Mass SQL Injection Storm Uses Search Engines And Automation

Security researchers monitoring mass SQL injection attacks warned the latest one may be nearing a million infected pages using a combination of automated tools with reconnaissance information gathered from search engines. This follows similar storms last year.

The “Lilupophilupop” SQL injection campaign has infected a little over a million URLs since it was first detected in early December, according to a post on the SANS Institute’s Internet Storm Centre. The security firm detected only 80 corrupted URLs when it first noticed the campaign. Mark Hofman, a handler at the SANS Institute’s Internet Storm, acknowledged the list contained duplicate URLs but regardless of the actual number of infected sites, the campaign was definitely growing.

Fake Flash page

Victims who land on the infected URLs are redirected to other sites and wind up on Lilupophilupop.com which displays an “adobeflash page” where they are encouraged to download what they think is an update to Adobe Flash, or to a fake antivirus site. The scam’s ultimate goal is to trick victims into paying for software or antivirus protection they do not need, and will likely cause more problems once installed.

“Sources of the attack vary, it is automated and spreading fairly rapidly,” Hofman wrote in an initial analysis of the attack.

This newest mass injection is similar to the LizaMoon attack, which was responsible for redirecting 1.5 million URLs to fake antivirus pages. Websites based in the Netherlands are the biggest victims of Lilupophilupop, followed by French sites, according to the SANS Institute. Sites with backends running on IIS, ASP or Microsoft SQL Server seem to be the primary target.

“If you want to find out if you have a problem just search for <script src=http://lilupophilupop.com/ in Google and use the site: parameter to home in on your domain,” Hofman said.

Attackers often use Google and other search engines to identify which Websites are vulnerable as part of their initial research, Rob Rachwald, director of security strategy at Imperva, told eWEEK. The searches may be as simple as looking for Websites that are running off-the-shelf content management systems or other software packages that have known vulnerabilities, such as phpMyAdmin, a popular Web-based front-end interface for managing SQL databases, he said. There are also certain parameters that can be used to find open ports or even what scripts are available on the server.

Security administrators can do what the attackers do and run queries with various technical parameters, also known as “Google Dorks”, on the Website to see what shows up in the search results, according to Rachwald. Once the problems on the server are exposed, they can then be cleaned up, according to Rachwald.

Bot assisted searches

Attackers often automate the search process using bots. A recent Imperva report showed that just 10 IP addresses were responsible for approximately 40 percent of SQL injection attacks. “With such numbers, blacklisting makes sense,” Rachwald said. Blacklisting alone will not stop SQL injection attacks, but it can reduce some of the sources of attack.

There are also automated SQL attack tools available, such as SQL map and Havij. These tools each have unique patterns and fingerprints that can be used to identify them. Administrators can identify different patterns of automated attacks by examining HTTP headers and application parameters and block the malicious tool from accessing the application at all.

“Code review is arduous and expensive, but it gets the problem fixed, hopefully for good,” said Rachwald.

Even if an organisation knows there are security flaws in the application, there may be several reasons as to why the flaws cannot be fixed immediately. The source code may not belong to the organisation or the developers may be backlogged and not able to make the fix. A Web application firewall will also help prevent attacks as it can be used to block attacks from exploiting the vulnerability in the application, according to Rachwald.