Mass SQL Injections Spike Again

Security researchers have reported spikes in mass SQL injection attacks of late that take advantage of very common vulnerabilities in the way that Web applications interact with back-end databases. Particularly targeting ASP, ASP.Net, and MS-SQL sites, these mass SQL injection campaigns have been linked to black hat efforts to redirect victims to browser exploit kits like Blackhole or Phoenix.

"There's been a growing increase on the mass SQL injections side mainly because there is business to be had and money to be made in that area," says Gunter Ollmann, vice president of research for Damballa. "There are a growing number of professional hackers and crime groups that specialize in quick and rapid identification of websites that are vulnerable to SQL injection, and they monetize that by injecting malicious code normally as part of the pay-per-install or the iFrame injection-type business."

Unlike traditional SQL injections, which are generally manual attacks seeking to extract data from commerce sites, mass SQL injection attacks are automated, quick-and-dirty attacks that drop malicious code onto the website.

"Really what this is is a cross-site scripting attack," says Ryan Barnett, senior security researcher for Trustwave SpiderLabs, "just using SQL injection on the front end to inject in JavaScript code that results in sending regular users to a Web page that's dynamically created based on different database components, pulling in malicious JavaScript into the browser that redirects to a malware site."

[ Hackers automate their SQL injection attacks through easy-to-use tools. See how they do it: 10 SQL Injection Tools For Database Pwnage. ]

The mass SQL injection model has been prevalent since 2008, with a considerable uptick last spring during the LizaMoon attacks. According to the recent Zscaler ThreatLabz Q1 State of the Web Report, researchers with ThreatLabz noted a spike in LizaMoon activity back in March.

"A year later, we are still seeing this campaign under way, with various peaks and valleys as the attack adapts over time. We noticed that activity picked back up again in March 2012," the report says.

According to Barnett, the attacks in recent months have a similar M.O., with a slight tweak in the SQL used to conduct the attack.

"They're not doing exactly the same kind of script that they did before," Barnett says. "They are picking different category names, which is often used for these databases, such as the category title, content title, and home page title. So they're targeting title HTML tags when you're dynamically creating those sites. It is kind of sneaky, but they're prepending a closing title HTML tag, so when it gets into the browser, it will cleanly close the title content that was already there and inject in behind to execute that JavaScript."

In April, researchers with F-Secure and Sucuri Security, among others, had brought attention to these attacks, which at that time redirected to the Nikjju.com domain. According to Barnett, malicious activity continues on the back of already injected code, but the domains end users are redirected to remain in flux.

"The infrastructure of what we're highlighting here is in place, the bad guys are using it -- the difference is that all those domains they're sending them to, those are transient and change almost daily," he says. "As we put in IP reputation, domain black listing, and all of those things, then people can't get to those sites, so they have to constantly keep moving. But the infrastructure of exploiting the website and injecting this code, they just keep reusing that until people upgrade their systems."

That brings us to the mitigation efforts for these attacks.

"One is, first and foremost, they have to stay on top of patching processes. That means knowing what applications you're running on your servers," Ollmann says. "And secondly, you need to ensure that your custom applications are designed in a way that even if there is a vulnerability in these back-end systems, that the content is still sanitized and is not projected to visitors of the website."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.