Automated SQLi Attack Hijacks Over 1 Million Websites

In the past, malicious web sites seemed relegated to the “bad neighborhoods” of the Internet. If you weren’t surfing piracy, pornography, or hacking sites, you probably wouldn’t have randomly encountered websites serving malicious code back then. Unfortunately, that has changed.

Over the years, legitimate web sites have increasingly been hijacked and booby-trapped with malicious code. If you visit such a site with an unpatched system, your computer may automatically and silently download and install some nasty malware. Lately, attackers have often hijacked thousands of web sites at once. What’s to blame for these mass web hijacks? More often than not, automated SQL injection (SQLi).

According to researchers at SANS, an automated SQL injection (SQLi) attack dubbed Lilupophilupop has infected over one million websites (the strange name is based on a malicious domain the attack references). This latest bout of automated SQLi attacks targets Microsoft web frameworks (IIS servers using ASP.NET, with an MSSQL backend), and first surfaced in early December. Back then, the attack had only affected a handful of sites. However, SANS’ latest research shows that it has spread to just over a million web sites today.

If you’d like to know more about this attack, you can find details about it, including the malicious SQL string it uses, in SANS’ early December post. That post also shares tips to help IIS administrators and web developers identify vulnerable pages on their site. It’s well worth a read.

In general, the best way to protect yourself from these sorts of web application attacks (whether automated or not) is to have your developers learn how to follow secure coding practices for web applications. The Open Web Application Security Project (OWASP) is a fantastic resource for web developers to learn these practices. That said, sometimes the web frameworks you rely on will have their own vulnerabilities, which you can’t avoid (until you can patch). That’s why having a security appliance that can do application-layer security inspection, and has strong IPS, doesn’t hurt either.

As an aside, SQLi is a class of attack that many IT professionals have heard of conceptually, but some may not really get technically. Below, I’ve posted a demo video I created for one of my security presentations. It illustrates a very simple, manual SQLi attack. I use this simple SQLi example to help illustrate the concept behind them. You should check it out if you want a better idea of how they can work. Do know, however, that today’s modern websites don’t suffer from such obvious examples of SQLi vulnerability as the one I demonstrate in this video. Modern websites still often suffer from SQLi flaws; they are just found in more complex places within today’s web applications.

— Corey Nachreiner, CISSP (@SecAdept)
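The concept behind SQLi, and the secure coding practice that removes it, shown as an added example that is not from the original post or the SANS write-up. It assumes a hypothetical `articles` table and a page that looks an article up by an `id` request value; in-memory SQLite stands in for the MSSQL backend, and all data and inputs are constructed.

```python
import sqlite3


def make_db():
    # Constructed sample data; SQLite is a stand-in for the MSSQL backend.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, state TEXT)"
    )
    conn.executemany(
        "INSERT INTO articles VALUES (?, ?, ?)",
        [(1, "Welcome", "public"), (2, "Pricing", "public"), (3, "Draft", "hidden")],
    )
    return conn


def titles_vulnerable(conn, raw_id):
    # Vulnerable: the request value is pasted into the SQL text, so the
    # database parses whatever the client sent as part of the statement.
    sql = "SELECT title FROM articles WHERE id = " + raw_id + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, raw_id):
    # Hardened: reject anything that is not an integer, then bind the value
    # as a parameter so it can only ever be compared as data.
    try:
        article_id = int(raw_id)
    except ValueError:
        return []
    rows = conn.execute(
        "SELECT title FROM articles WHERE id = ? ORDER BY id", (article_id,)
    )
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    for value in ("2", "2 OR 1=1"):  # constructed request values
        print(repr(value), titles_vulnerable(db, value), titles_safe(db, value))
```

The second input changes the shape of the concatenated query and returns every row, while the parameterized version returns nothing for it.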


About Corey Nachreiner

Corey Nachreiner has been with WatchGuard since 1999 and has since written more than a thousand concise security alerts and easily-understood educational articles for WatchGuard users. His security training videos have generated hundreds of letters of praise from thankful customers and accumulated more than 100,000 views on YouTube and Google Video. A Certified Information Systems Security Professional (CISSP), Corey speaks internationally and is often quoted by other online sources, including C|NET, eWeek, and Slashdot. Corey enjoys "modding" any technical gizmo he can get his hands on, and considers himself a hacker in the old sense of the word.

8 Responses to “Automated SQLi Attack Hijacks Over 1 Million Websites”

  1. I visit daily a few websites and sites to read content, however
    this blog provides feature based articles.

  2. If someone wishes expert view about blogging after that I recommend him/her to go
    to see this blog, Keep up the pleasant work.

  3. Aw, this was an exceptionally nice post. Spending some time and actual effort to generate a
    top notch article… but what can I say… I hesitate a lot and never seem to get nearly anything done.

  4. What’s up to all, it’s actually nice for me to go to see this site, it
    contains priceless Information.

  5. I leave a response when I especially enjoy an article on a website or if I have something to contribute
    to the discussion. Usually it is triggered by the
    sincerity displayed in the article I looked at. And on this article Automated
    SQLi Attack Hijacks Over 1 Million Websites | WatchGuard Security Center.
    I was actually excited enough to drop a comment ;-)
    I actually do have 2 questions for you if it’s
    okay. Is it simply me or does it look as if a few of these comments appear like
    coming from brain dead people? :-P And, if you are posting at additional online
    social sites, I’d like to keep up with you. Would you list all of your community sites like your
    Facebook page, twitter feed, or linkedin profile?

  6. Your mode of telling everything in this piece of
    writing is in fact fastidious, every one be able to effortlessly know it, Thanks a lot.

  7. I enjoy what you guys tend to be up to. This
    kind of clever work and reporting! Keep up the awesome works guys I’ve included you guys to our

  8. It is much much better to be educated about these conditions
    than to be ignorant of them. The outer levels of the skin turn out to be infected, ensuing in burning,
    itchy rashes. You must comprehend the severity of
    these illnesses.
