Slashdot Mirror

← Back to Stories (view on slashdot.org)

New SQL Injection Attack Fuses Malware, Phishing

Posted by kdawson on from the trust-me-just-click-on-it-ok dept.

PainMeds tips a recent post in Secure Computing's research blog describing a new SQL injection attack that had infected thousands of MSSQL-based web servers by last weekend, turning them into malware delivery systems. The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site. Sites using Sybase might possibly be vulnerable, as it uses the same exploited syntax that MSSQL does. The post includes an example of the attack. Unlike most malware attacks, this one appears to originate from the site the user is actually visiting. From the blog: "'Similar to phishing, this attack takes advantage of the website visitor's trust in the site they are visiting. Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site... These web pages are associated with Web sites from around the world and supplying various content — including government sites, sales sites, real estate sites, and financial information sites among others."

3 of 202 comments (clear)

  1. We got hit a few weeks back by G33kDragon · · Score: 5, Interesting

    We were added to the attack list a few weeks back, and one of our largest, most popular websites was hit. Apparently, the developers had never thought to sanitize their data, and we had multiple vulnerabilities throughout the site.

    I implemented a transparent reverse proxy server running Apache with mod_security that helped prevent further attacks from getting through, but the developers finally saw the error of their ways and converted hundreds of inline SQL calls into stored procedures.

    Since we were added to "the list", I've been seeing the same attack happen across multiple pages every 20 seconds, so they are definitely not letting up anytime soon.

  2. Re:Not really new by warsql · · Score: 3, Interesting

    You sound like a very competent developer. Too bad you will never contract at the company I work for (and many others I know of) because the management can't be convinced that using fixed bid doesn't limit liability. They continue to bid out work - fixed bid only - pay for that project, get a pile of garbage delivered, then pay more to get it fixed. I've given up that fight a while ago.

    --
    878659 - yep its prime.
  3. Re:Not really new by Anonymous Coward · · Score: 3, Interesting

    As a contractor myself, here's how that scenario sometimes goes:

    * Client requests bid for web project
    * I produce bid for web project, allowing for secure practices
    * Client thinks bid is "high", requests task itemization
    * Upon further review, some involved employee of client asks "What would this part cost without all that secure coding stuff?"
    * Regardless of my answer, the client responds "We don't need that, redo the bid without it"
    * Attempting to "hide" the extra work in the itemization is dishonest, and the likely result is that someone else will get the work, or the client will decide not to do the work
    * I can turn down an otherwise good contract, or I can produce insecure web pages; nice choice, that

    Sometimes the best you can do is document the client's intent to cut corners.

    - T