Thursday, August 27, 2009

Auto SQL injection co-opts thousands of sites

An automated attack using SQL injection has compromised tens of thousands of Web pages with code that tries to upload a data-stealing Trojan horse program to visitors' computers, security firm ScanSafe said last week.

The attack, which had inserted iframe scripts into as many as 130,000 Web pages as of Tuesday, uses the compromised pages to attempt to infect visitors with a backdoor Trojan horse that includes keylogging and download functionality, Mary Landesman, senior security researcher for ScanSafe, said in an e-mail interview on Tuesday. The initial Web site compromises appear to have been accomplished through an automated database injection attack, which matches a trend seen by Landesman and others.

"SQL injection attacks are the most commonly observed compromise vector," Landesman stated. "Web attacks have been growing at the rate of 1 percent per day over the past year, with over half of all observed attacks the result of SQL injection."

Web attacks using SQL injection have become far more common in recent years. Last week, a federal indictment of an alleged data thief stated that all five corporate victims -- including Heartland Payment Systems and Hannaford Bros. -- had initially been compromised through an SQL injection attack. In 2008, about 20 percent of the 5,600 vulnerabilities entered into the National Vulnerability Database were related to SQL injection, according to the service's statistics page.

In the latest spate of attacks, the Trojan horse programs downloaded to compromised computers are poorly recognized by most security software, Landesman said.

"Signature detection ranges, with a high of roughly 50 percent of signature vendors detecting some of the malware and a low of less than 10 percent," she said. "The attackers are continually swapping domains, using multiple exploits, and swapping out the eventual malware binaries to ensure low detection rates from signature-based technologies."

This article is from SecurityFocus.com.