Slashdot Mirror


New SQL Injection Attack Fuses Malware, Phishing

PainMeds tips a recent post in Secure Computing's research blog describing a new SQL injection attack that had infected thousands of MSSQL-based web servers by last weekend, turning them into malware delivery systems. The attack apparently rewrites the server's Web pages to include JavaScript which pushes malware to the visitor as if it were from the genuine site. Sites using Sybase might possibly be vulnerable, as it uses the same exploited syntax that MSSQL does. The post includes an example of the attack. Unlike most malware attacks, this one appears to originate from the site the user is actually visiting. From the blog: "Similar to phishing, this attack takes advantage of the website visitor's trust in the site they are visiting. Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site... These web pages are associated with Web sites from around the world and supplying various content — including government sites, sales sites, real estate sites, and financial information sites among others."

3 of 202 comments

  1. Comment removed by account_deleted · Score: 5, Insightful

    Comment removed based on user account deletion

  2. Re:$conn_id = mysql_connect("microsoft.com") by Anonymous Coward · Score: 5, Insightful

    You'd have to be an idiot programmer to have a site succumb to this... It's not even "microsoft specific".

    It would affect any site that takes request parameters and passes them straight through to the db engine (well, not specifically this syntax, but the concept behind the attack).

    To be fair to Microsoft (heresy here, I know) asp.net built-in validation throws an exception.

    In other words, not only would a programmer have to use raw request string data with the db, he would also have had to specifically disable the default page validation. In other words, an idiot.

    My website got hit with this type of attack last week, and the attempts were all rejected by the default validation. Even if the default validation had got past, all of the database queries use parameterized stored procedure calls which pretty much ignore this kind of crap anyway.

    Still, it's made me think more about security and additional parameter validation. Maybe the next attack will be a bit sneakier...
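The distinction this comment draws, raw request data pasted into SQL text versus a parameterized call, is easiest to see side by side. The following is an added example, not code from the thread or from the Secure Computing post: it builds a throwaway SQLite table (the table, product names and request value are constructed for the demonstration) and runs the same untrusted value through a concatenated query and a bound-parameter query. The tautology used here is the textbook illustration; the actual attack's payload is not reproduced.

```python
"""Concatenated vs. parameterized query, run against a constructed in-memory
table. Added example; SQLite stands in for MSSQL because the concept is the
same across engines, as the commenter notes."""
import sqlite3


def make_db():
    # Constructed sample data: two published products and one that should
    # never be visible to a public lookup.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, published INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, published) VALUES (?, ?)",
        [("widget", 1), ("gadget", 1), ("unreleased-gizmo", 0)],
    )
    conn.commit()
    return conn


def lookup_concat(conn, name):
    # VULNERABLE: the request value becomes part of the SQL text, so a quote
    # inside it ends the literal and the remainder is parsed as SQL.
    sql = "SELECT name FROM products WHERE published = 1 AND name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_param(conn, name):
    # HARDENED: the statement shape is fixed and the value is bound as data;
    # the engine never parses the value as SQL, whatever characters it holds.
    sql = "SELECT name FROM products WHERE published = 1 AND name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


# Constructed request value. When concatenated it turns the WHERE clause into
# (published = 1 AND name = 'x') OR 'a'='a', which is true for every row,
# including the unpublished one.
TAUTOLOGY = "x' OR 'a'='a"


def demo():
    conn = make_db()
    return {
        "concat_normal": lookup_concat(conn, "widget"),
        "param_normal": lookup_param(conn, "widget"),
        "concat_tautology": sorted(lookup_concat(conn, TAUTOLOGY)),
        "param_tautology": lookup_param(conn, TAUTOLOGY),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:18} -> {rows}")
```

The parameterized lookup returns nothing for the tautology because the database is asked for a product literally named `x' OR 'a'='a`; the concatenated lookup returns every row, unpublished ones included. Stored procedures called with bound parameters, as the commenter uses, give the same guarantee; a stored procedure that itself builds SQL from its arguments with string concatenation does not.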

  3. We got hit a few weeks back by G33kDragon · Score: 5, Interesting

    We were added to the attack list a few weeks back, and one of our largest, most popular websites was hit. Apparently, the developers had never thought to sanitize their data, and we had multiple vulnerabilities throughout the site.

    I implemented a transparent reverse proxy server running Apache with mod_security that helped prevent further attacks from getting through, but the developers finally saw the error of their ways and converted hundreds of inline SQL calls into stored procedures.

    Since we were added to "the list", I've been seeing the same attack happen across multiple pages every 20 seconds, so they are definitely not letting up anytime soon.
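A reverse proxy in front of a site, as described in this comment, buys time by screening request parameters before they reach the application; it is a stop-gap while the inline SQL is converted, not a replacement for that conversion. The following is an added example, not the commenter's configuration and not a mod_security rule set: a small Python screen of the kind a WAF rule applies, run over access-log lines constructed here. The patterns, IP addresses and paths are illustrative assumptions.

```python
"""Screen request parameters in constructed access-log lines for SQL-fragment
shapes. Added example; the patterns are deliberately narrow (a quote or
semicolon followed by a keyword, comment markers, DECLARE/EXEC/CAST calls) so
that ordinary words like "and" in a search box are not flagged on their own."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Assumed indicator patterns; a production rule set would be broader and tuned
# against the site's own traffic.
SUSPICIOUS = [
    re.compile(r"['\";]\s*(or|and|union|select|insert|update|delete|drop)\b", re.I),
    re.compile(r"--|/\*"),
    re.compile(r"\b(declare|exec|execute|cast)\s*[\(@]", re.I),
]

# Common Log Format prefix: client IP, ident, user, timestamp, request line, status.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def decoded_params(target):
    """Return (name, value) pairs from the query string, decoded twice so a
    value that was percent-encoded a second time is still inspected in clear."""
    query = urlsplit(target).query
    return [(k, unquote_plus(v)) for k, v in parse_qsl(query, keep_blank_values=True)]


def screen_request(target):
    """List the (parameter, pattern) pairs that match; empty means clean."""
    hits = []
    for key, value in decoded_params(target):
        for pat in SUSPICIOUS:
            if pat.search(value):
                hits.append((key, pat.pattern))
                break
    return hits


def screen_log(lines):
    """Return (ip, target, flagged parameter names) for each request that hits."""
    flagged = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        hits = screen_request(m.group("target"))
        if hits:
            flagged.append((m.group("ip"), m.group("target"), [k for k, _ in hits]))
    return flagged


# Constructed log lines: a normal lookup, a single-encoded tautology, a benign
# search containing the word "and", a POST with no query string, and a
# double-encoded batch separator followed by a keyword.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/May/2008:10:00:01 +0000] "GET /products.asp?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [01/May/2008:10:00:21 +0000] "GET /products.asp?id=42%27+OR+%271%27%3D%271 HTTP/1.1" 200 8192',
    '198.51.100.2 - - [01/May/2008:10:00:30 +0000] "GET /search.asp?q=black+and+white HTTP/1.1" 200 2048',
    '10.0.0.3 - - [01/May/2008:10:00:41 +0000] "POST /login.asp HTTP/1.1" 302 0',
    '198.51.100.7 - - [01/May/2008:10:01:01 +0000] "GET /item.asp?id=42%2527%253B%2520select%2520x HTTP/1.1" 500 0',
]


if __name__ == "__main__":
    for ip, target, params in screen_log(SAMPLE_LOG):
        print(f"{ip:14} {target}  flagged params: {params}")
```

Two things the sample is built to show: the `black and white` search is not flagged because the rule requires a quote or semicolon before the keyword, and the last line is only caught because the value is decoded a second time after `parse_qsl` has already decoded it once. A 500 status on a flagged request, as on that last line, is also the kind of pairing worth alerting on, since it suggests the fragment reached the database and failed there rather than being rejected at the edge.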