Latest SQL injection attack quickly spreads malicious JavaScript

By Scott M. Fulton, III | Published August 26, 2009, 6:27 PM

One of the more bizarre architectural elements of HTML that may still be excused with the phrase, "This behavior is by design," is the ability of a floating text frame, created with the <IFRAME> element, to be rendered effectively invisible (or so small as to go unseen) and then to run JavaScript. It's a trigger for disaster, and pressing that trigger tens of thousands of times today is a particularly virulent SQL injection attack, the evidence of which can be found with a simple Google search: Wednesday afternoon, Betanews found about 82,800 compromised pages in Google's index for just one of the actual malicious triggers -- probably only a fraction of the real number of cases. And there are multiple triggers.

The plague was first reported last Friday by security services provider ScanSafe. In an update filed today, its engineers report that as the number of infected sites grows, their geographic concentration becomes more pronounced, not less. It's as if the source of the injection, whatever it is, is targeting Chinese sites.

A similar attack occurred in the spring of last year, also appearing to target Chinese sites. Once infected, the sites deliver <IFRAME> code to their visitors that starts the download of an executable binary, and apparently even launches it. Last May, security researchers discovered a new round of SQL injection attacks, again appearing to target China.
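An added example, not code from the article or from ScanSafe: a defender's scan of the content tables that feed a site, flagging rows that carry the kind of invisible <IFRAME> described above (zero-sized or hidden by CSS) while leaving a legitimately sized embed alone. The rows, the `pages` table and the `example.invalid` hosts are constructed for the demonstration.

```python
import re
import sqlite3
from html.parser import HTMLParser

# Constructed sample rows: a mass SQL injection typically leaves the same hidden
# <iframe> appended to every text column of the database that feeds the site.
SAMPLE_ROWS = [
    ("About us", "<p>Welcome to our shop.</p>"),
    ("News", '<p>Sale this week.</p><iframe src="http://example.invalid/x.htm" width=0 height=0></iframe>'),
    ("Contact", '<p>Call us.</p><iframe src="http://example.invalid/y.htm" style="display:none"></iframe>'),
    ("Map", '<iframe src="https://maps.example.com/embed" width="600" height="450"></iframe>'),
]
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)

def _dimension(value):
    # Parse a width/height attribute ('0', '1px', '100%') to an int; None if absent/unparsable.
    m = re.match(r"\s*(\d+)", value) if value is not None else None
    return int(m.group(1)) if m else None

class HiddenIframeFinder(HTMLParser):
    """Collects the src of every iframe sized to be invisible or hidden via CSS."""
    def __init__(self):
        super().__init__()
        self.findings = []
    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)  # html.parser lowercases tag and attribute names
        w, h = _dimension(a.get("width")), _dimension(a.get("height"))
        tiny = (w is not None and w <= 2) or (h is not None and h <= 2)
        hidden = bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tiny or hidden:
            self.findings.append(a.get("src") or "")

def find_hidden_iframes(html):
    finder = HiddenIframeFinder()
    finder.feed(html)
    return finder.findings

def scan_pages(conn):
    """Return (title, iframe_src) for every stored page whose body carries a hidden iframe."""
    hits = []
    for title, body in conn.execute("SELECT title, body FROM pages ORDER BY rowid"):
        hits.extend((title, src) for src in find_hidden_iframes(body or ""))
    return hits

def demo():
    conn = sqlite3.connect(":memory:")  # in-memory stand-in for the site's content database
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", SAMPLE_ROWS)
    return scan_pages(conn)
```

Finding the rows is only triage: the injected markup has to be removed from every affected column, and the query that let it in has to be fixed (parameterized, as Friedl's essay below explains) or the rows will be re-infected.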

While some security software firms have posited the theory that malicious sources outside China are targeting that country in response to reports that it is supporting the suppression of ethnic uprisings, a more viable theory is that the latest wave -- like the May 2008 wave discovered by Armorize Technologies, a security firm with assets in China -- is itself based in China.

Though the motivation behind this latest attack is not known, the most plausible theory for the motive behind the May 2008 attack came from Trend Micro: information the malicious payload sent back to its host indicated that the host was hunting for gaming-related data, perhaps statistics about players' asset holdings in virtual worlds. Armed with that information, a malicious gamer could conceivably manipulate entire virtual economies.


BETACHECK

For more:

"SQL Injection Attacks by Example" by Steve Friedl, a brilliant but straightforward essay demonstrating exactly how a typical SQL injection attack is carried out.

"Using UrlScan" -- Documentation from Microsoft on setting up and running the UrlScan 3.0 utility with IIS 7.0.


Comments


I told you all that OffByOne was the Best Browser Ever™! Malicious JavaScript? No problem! JavaScript Pop-Ups? No Problem!

All you people with your fancy "extensions" and your "Web 2.0" are all missing out on the Real Internet™....you can only get it with OffByOne.

Use anything else and you *will* be sorry.

No, seriously. I'm not joking this time. Really. I'm not posting this from Firefox. *cough*

Score: 1


An off-by-one error (OBOE) is a logical error involving the discrete equivalent of a boundary condition. It often occurs in computer programming when an iterative loop iterates one time too many or too few.

Usually this problem arises when a programmer fails to take into account that a sequence starts at zero rather than one (as with array indices in many languages), or makes mistakes such as using "is less than or equal to" where "is less than" should have been used in a comparison.

This can also occur in a mathematical context.

http://en.wikipedia.org/wiki/Off-by-one_error

Who knew...??? ;)

Score: 0


*laughing*

My...that was a little ADHD...

Randomness FTW!

Score: 0


Damn, bowlingballreviews.com has been infected with this SQL Injection attack. Now what?

Score: 1


While you're at it, better avoid the following sites:

barbielovesken.com

catlittertips.com

hairyknuckles.com

emptycans.com

betweenyourteeth.com

and

heehawreruns.com

Score: 0
