Massive website compromises using a technique known as SQL injection have long been a top security concern for Web developers and site owners. Now, the attacks may become harder to detect and prevent, according to one security firm's analysis.
Web security firm Armorize announced that it had detected a new type of mass SQL injection attack that uses a simple form of peer-to-peer networking to make the compromised network hard to take down. Historically, mass Web attacks have been simple: code written in the structured query language (SQL) is sent to the back-end Web database through a vulnerability in the site's code. When the security flaw is in a common application, the attack can compromise thousands of sites at the same time.
In the latest version of the attack, rather than injecting sites with a single static script that points visitor browsers to a handful of malicious download sites, the attackers create a dynamic script that sends visitors to a previously compromised Web server. The new technique makes blacklisting much harder, says Wayne Huang, president and chief technology officer of Armorize.
"We found that the infected websites form a big mesh -- everybody is injected with a malicious script that points to each other," says Huang. "Every infected Web site is serving as a redirector for one another. You can't blacklist anybody, because everyone is a redirector."
Blacklisting is already falling short. Armorize found that, of a sample of 700 sites that belonged to a compromised mesh network, only 20 percent of the sites had been blacklisted by Google for attempting to push malicious code to users. Another 10 percent of the sites had been compromised previously by a different attack and were blacklisted because of that rogue behavior, the company said in a blog post describing its findings.
The company found that more than 20,000 sites from Alexa's top 1 million had the malicious script, "sidename.js" running on the server.
The current attack does have a weakness, points out Neil Daswani, co-founder and CTO of web anti-malware company Dasient. Cleaning up the malicious code from the infected sites will stop the code from being downloaded. Yet, that will only be true for a short while, he says.
"It will only be a matter of time before attacks like Sidename take on an even more resilient, peer-to-peer structure where infected sites source in malicious code from multiple additional infected sites, so that an infected site will still serve drive-by-downloads even if one or more of the sites that code is being sourced in from are cleaned up," Daswani says.
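To make the mesh Huang describes and the multi-source variant Daswani anticipates concrete, here is an added Python example (not code from the article, Armorize or Dasient) that scans constructed page bodies for injected `sidename.js` references, builds the redirect graph between hosts, and checks which infected sites would still serve the payload after a given set of hosts is cleaned. All host names and page contents are constructed for illustration.

```python
import re

# Constructed sample: the HTML each hypothetical host serves. Three sites are
# injected with a script that points at another member of the mesh; one is clean.
PAGES = {
    "a.example": '<p>Hi</p><script src="http://b.example/sidename.js"></script>',
    "b.example": '<script src="http://c.example/sidename.js"></script><p>News</p>',
    "c.example": '<p>Shop</p><script src="http://a.example/sidename.js"></script>',
    "d.example": '<script src="/static/app.js"></script><p>Clean</p>',
}

# Daswani's anticipated variant (constructed): a site sources the payload from
# several peers, so cleaning one peer does not stop it serving the payload.
MULTI = dict(PAGES)
MULTI["a.example"] += '<script src="http://c.example/sidename.js"></script>'

SCRIPT_SRC = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
REMOTE = re.compile(r'^https?://([^/:]+)(?::\d+)?/(.*)$', re.I)

def injected_sources(host, html):
    """Hosts (other than `host` itself) that this page loads sidename.js from."""
    found = set()
    for src in SCRIPT_SRC.findall(html):
        m = REMOTE.match(src)
        if m and m.group(2).endswith("sidename.js") and m.group(1).lower() != host:
            found.add(m.group(1).lower())
    return found

def build_mesh(pages):
    """Map each host to the set of hosts its injected script redirects to."""
    return {host: injected_sources(host, html) for host, html in pages.items()}

def redirectors(mesh):
    """Hosts that carry an injected redirect, i.e. the infected sites."""
    return {h for h, targets in mesh.items() if targets}

def redirect_targets(mesh):
    """Hosts that some infected site pulls the payload from."""
    return set().union(*mesh.values()) if mesh else set()

def still_serving(mesh, cleaned):
    """Infected hosts whose payload still loads after `cleaned` hosts are fixed:
    the host itself is not cleaned and at least one of its sources is not either."""
    return {h for h in redirectors(mesh) if h not in cleaned and mesh[h] - cleaned}
```

In the single-source mesh every redirector is also a target, so there is no single host whose blacklisting disables the others; in the multi-source variant, cleaning one peer leaves a site that sources from two peers still serving.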
The attack underscores that site owners need to do better security analyses of their sites, says Thomas Kristensen, chief security officer for Secunia. Most companies, however, will not tackle remediating expensive vulnerabilities in their Web sites unless it is a priority from executives, he says.
"Even though a lot of geeks think that, well, we really need to do something about our security, unless it is financially backed, nothing is going to happen," Kristensen says.