FusionStorm - IT Delivered - an award-winning, information technology delivery (ITD) company


A network of hacked computers that went quiet after being used to infect tens of thousands of Web pages with malware in mid-2009 suddenly became active again in October, several security experts confirmed. The ASProx botnet is the delivery vehicle for what the ScanSafe security firm describes as a “potent Trojan cocktail consisting of backdoors, password stealers and downloaders.”

 

What is particularly disturbing about ASProx is its attack mechanism — SQL injection. Used by cybercriminals for more than 10 years, SQL injection is one of the oldest forms of Web application attacks around. Nevertheless, there has been an unusually large increase in the number of SQL injection attacks over the past two years.

 

SQL injection attacks exploit Web application coding flaws to compromise widely used back-end databases and steal important information or introduce malicious code. Although the methodology is well understood, SQL injection attacks in recent years have successfully compromised such sensitive Web sites as the Department of Homeland Security, the United Nations and the U.K. government, along with many other high-profile attacks against banks, security companies and retailers.

 

Easy Pickings?

According to the IBM X-Force research and development team, SQL injection attacks jumped 134 percent in 2008 and another 96 percent in the second quarter of 2009 to replace cross-site scripting as the predominant type of Web application threat. Security vendor Breach Security agrees that the use of SQL injection to plant malware on target Web sites is now the leading attack method for online criminals, with more than 500,000 successful such attacks last year.

 

“The purpose of these automated attacks is to deceive and redirect Web surfers to Web browser exploit toolkits,” said Kris Lamb, senior operations manager, X-Force Research and Development for IBM Internet Security Systems. “This is one of the oldest forms of mass attack still in existence today. It is staggering that we still see SQL injection attacks in widespread use without adequate patching almost 10 years after they were first disclosed. Cybercriminals target businesses because they provide an easy target to launch attacks against anyone that visits the Web.”

 

Web sites are often the Achilles' heel of corporate IT security because they provide a public-facing gateway to back-end networks and data. Unfortunately, many organizations are using off-the-shelf Web applications that are riddled with known vulnerabilities or custom applications that can have numerous unknown vulnerabilities that can’t be patched. According to the X-Force team, more than half of all vulnerabilities disclosed are related to Web applications, and of these more than 74 percent have no patch.

 

Simple but Serious

SQL injection is not a particularly sophisticated attack method, but its simplicity is the key to its prevalence. Any online application that uses a back-end SQL database server, accepts user input, and dynamically forms queries using that input is a potential target. It doesn’t matter if the database is Oracle, Microsoft Access, MS SQL Server, MySQL or Filemaker Pro, because all use SQL (structured query language) to manipulate and retrieve data.

 

Browser-based forms that accept input, such as log-in pages, are essentially executing code to pass information to the database server. SQL injection attacks exploit poorly coded Web applications that allow SQL commands to be “injected” into the user input fields. The right command can trick the Web application into running unauthorized queries against its back-end database, thus giving an attacker complete control of the database to steal or alter its contents.

 

To mitigate SQL injection attacks, organizations should use a layered approach to secure Web applications and their associated databases. The first layer is patching servers, databases, programming languages and operating systems on a regular basis. Web application firewalls and intrusion prevention software are additional layers of defense. Security experts also recommend performing thorough audits of Web sites and Web applications to discover SQL injection vulnerabilities.
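As an added illustration, not taken from the original article, of the coding flaw described above and of the fix that the audit-and-patch advice ultimately leads to: a log-in check that concatenates user input into its SQL, beside the same check written with parameterized queries, both run against a constructed in-memory SQLite table (the users table, credentials and function names are assumptions for the demo).

```python
import sqlite3


def make_db():
    """Constructed in-memory users table standing in for the back-end database.
    Plaintext passwords are used only to keep the demo short; real systems hash them."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct horse')")
    db.commit()
    return db


def login_vulnerable(db, username, password):
    """Dynamically forms the query from user input: the input becomes SQL syntax."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None


def login_parameterized(db, username, password):
    """Hardened form: placeholders bind the input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None


def demo():
    """Runs both checks with valid, invalid and injected input and reports each outcome."""
    db = make_db()
    # Textbook tautology: closes the quoted literal so the WHERE clause is always true.
    injected = "' OR '1'='1"
    return {
        "vuln_good_creds": login_vulnerable(db, "alice", "correct horse"),
        "vuln_wrong_pw": login_vulnerable(db, "alice", "wrong"),
        "vuln_injected": login_vulnerable(db, "alice", injected),      # bypass succeeds
        "param_good_creds": login_parameterized(db, "alice", "correct horse"),
        "param_wrong_pw": login_parameterized(db, "alice", "wrong"),
        "param_injected": login_parameterized(db, "alice", injected),  # treated as a bad password
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'logged in' if ok else 'rejected'}")
```

The vulnerable path accepts the injected string because the resulting statement reads `... AND password = '' OR '1'='1'`, whereas the parameterized path compares it against the stored password and rejects it.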

 

For years, most organizations have concentrated their security efforts on the network perimeter. The sudden rise in SQL injection attacks on known vulnerabilities seems a clear indication that Web applications, which are easy to deploy and update, have not been subjected to the same rigorous testing as more ubiquitous applications.

 

“The security industry has long been centered on network security, but the security focus is shifting,” said Frost & Sullivan research analyst Chris Rodriguez. “Organizations are recognizing Web applications and other custom applications are not secure and represent a dangerous point of attack.”
