Automated SQLi Attack Hijacks Over 1 Million Websites

Jan

6

January 6 , 2012 | Posted by Nachreiner | 8 Comments

Automated SQLi Attack Hijacks Over 1 Million Websites

In past, malicious web sites seemed relegated to the “bad neighborhoods” of the Internet. If you weren’t surfing piracy, pornography, or hacking sites, you probably wouldn’t have randomly encountered websites serving malicious code back then. Unfortunately, that has changed.

Over the years, legitimate web sites have increasingly been hijacked, and booby-trapped with malicious code. If you visit such a site with an unpatched system, your computer may automatically and silently download and install some nasty malware. Lately, attackers have often hijacked thousands of web sites at once. What’s to blame for these mass web hijacks? More often than not; automated SQL Injection (SQLi).

According to researchers at SANS, an automated SQL injection (SQLi) attack dubbed Lilupophilupop has infected over one million websites (the strange name is based on a malicious domain the attack references). This latest bout of automated SQLi attacks targets Microsoft web frameworks (IIS servers using ASP.NET, with a MSSQL backend), and first surfaced in early December. Back then, the attack had only affected a handful of sites. However,  SANS’ latest research shows that it has spread to just over a million web sites today.

If you’d like to know more about this attack, you can find details about it, including the malicious SQL string it uses, in SANS’ early December post. That post also shares tips to help IIS administrators and web developers identify vulnerable pages on their site. It’s well worth a read.

In general, the best way to protect yourself from these sorts of web application attacks (whether automated or not)  is to have your developers learn how to follow secure coding practices for web applications. The Open Web Application Security Project (OWASP) is a fantastic resources for web developers to learn these practices. That said, sometimes the web frameworks you rely on will have their own vulnerabilities, which you can’t avoid (until you can patch). That’s why having a security appliance that can do application-layer security inspection, and has strong IPS, doesn’t hurt either.

As an aside, SQLi is a class of attack that many IT professionals have heard of conceptually, but some may not really get technically. Below, I’ve posted a demo video I created for one of my security presentations. It illustrates a very simple, manual SQLi attack. I use this simple SQLi example to help illustrate the concept behind them. You should check it out if you want a better idea how they can work.  Do know, however, today’s modern websites don’t suffer from such obvious examples of SQLi vulnerability as the one I demonstrate in this video. Modern websites still often suffer from SQLi flaws,they are just found in more complex places within today’s web applications. — Corey Nachreiner, CISSP (@SecAdept)

 

Comments (8)

  1. I create a leave a response when I especially enjoy a article on a website or if I have something to contribute
    to the discussion. Usually it is triggered by the
    sincerness displayed in the article I looked at. And on this article Automated
    SQLi Attack Hijacks Over 1 Million Websites | WatchGuard Security Center.
    I was actually excited enough to drop a commenta response ;
    -) I actually do have 2 questions for you if it’s
    okay. Is it simply me or does it look as if like a few of these comments appear like
    coming from brain dead people? :-P And, if you are posting at additional online
    social sites, I’d like to keep up with you. Would you list all of all your community sites like your
    Facebook page, twitter feed, or linkedin profile?

  2. I enjoy what you guys tend to be up too. This
    kind of clever work and reporting! Keep up the awesome works guys I’ve included you guys to our
    blogroll.

  3. It is much much better to be educated about these conditions
    than to be ignorant of them. The outer levels of the skin turn out to be infected, ensuing in burning,
    itchy rashes. You must comprehend the severity of
    these illnesses.

Add Comment

Your email address will not be published. Required fields are marked *