mass sql injection

I mentioned yesterday a report about tens of thousands of websites being infected by some malware. SANS has an update which also points to the ModSecurity blog. Turns out this was some automated process that sought out SQL Injection-vulnerable sites, injected the script, and moved on. Impressive!

This kinda drives home some concepts.

1) Think of an attack today that seems unlikely or something that an attacker would do manually. Plan on that attack being automated someday. Yes, web app secs will say some things aren’t like that, like business process errors, but for the most part attacks can be automated, just like vuln scans can be automated. This can be done by a small number of scanners running, or even a rented botnet that can infect huge swaths of systems quickly. The next worm? We don’t need to worry about the next worm when botnets can act as one at will. Just give them a vulnerability, or now even a class of vulnerability that can be scanned for, and bam, overnight firestorm. And for every site attacked in the last few weeks, that can turn into hundreds of infected visitors to that site.

2) If you check that Google search for infected sites, you’ve just got an inventory of sites vulnerable to SQL Injection. Do a diff on them over the next few days, and you’ll filter out the sites with good response to incidents. Want to steal some info or do more targeted and nefarious things? There’s your target list…

3) Mitigations? Sure we can erect barriers in WAFs (ugh) to help block these things, but it all comes back down to secure coding, regular scans/audits, change control tripwires, and monitoring. What’s worse than being hit by this attack? Being hit and never knowing it.