April 30, 2008

Attacking Around the Globe Around the Clock

There's been a lot of security talk recently regarding the latest massive attack, in which hundreds of thousands of URLs have been hacked. Add to this that many of the infected sites belong to some big-name organizations, such as the UN, the Department of Homeland Security and the UK Civil Service, to mention just a few, and you've got the whole world talking about this!

This attack exploits an SQL injection vulnerability to inject HTML code into pages; the injected code creates an IFRAME which downloads a malicious payload into the victim's browser. The Hacker Webzine gave quite a thorough analysis of this type of attack [traceback]. To summarize, the attacker uses hexadecimal notation to represent the character strings that contain the commands to be executed on the DB server. Unfortunately, traditional signatures against SQL Injection will not catch an attack vector using this evasion technique, as mentioned in a past whitepaper of mine.

This current massive SQL Injection attack reminded me of the other immense SQL Injection attack which took place at the beginning of March. In that attack, hackers injected IFRAME tags into websites' search results, which eventually got indexed by Google. That attack in turn reminded me of another similar widespread attack in January, which redirected users of the vulnerable sites to a different domain. In all these cases, huge numbers of websites were infected by script injection using a single, non-customized attack code. There must have been some kind of automation for so many sites to have been compromised within such a short time period. My guess is that the attacker used a botnet and Google searches to launch the attack, two techniques that, combined, result in a tremendously fast and efficient distribution of malware.

Search engines used as a platform for malware distribution is not a new concept: "The Search of Death", as described by the Imperva ADC, warned of a mega-worm crawling its way to vulnerable websites using search engines, and we have seen the proliferation of the famous Santy worm, which defaces websites by exploiting a certain PHP vulnerability and finds the vulnerable machines just by searching Google.
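A defender-side check for the evasion described above, added here as an example (it is not the post's or Imperva's code): it expands 0x... literals found in a request parameter and shows that the keywords a plain-text SQL injection signature would look for only become visible after decoding. The sample parameter and the example.invalid domain are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# A hex literal as the database engine would accept it: 0x followed by hex digits.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")
# Keywords a plain-text SQL injection signature typically keys on.
SQL_MARKERS = re.compile(r"\b(DECLARE|EXEC|EXECUTE|CAST|UPDATE|INSERT|UNION|SELECT)\b", re.I)
# Markup the post describes the injected statement writing into page content.
HTML_MARKERS = re.compile(r"<\s*(iframe|script)\b", re.I)

def decode_hex_literals(text: str) -> str:
    """Replace every 0x... literal with the characters it encodes.

    latin-1 maps each byte to one character, so decoding never fails; NUL
    bytes are dropped so UTF-16LE (NVARCHAR) payloads read as plain ASCII.
    Odd-length literals are not whole bytes and are left as they are.
    """
    def expand(m: re.Match) -> str:
        digits = m.group(1)
        if len(digits) % 2:
            return m.group(0)
        return bytes.fromhex(digits).decode("latin-1").replace("\x00", "")
    return HEX_LITERAL.sub(expand, text)

def findings(text: str) -> set:
    """Marker names present in text: SQL keywords upper-cased, tags as '<name'."""
    found = {m.group(1).upper() for m in SQL_MARKERS.finditer(text)}
    found |= {"<" + m.group(1).lower() for m in HTML_MARKERS.finditer(text)}
    return found

def inspect_param(raw_value: str) -> dict:
    """Scan one URL-encoded parameter value before and after hex expansion."""
    plain = unquote_plus(raw_value)
    expanded = decode_hex_literals(plain)
    return {"plain": findings(plain),        # what a raw-request signature sees
            "expanded": findings(expanded),  # what it sees once literals are decoded
            "expanded_text": expanded}

# Constructed sample in the shape the post describes: the statement that appends
# an IFRAME travels only as a hex literal, so the raw value never spells out
# UPDATE or <iframe>. The domain is a placeholder, not a real indicator.
HIDDEN = "UPDATE pages SET body=body+'<iframe src=http://example.invalid/ width=0></iframe>'"
SAMPLE_PARAM = "1;EXEC(0x" + HIDDEN.encode().hex() + ")--"

if __name__ == "__main__":
    result = inspect_param(SAMPLE_PARAM)
    print("raw request markers: ", sorted(result["plain"]))
    print("after hex expansion: ", sorted(result["expanded"]))
```

Normalizing parameters this way before matching is what lets a signature that looks for UPDATE or IFRAME keep working; matching only the raw request text leaves the hex-encoded body opaque.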

It would be interesting to see the details of these attacks unravel. Unfortunately, I do not believe that these massive attacks will fade out in the short run. On the contrary, I believe that the use of SQL Injection as a method of site defacement and malware distribution will continue to be one of the most talked-about security challenges we face this year.
