Attackers are increasingly exploiting common database vulnerabilities to leave behind code on thousands of sites, redirecting visitors to servers that host malicious downloads, security experts warned last week.
The attacks, which apparently started at the beginning of April, attempt to use any field on a Web site that accepts user input to execute commands on the database that stores the site's information. Since most databases use some variant of the structured query language (SQL), the attack is known as SQL injection.
In the latest spate of compromises, unknown attackers used SQL injection techniques to create malicious
1.htm -- embedded in the
iframe, leading to another site that would attempt to install keylogging software by exploiting several different vulnerabilities.
"The exploits target Microsoft applications, specifically browsers not patched against the VML exploit MS07-004 as well as other applications," security firm Websense stated in a research note last week. "Ominously files named McAfee.htm and Yahoo.php are also called by
1.htm but are no longer active at the time of writing."
The most recent spate of SQL injection attacks resembles those that have occurred on and off over the past two years. In January 2007, the attacks gained notoriety when the Web site of Dolphin Stadium, the venue of that year's Superbowl, was compromised with a similar
iframe attack. Earlier this year, the Internet Storm Center, a network-threat monitoring group, warned that such attacks had once again risen in prominence. The ISC issued a warning on Thursday about the latest rounds of attacks.
In November 2007, a survey of Web site databases concluded that a half million were at risk of attack.
In its analysis of the attacks, the Shadowserver group predicted that SQL injection will likely become more popular.
"At the moment it appears that a small set of people are behind these attacks," the group said. "However, it most likely won't take too long for others to catch on and possibly conducting even more nefarious activities."
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos