We read and re-read the news: a massive Web attack, performed via SQL Injection which inserts hidden iframes which in turn refer to compromised sites which eventually download malware.
It happened back in January, then in March, once again in April and already twice in May. The most recent one uses zombies which search for vulnerabilities in sites using Microsoft ASP. No surprising news here. As we approach mid-2008 I can definitely say that this has been one of the biggest attack trends of the year. I know you've heard all the technical details as posted in other reports and blogs. And I already posted an entry regarding this attack so I won't repeat it here. But what comes to my mind regarding these attacks is the frequency and magnitude of Website infections. What is the method of mass transportation of these injections? Surely these hack-operations must have been automated. I believe this is where Google Hacking comes in, Google at the hackers' service. Supporting this claim is the fact that the number of infected applications is huge while the network footprint of the attack is negligible.
We have already classified these attacks as SQL Injection, but I'd like to reconsider. As I see it, this trend is actually a hybrid-attack, Google acting as the conduit of these hacks, where a simple search can provide millions of results of vulnerable sites within a fraction of a second. The most recent webinar at Imperva on Google Hacking presents this combo-attack explaining how viruses are easily spread via Google and how to avoid being infected. [The link is to our webinar series... the recording will be up shortly.]
It's this fusion of Google Hacking with SQL Injection which is making these attacks effective and creating the news headlines.

The Times Online published an article, somewhat related, demonstrating that once a name gets into the search engine, removing all traces from the internet is next to impossible.
The bottom line:
As for being unGoogleable, forget about it. The majority of us all will show up on Google (or worse, a wanton namesake will) at some point in our lives. If you don’t like the look of it, then fill your life with good online deeds and hope they float to the top of the rankings.
Source: http://technology.timesonline.co.uk/tol/news/tech_and_web/the_web/article4022374.ece