Slashdot Mirror


New SQL Injection Attack Fuses Malware, Phishing

PainMeds tips a recent post in Secure Computing's research blog describing a new SQL injection attack that had infected thousands of MSSQL-based web servers by last weekend, turning them into malware delivery systems. The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site. Sites using Sybase might possibly be vulnerable, as it uses the same exploited syntax that MSSQL does. The post includes an example of the attack. Unlike most malware attacks, this one appears to originate from the site the user is actually visiting. From the blog: "Similar to phishing, this attack takes advantage of the website visitor's trust in the site they are visiting. Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site... These web pages are associated with Web sites from around the world and supplying various content — including government sites, sales sites, real estate sites, and financial information sites among others."
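
As an added defender-side check (not code from the article or from Secure Computing's post), the T-SQL below scans every character column in the current MSSQL database for stored content that already carries a `<script` tag, which is the symptom the summary describes. It assumes MSSQL 2005 or later (nvarchar(max), sp_executesql) and a login with read access to every base table; no schema-specific table or column names are assumed, since they are discovered at run time.

```sql
-- Added example, not from the article: enumerate all text-like columns in
-- base tables and count rows whose value contains "<script". Read-only.
SET NOCOUNT ON;

DECLARE @schema sysname, @table sysname, @column sysname;
DECLARE @sql nvarchar(max), @n int;
DECLARE @hits TABLE (schema_nm sysname, table_nm sysname, column_nm sysname, hit_count int);

DECLARE col_cursor CURSOR FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS AS c
    JOIN INFORMATION_SCHEMA.TABLES AS t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'nchar', 'varchar', 'nvarchar', 'text', 'ntext');

OPEN col_cursor;
FETCH NEXT FROM col_cursor INTO @schema, @table, @column;

WHILE @@FETCH_STATUS = 0
BEGIN
    -- QUOTENAME guards the dynamic identifiers; CAST to nvarchar(max) keeps
    -- the PATINDEX comparison uniform across char/text/ntext columns.
    SET @sql = N'SELECT @n = COUNT(*) FROM ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' WHERE PATINDEX(N''%<script%'', CAST(' + QUOTENAME(@column)
             + N' AS nvarchar(max))) > 0;';
    EXEC sp_executesql @sql, N'@n int OUTPUT', @n = @n OUTPUT;

    IF @n > 0
        INSERT INTO @hits VALUES (@schema, @table, @column, @n);

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column;
END

CLOSE col_cursor;
DEALLOCATE col_cursor;

-- Columns with the most affected rows first; each is a candidate for
-- cleanup and for reviewing the application code that writes to it.
SELECT schema_nm, table_nm, column_nm, hit_count
FROM @hits
ORDER BY hit_count DESC;
```

A hit list only shows where injected markup is stored; the parameterised queries and input validation that stop the injection itself still have to be fixed in the web application.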

12 of 202 comments

  1. malware + phishing = by Anonymous Coward · · Score: 4, Funny

    malware + phishing = phalware?

    1. Re:malware + phishing = by FooAtWFU · · Score: 2, Funny

      Phailware. You get it from web sites who phail at security?

      --
      The World Wide Web is dying. Soon, we shall have only the Internet.
    2. Re:malware + phishing = by Opportunist · · Score: 2, Funny

      Well, there are worse composite buzzwords...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. Re:Not really new by Anonymous Coward · · Score: 1, Funny

    No I didn't see this coming you insensitive clod.. I'm blind.

  3. Re:DELETE FROM USER* by ianare · · Score: 2, Funny

    sure, send piped UNIX commands to a javascript living in a MSSQL server ...

  4. $conn_id = mysql_connect("microsoft.com") by Aardpig · · Score: 2, Funny

    UPDATE management SET perf_review='Epic Fail' WHERE jobtitle='MSSQL Engineer';

    --
    Tubal-Cain smokes the white owl.
  5. Re:Attempts made on our systems... by corsec67 · · Score: 3, Funny

    Also, for what its worth, all of the IPs (100s of them used in the course of 3 days) trace back to ISPs based in Beijing. Hmmm...

    The Olympics are trying to hack your webserver?

    I wasn't aware that Server CTF was an Olympic sport.

    --
    If I have nothing to hide, don't search me
  6. Web Security Consultant / Database Expert Needed by Anonymous Coward · · Score: 1, Funny

    I saw a post in the "best of" section of craigslist from early July that described the same attack from the article. The victim included some great documentation of the attack: http://www.craigslist.org/about/best/bos/742662737.html

  7. Comment removed by account_deleted · · Score: 2, Funny

    Comment removed based on user account deletion

  8. Re:Attempts made on our systems... by isomeme · · Score: 2, Funny

    In Communist China, the Olympics hacks you!

    --
    When all you have is a hammer, everything looks like a skull.
  9. Re:DELETE FROM USER* by Nefarious+Wheel · · Score: 2, Funny

    Poor little Bobby Tables, copping it on the chin again http://xkcd.com/327/

    --
    Do not mock my vision of impractical footwear
  10. Re:DELETE FROM USER* by dotgain · · Score: 4, Funny

    Well, it's more scalable then, innit?

    Let's see who's laughing when the Political Correctness brigade catch up with the Gregorian Calendar and hold it to task for picking on poor, old February.