In the past, malicious web sites seemed relegated to the “bad neighborhoods” of the Internet. If you weren’t surfing piracy, pornography, or hacking sites, you probably wouldn’t have randomly encountered websites serving malicious code back then. Unfortunately, that has changed.
Over the years, legitimate web sites have increasingly been hijacked and booby-trapped with malicious code. If you visit such a site with an unpatched system, your computer may automatically and silently download and install some nasty malware. Lately, attackers have often hijacked thousands of web sites at once. What’s to blame for these mass web hijacks? More often than not, automated SQL Injection (SQLi).
According to researchers at SANS, an automated SQL injection (SQLi) attack dubbed Lilupophilupop has infected over one million websites (the strange name is based on a malicious domain the attack references). This latest bout of automated SQLi attacks targets Microsoft web frameworks (IIS servers using ASP.NET, with an MSSQL backend), and first surfaced in early December. Back then, the attack had only affected a handful of sites. However, SANS’ latest research shows that it has spread to just over a million web sites today.
If you’d like to know more about this attack, you can find details about it, including the malicious SQL string it uses, in SANS’ early December post. That post also shares tips to help IIS administrators and web developers identify vulnerable pages on their site. It’s well worth a read.
In general, the best way to protect yourself from these sorts of web application attacks (whether automated or not) is to have your developers learn how to follow secure coding practices for web applications. The Open Web Application Security Project (OWASP) is a fantastic resource for web developers to learn these practices. That said, sometimes the web frameworks you rely on will have their own vulnerabilities, which you can’t avoid (until you can patch). That’s why having a security appliance that can do application-layer security inspection, and has strong IPS, doesn’t hurt either.
As an aside, SQLi is a class of attack that many IT professionals have heard of conceptually, but some may not really get technically. Below, I’ve posted a demo video I created for one of my security presentations. It illustrates a very simple, manual SQLi attack. I use this simple SQLi example to help illustrate the concept behind them. You should check it out if you want a better idea of how they can work. Do know, however, that today’s modern websites don’t suffer from such obvious examples of SQLi vulnerability as the one I demonstrate in this video. Modern websites still often suffer from SQLi flaws; they are just found in more complex places within today’s web applications. — Corey Nachreiner, CISSP (@SecAdept)