SQL injection attack in 'third wave,' says IBM

SQL injections are among the most common Web attacks, but third wave more resistant to traditional security measures

A SQL injection attack that has affected at least a half-million Web sites has entered a "third wave" that's more resistant than previous versions to traditional security measures, according to IBM security researchers.

"I've been tracking SQL injections for the last five or six years. This is some of the most intricate obfuscation I've ever seen," says David Dewey, research manager for the X-Force technology at IBM's Internet Security Systems division.

A SQL injection is an attack against a database-driven Web site in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on systems connected to the Internet.

When Dewey talks about obfuscation, he's referring to hackers hiding attacks behind seemingly valid functionality. The attacks evolve as hackers change the SQL commands used to accomplish their goals, but the result is the same.

SQL injections are among the most common Web attacks, partly because a hacker needs little beyond a Web browser and knowledge of SQL queries. These most recent attacks, however, are "extremely complex" and hard to detect until it's too late, Dewey says.

Hackers are randomly targeting IP addresses throughout the world, looking for any Web site that would accept such an injection, Dewey says. Many successful, widely trusted retail Web sites are being affected. Internet surfers who navigate to infected sites are redirected to "exploitation sites" that simply look broken, with error messages and missing content. The users then are attacked with malware and added to a growing botnet, he says.

It happens so fast there's no way to avoid it. "It's the speed of light," Dewey says. The SQL injections began on a small scale in January, he says. In April, hackers modified their commands to evade security measures, and the number of attacks went "through the roof," he adds.

Less than two weeks ago, IBM researchers found the latest version, which Dewey calls the third wave. While the new version of the attack is designed to sidestep security measures put in place for the second wave, once a Web site has been hit it's pretty obvious. "This thing does not try to be sneaky," he says. "It basically tries to obliterate all of your database records and inject its own content into all of your database records." Back-end data is destroyed, whether it be customer accounts, or something simple, like the content of a blog.

Autoweb, a UK-based advertising and marketing site victimized by a recent SQL injection, recovered only after a series of countermeasures, from blocking the Chinese IP addresses where the attacks originated, to finding a developer capable of fixing a vulnerability in its Web application.

The X-Force team at IBM recently made some changes in how it detects SQL injections, changes that allowed its technology to find the latest attacks, Dewey says. Numerous other vendors are releasing updates every week to combat the problem, he notes. "With our protection, they haven't ever evaded us," he says, "so far as we know."

Join the PC World newsletter!

Error: Please check your email address.

Our Back to Business guide highlights the best products for you to boost your productivity at home, on the road, at the office, or in the classroom.

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Essentials

Lexar® JumpDrive® S57 USB 3.0 flash drive

Learn more >

Microsoft L5V-00027 Sculpt Ergonomic Keyboard Desktop

Learn more >

Mobile

Lexar® JumpDrive® S45 USB 3.0 flash drive 

Learn more >

Exec

Lexar® JumpDrive® C20c USB Type-C flash drive 

Learn more >

HD Pan/Tilt Wi-Fi Camera with Night Vision NC450

Learn more >

Audio-Technica ATH-ANC70 Noise Cancelling Headphones

Learn more >

Lexar® Professional 1800x microSDHC™/microSDXC™ UHS-II cards 

Learn more >

Budget

Back To Business Guide

Click for more ›

Most Popular Reviews

Latest News Articles

Resources

PCW Evaluation Team

Azadeh Williams

HP OfficeJet Pro 8730

A smarter way to print for busy small business owners, combining speedy printing with scanning and copying, making it easier to produce high quality documents and images at a touch of a button.

Andrew Grant

HP OfficeJet Pro 8730

I've had a multifunction printer in the office going on 10 years now. It was a neat bit of kit back in the day -- print, copy, scan, fax -- when printing over WiFi felt a bit like magic. It’s seen better days though and an upgrade’s well overdue. This HP OfficeJet Pro 8730 looks like it ticks all the same boxes: print, copy, scan, and fax. (Really? Does anyone fax anything any more? I guess it's good to know the facility’s there, just in case.) Printing over WiFi is more-or- less standard these days.

Ed Dawson

HP OfficeJet Pro 8730

As a freelance writer who is always on the go, I like my technology to be both efficient and effective so I can do my job well. The HP OfficeJet Pro 8730 Inkjet Printer ticks all the boxes in terms of form factor, performance and user interface.

Michael Hargreaves

Windows 10 for Business / Dell XPS 13

I’d happily recommend this touchscreen laptop and Windows 10 as a great way to get serious work done at a desk or on the road.

Aysha Strobbe

Windows 10 / HP Spectre x360

Ultimately, I think the Windows 10 environment is excellent for me as it caters for so many different uses. The inclusion of the Xbox app is also great for when you need some downtime too!

Mark Escubio

Windows 10 / Lenovo Yoga 910

For me, the Xbox Play Anywhere is a great new feature as it allows you to play your current Xbox games with higher resolutions and better graphics without forking out extra cash for another copy. Although available titles are still scarce, but I’m sure it will grow in time.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?