SQL injection attacks are evolving as one of the primary modes of transportation for malicious scripts that hackers insert into legitimate Web sites. According to recent events, this method is becoming very popular amongst the hacker elite, especially taking into consideration the number of sites they are able to exploit almost overnight.
Some of these victim sites include the United Nations and the US Department of Homeland Security (DHS. Typically they will use the Web site as a vehicle for distributing Trojans through encoded Java script that a SQL injection inserted into the Web site.
The scary part is that the average rate of infection amongst "protected" etworks is anywhere from 70 to 75 per cent according to research conducted by PandaLabs on over 1200 networks across the globe.
This study was conducted with www.infectedornot.com and www.malwareradar.com during a two month time-span as part of an ongoing study into criminal prevalence on the Internet. These statistics were derived from PCs that had up-to-date anti-virus, but were still being infected with malware known by the industry.
It's estimated that 93 per cent of the breaches documented consist of the target being an online repository containing information of value. Furthermore, it explains that around 83 per cent of information targeted pertained to cardholder data. Thus, it's not surprising to see this type of data being targeted more often.
What mystifies researchers is how criminals are gaining access to web sites without administrative privileges or exploiting specific server-side vulnerabilities. Hackers have discovered a generic SQL string capable of inserting malicious scripts in hundreds of thousands of sites in a short period of time, and in some cases in a matter of hours. Hackers use this string to embed Java script code generically into hundreds of thousands of web sites. The key is to find a string generic enough, but effective 80% to 90% of the time in taking advantage of Web coding vulnerabilities.
Web sites that fall victim to these attacks are sites that you normally wouldn't expect to host malicious scripts such as www.flowers.com, www.dhs.gov or www.un.org. These highly populated sites allow hackers to victimize as many visitors as possible, thus, if profit is the true motivation is a perfect breeding ground for criminal activity.
The encoded Java script embedded in the victim web pages consists of a delivery mechanism to infect visitors with Trojans. However, the malware itself is not embedded, but rather hosted elsewhere and in some cases will use server-side polymorphism to randomly change binaries dynamically.
For the malware to be properly executed in a different context on the visitor's PC the script contains instructions to determine if the PC can be exploited by running a check against a number of common vulnerabilities. In addition, some of these attacks take advantage of zero-day vulnerabilities to spread malware to unsuspecting users as was the case with the recent Adobe Flash exposure.
The Java script code being used to exploit the vulnerability uses obfuscation and encoding techniques making it very difficult to analyze (e.g. using hexadecimal encoding to hide actual Java code 65%3D%22%6A%61%76%). Thus, the true intention behind the script (exploitation of vulnerabilities) cannot be seen by simply viewing the .JS file. It takes clever decoding to reveal the presence of actual exploit code and subsequently creating a defense mechanism against it.
Join the CIO Australia group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.