bots tend to use SQL injection vectors that enable issuing OS commands. A good example is a Cacti vulnerability: since it allows an OS command to be issued, I often see bots looking for it in the wild. This attack is the first I have seen in which the actual attack vector is SQL based. The bot modifies every record it has access to into malicious code, in the hope that the application will fetch it and display it to its users.
A byproduct of this vector is that the results are catastrophic for the site owners. While in the case of a common defacement attack restoring (or recreating) the homepage is all it takes to get back to business, in this case the whole database is ruined. Considering the scope of the attack, and that restoring the database, if it was ever backed up, requires much more expertise, the overall damage of this attack is very high.
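Because the payload lands in every text column the bot can reach, triage means walking the whole schema rather than one page. The following is an added example (not part of the WHID entry or any of the linked reports) of how a defender might enumerate character-typed columns, locate cells carrying an injected externally hosted script tag, tally the referenced hosts, and strip the tags as a stop-gap before a proper restore; it uses an in-memory SQLite database with constructed tables and constructed host names, and assumes ordinary rowid tables.

```python
import re
import sqlite3

# Externally hosted <script src=...></script> appended to stored text is the payload shape
# the incident describes; host names in the sample below are constructed for this example.
SCRIPT_TAG = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)[^>]*>\s*</script>',
    re.IGNORECASE)

def text_columns(conn):
    """Yield (table, column) for every character-typed column in the schema."""
    for (table,) in conn.execute(
            "SELECT name FROM sqlite_master WHERE type='table'").fetchall():
        for _cid, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if 'CHAR' in ctype.upper() or 'TEXT' in ctype.upper():
                yield table, name

def find_injected(conn):
    """Return (table, column, rowid, host) for every cell carrying an injected tag."""
    hits = []
    for table, column in text_columns(conn):  # assumes ordinary rowid tables
        for rowid, value in conn.execute(f'SELECT rowid, "{column}" FROM "{table}"'):
            if isinstance(value, str):
                for m in SCRIPT_TAG.finditer(value):
                    hits.append((table, column, rowid, m.group(1).lower()))
    return hits

def strip_injected(conn):
    """Remove injected tags in place; returns cells changed. A stop-gap, not a restore."""
    changed = 0
    for table, column in list(text_columns(conn)):
        rows = conn.execute(f'SELECT rowid, "{column}" FROM "{table}"').fetchall()
        for rowid, value in rows:
            if isinstance(value, str) and SCRIPT_TAG.search(value):
                conn.execute(f'UPDATE "{table}" SET "{column}" = ? WHERE rowid = ?', (SCRIPT_TAG.sub('', value), rowid))
                changed += 1
    conn.commit()
    return changed

def sample_db():
    """Constructed sample: two tables, three text cells hit by one mass injection."""
    conn = sqlite3.connect(':memory:')
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title VARCHAR(200), body TEXT, views INTEGER);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author VARCHAR(50), message TEXT);
        INSERT INTO articles (title, body, views) VALUES ('Welcome', '<p>Hello world</p>', 10),
          ('News<script src="http://malicious.example/1.js"></script>',
           '<p>Story</p><script src=http://malicious.example/1.js></script>', 3);
        INSERT INTO comments (author, message) VALUES
          ('alice', 'Nice post'), ('bob', 'Me too<script src="//cdn.evil.example/b.js"></script>');
    """)
    return conn
```

The hosts returned by `find_injected` are the indicator the entry suggests searching for; the same enumeration is what lets you judge whether a restore from backup is unavoidable.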
Additional information:
- 70,000 Web Pages Hacked By Database Attack [Information Week, Jan 8 2008]
- Realplayer Vulnerability [SANS Internet Storm Center, Jan 4 2008]
- Massive embedded exploit web site attack underway [Heise, Jan 8 2008]
- SQL Injection Attack Infects Thousands of Websites [Ryan Barnett, Jan 8 2008]
- Mass exploits with SQL Injection [SANS, Jan 9 2008]