Mass SQL injection attack hits Chinese Web sites
The attack has implanted malware on thousands of Web sites
IDG News Service - Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.
First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP addresses, said Wayne Huang, CEO of Armorize Technologies Inc. in Taipei.
"The attack is ongoing," Huang said. "Even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim Web sites."
In a SQL injection attack, an attacker attempts to exploit vulnerabilities in custom Web applications by entering SQL code in an entry field, such as a log-in. If successful, such an attack can give the attacker access to data on the database used by the application and the ability to run malicious code on the Web site.
A screenshot of a Web site belonging to the Mackay Memorial Hospital in Hsinchu, Taiwan, showed that the rendering of the site had been affected and displayed the SQL string injected by the attack, Huang said.
Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware on Friday. Most of the affected servers are in China, while some are located in Taiwan, Huang said. The attackers appear to be using automated queries to Google Inc.'s search engine to identify Web sites vulnerable to the attack, he said.
Among the sites hit by the attack on Friday were SouFun.com, a real estate Web site, and Mycar168.com, a site for automobile enthusiasts.
Mass SQL injection attacks have increasingly become a security threat. In January, tens of thousands of PCs were infected by an automated SQL injection attack. That attack exploited a vulnerability in Microsoft Corp.'s SQL Server.
The attackers in the more recent outbreak aren't targeting a specific vulnerability. Instead, they are using an automated SQL injection attack engine that is tailored to attack Web sites using SQL Server, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said, calling the attack "very well designed."
The malware injected by the attack comes from 1,000 different servers and targets 10 vulnerabilities in Internet Explorer and related plug-ins that are popular in Asia, Huang said.
The vulnerabilities are MS06-014 (CVE-2006-0003), MS07-017 (CVE-2007-1765), RealPlayer IERPCtl.IERPCtl.1 (CVE-2007-5601), GLCHAT.GLChatCtrl.1 (CVE-2007-5722), MPS.StormPlayer.1 (CVE-2007-4816), QvodInsert.QvodCtrl.1, DPClient.Vod (CVE-2007-6144), BaiduBar.Tool.1 (CVE-2007-4105), VML Exploit (CVE-2006-4868) and PPStream (CVE-2007-4748).
- Radicati: Cloud Business Email - Market Quadrant 2013 Google was named the top cloud business email provider in a recent report by research firm Radicati. Out of 14 key players, Google...
- Tablets in the Enterprise: A Checklist for Successful Deployment How can you enterprise manage and secure tablets in order to protect corporate data while providing access to the information and applications employees...
- Enterprise Mobility: A Checklist for Secure Containerization The advantages and disadvantages of the multiple approaches to containerization. Learn More>>
- Enterprise File Sync & Share Checklist File sync and share has changed the way people work and collaborate in today's tech-savvy world. Gone are the email roadblocks, clunky FTP...
- Live Webcast LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- LIVE EVENT: 5/7, The End of Data Protection As We Know It. Introducing a Next Generation Data Protection Architecture. Traditional backup is going away, but where does this leave end-users?
- On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy... All Security White Papers | Webcasts