Mass SQL Attack a Wake-Up Call for Developers
Apr 28, 2008 2:03 PM PT
A mass SQL injection attack has infected hundreds of thousands -- as many as 500,000, according to some accounts -- of normally trusted Web sites, including those of the United Nations and several governments. The attack, which mimics another recent malware episode, was launched with the apparent goal of stealing visitors' user information.
While there is nothing new about that, there are some differences in this attack that are worrying the Internet security community.
For starters, while SQL injection itself has been around for a while, mass SQL injection against flaws in customized Web applications is new.
"As far as I know, there has never been a mass hack on a customized Web application flaw," WhiteHat Security CTO Jeremiah Grossman told TechNewsWorld.
"Typically, SQL injections are a Web site by Web site process, which means the damage can be relatively limited -- especially if the Web sites discover relatively soon they have been infected," he explained. "By injecting many Web sites at once, the attackers were able to infect a huge number of sites -- and by extension, a huge number of site visitors -- in the same window of time.
"Whoever did this is very good at what they do," Grossman said.
No Particular Flaw
The attacks "are a very sophisticated form of SQL injection," Qualys CTO Wolfgang Kandek told TechNewsWorld. "Normally, SQL injection is targeted to one table. With this attack, they used a generic mechanism of the underlying database to make it work on a much broader set of applications."
The attacks have targeted sites running IIS and ASP that have an MS-SQL database. However, they are not exploiting a particular flaw in these applications -- the exploit could have been written to target any database -- Oracle or WebSphere, for example.
Rather, the code exploits what security researchers are bemoaning as an elementary lapse in Web security on the part of developers installing the databases.
The Blame Game
"If we are going to play the blame game, the onus should fall on developers," Slavik Markovich, CTO of Sentrigo, told TechNewsWorld. "This has nothing to do with Microsoft SQL -- the hackers just chose to target it. What the attack does is take advantage of a badly developed site that allows the exploit to enter parts of SQL statements. It then injects a malicious code to every text field in the database. It is a very sophisticated exploit."
Specifically, the mass attack is using the "Table_Cursor" function to generically loop through all table names and then add malicious code to all data, explained Ryan Barnett, who is director of application security for Breach Security, as well as a SANS Institute faculty member and an officer for the Web Application Security Consortium.
"This is clever," Barnett told TechNewsWorld, "as without this technique, the attackers would need to conduct some reconnaissance to determine the exact table structure and enumerate the proper location for their injection. With this approach, there is no need for reconnaissance, as they will just append their malicious code to everything."
The script or tool behind the attack uses Google to search for sites that include a file type and parameter that appear to be susceptible to SQL injection, and then uses the list returned by Google to mount its attack, said Jacob West, manager of Fortify Software's security research group.
There are few clues pointing to the origins of the attack. It appears to be from the same group that launched a similar attack in March -- in which tens of thousands of well-known Web sites were infected with malicious links -- noted Websense, one of the security firms that identified the first wave of infections.
The group may be connected to the Dolphin Stadium Super Bowl compromise of 2007, Websense suggested.
Whoever is behind the attacks, there is no doubt more will be mounted -- either by the original attackers or by someone who has deconstructed their methods, Markovich added.
Oracle and other database vendors will be targeted in the next round, he predicted.
Or not. It's more likely that Microsoft will stay in the spotlight, suggested Rohyt Belani, managing partner with Intrepidus Group.
"The underlying database servers are often misconfigured to have an extended stored procedure xp_cmdshell enabled," Belani told TechNewsWorld. "This setting allows an attacker to execute commands at the operating system level post compromise via SQL injection. This level of access is hard to come by in other database servers like Oracle."
The important point is that thwarting SQL injection is the responsibility of application developers, not Microsoft, he emphasized.
Indeed, the attacks have raised the volume of a never-ending discussion about the need for both end users and developers to remain vigilant against malware.
A Larger Problem
"Basically, it comes down to the fact that Web security is not easy," Paula Greve, director of Web security research at Secure Computing, told TechNewsWorld.
"As Web developers are trying to make their Web sites more and more interactive, and [are] servicing more and more business needs, they are taking shortcuts -- not following the best practices," she said.
"Anyone can throw a form up on a Web site -- but we all know what can happen with that. It takes time and priorities to put the form up such that all security best practices are followed," Greve observed.
"Although this wave of attacks targets an application vulnerability that is the result of poor programming, it is indicative of [a] larger problem. We in the software engineering and security fields need to provide developers with APIs (application programming interfaces) that make getting security right easier -- and better tools and processes to ensure that the software they build with these APIs is secure," said Fortify's West.
"SQL injection is a straightforward problem to identify and avoid when compared with other code-level vulnerabilities," he added, "but these attacks demonstrate that some organizations building Web applications today are still woefully behind the bad guys."
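The "badly developed site that allows the exploit to enter parts of SQL statements" that Markovich describes, and the straightforward fix West refers to, come down to one coding decision: whether untrusted input is spliced into the statement text or handed to the driver as a parameter. The following is an added example, not code from the article or from any of the firms quoted; it uses Python's standard sqlite3 module as a stand-in for the ASP/MS-SQL stack the attacks targeted, with a constructed products table. The vulnerable lookup shows how a single quote in ordinary input (a name containing an apostrophe) already changes the query's structure, and how a tautology in the same position returns every row; the parameterized lookup treats both as plain values.

```python
import sqlite3

# Constructed sample rows for the demonstration (not data from the article).
SAMPLE_PRODUCTS = [
    ("Widget", "A basic widget"),
    ("O'Brien Gadget", "Apostrophe in the name"),
    ("Sprocket", "Internal use only"),
]


def make_db():
    """Build an in-memory table standing in for a site's product catalog."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr TEXT)"
    )
    # executemany with placeholders is itself the safe pattern shown below.
    conn.executemany("INSERT INTO products (name, descr) VALUES (?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, name):
    """The flaw the article describes: request input becomes part of the SQL text.

    Anything the user types is parsed by the database as SQL, so a quote
    character in the input ends the literal and the rest is read as syntax.
    """
    sql = "SELECT name, descr FROM products WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Hardened form: the statement is fixed, the value travels separately.

    The driver never concatenates the value into the SQL text, so quotes or
    keywords in the input cannot alter the statement's structure.
    """
    sql = "SELECT name, descr FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against the same inputs and collect the outcomes."""
    conn = make_db()
    results = {}

    # Ordinary input with an apostrophe: the safe version works, the
    # concatenating version hands the database a broken statement.
    results["parameterized_exact"] = lookup_parameterized(conn, "Widget")
    results["parameterized_apostrophe"] = lookup_parameterized(conn, "O'Brien Gadget")
    try:
        lookup_vulnerable(conn, "O'Brien Gadget")
        results["vulnerable_apostrophe"] = "ok"
    except sqlite3.OperationalError as exc:
        results["vulnerable_apostrophe"] = "syntax error: " + str(exc)

    # The textbook tautology: in the concatenated query it widens the WHERE
    # clause to every row; as a parameter it is just a name nobody has.
    tautology = "x' OR '1'='1"
    results["vulnerable_tautology_rows"] = len(lookup_vulnerable(conn, tautology))
    results["parameterized_tautology_rows"] = len(lookup_parameterized(conn, tautology))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The apostrophe case is worth keeping in any regression suite: a query that cannot handle legitimate punctuation in a name is the same query that cannot be trusted with hostile input, and it fails in testing long before anyone attacks it.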
Additional investment in security software and hardware may also be necessary.
"The attack works because most organizations have not yet implemented real-time database activity monitoring (DAM) technology for immediately detecting and blocking anomalous database activity," Phil Neray, vice president of marketing at Guardium, told TechNewsWorld.
Poorly written Web applications that don't implement best practices for validating user input before sending it to the database are also culprits, he said.
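Because the attack appended its payload to every text field rather than to one known column (as Barnett and Markovich describe above), an affected site cannot verify a clean-up by inspecting a single table. The defender's counterpart to that generic loop is a scan that enumerates every text column in the schema and reports rows containing injected markup. The following is an added example, not code from the article or from any of the vendors quoted; it uses SQLite's catalog tables (sqlite_master and PRAGMA table_info) as a stand-in for a production database's metadata, and a constructed schema in which one row of one table carries a script tag pointing at a placeholder host.

```python
import sqlite3

# Markers of injected HTML to look for in stored text. Constructed list.
DEFAULT_MARKERS = ("<script", "<iframe")

# sqlite3 declared types that carry TEXT affinity (per SQLite's affinity rules).
TEXT_TYPE_HINTS = ("CHAR", "CLOB", "TEXT")


def quote_ident(name):
    """Quote a table or column name so it is used as an identifier, never as SQL."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every user table column with text affinity."""
    tables = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' "
        "AND name NOT LIKE 'sqlite_%'"
    ).fetchall()
    for (table,) in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _cid, col, decl_type, *_rest in conn.execute(
            "PRAGMA table_info(" + quote_ident(table) + ")"
        ):
            if any(hint in (decl_type or "").upper() for hint in TEXT_TYPE_HINTS):
                yield table, col


def find_injected_markup(conn, markers=DEFAULT_MARKERS):
    """Return (table, column, rowid, value) for every text cell containing a marker.

    Identifiers are quoted; the marker itself is passed as a bound parameter,
    so the scanner does not repeat the concatenation mistake it is auditing.
    """
    hits = []
    for table, col in text_columns(conn):
        for marker in markers:
            rows = conn.execute(
                "SELECT rowid, " + quote_ident(col) + " FROM " + quote_ident(table)
                + " WHERE " + quote_ident(col) + " LIKE ?",
                ("%" + marker + "%",),
            ).fetchall()
            hits.extend((table, col, rowid, value) for rowid, value in rows)
    return hits


def make_sample_db():
    """Constructed schema: two tables, one row tampered with (placeholder host)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, descr VARCHAR(200), price REAL);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT);
        INSERT INTO products (name, descr, price) VALUES ('Widget', 'A basic widget', 9.5);
        INSERT INTO comments (author, body) VALUES ('alice', 'Works as advertised.');
        INSERT INTO comments (author, body) VALUES
          ('bob', 'Nice.<script src="http://injected.example.invalid/x.js"></script>');
        """
    )
    return conn


def demo():
    """Scan the constructed database and summarize what was found."""
    conn = make_sample_db()
    hits = find_injected_markup(conn)
    return {
        "columns_scanned": sorted(text_columns(conn)),
        "hits": [(t, c, rid) for t, c, rid, _value in hits],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

On MS-SQL the same enumeration comes from INFORMATION_SCHEMA.COLUMNS filtered on character types; the structure of the scan is unchanged. A count of affected rows per table taken before and after restoring from backup is a simple, repeatable way to confirm the clean-up reached every column the attack did, and the same scan run on a schedule is a basic form of the database monitoring Neray describes.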