SQL injection attack in 'third wave,' says IBM

SQL injections are among the most common Web attacks, but third wave more resistant to traditional security measures

A SQL injection attack that has affected at least a half-million Web sites has entered a "third wave" that's more resistant than previous versions to traditional security measures, according to IBM security researchers.

"I've been tracking SQL injections for the last five or six years. This is some of the most intricate obfuscation I've ever seen," says David Dewey, research manager for the X-Force technology at IBM's Internet Security Systems division.

A SQL injection is an attack against a database-driven Web site in which the hacker executes unauthorized SQL commands by taking advantage of insecure code on systems connected to the Internet.

When Dewey talks about obfuscation, he's referring to hackers hiding attacks behind seemingly valid functionality. The attacks evolve as hackers change the SQL commands used to accomplish their goals, but the result is the same.

SQL injections are among the most common Web attacks, partly because a hacker needs little beyond a Web browser and knowledge of SQL queries. These most recent attacks, however, are "extremely complex" and hard to detect until it's too late, Dewey says.

Hackers are randomly targeting IP addresses throughout the world, looking for any Web site that would accept such an injection, Dewey says. Many successful, widely trusted retail Web sites are being affected. Internet surfers who navigate to infected sites are redirected to "exploitation sites" that simply look broken, with error messages and missing content. The users then are attacked with malware and added to a growing botnet, he says.

It happens so fast there's no way to avoid it. "It's the speed of light," Dewey says. The SQL injections began on a small scale in January, he says. In April, hackers modified their commands to evade security measures, and the number of attacks went "through the roof," he adds.

Less than two weeks ago, IBM researchers found the latest version, which Dewey calls the third wave. While the new version of the attack is designed to sidestep security measures put in place for the second wave, once a Web site has been hit it's pretty obvious. "This thing does not try to be sneaky," he says. "It basically tries to obliterate all of your database records and inject its own content into all of your database records." Back-end data is destroyed, whether it be customer accounts, or something simple, like the content of a blog.

Autoweb, a UK-based advertising and marketing site victimized by a recent SQL injection, recovered only after a series of countermeasures, from blocking the Chinese IP addresses where the attacks originated, to finding a developer capable of fixing a vulnerability in its Web application.

The X-Force team at IBM recently made some changes in how it detects SQL injections, changes that allowed its technology to find the latest attacks, Dewey says. Numerous other vendors are releasing updates every week to combat the problem, he notes. "With our protection, they haven't ever evaded us," he says, "so far as we know."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Jon Brodkin

Network World
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Aysha Strobbe

Microsoft Office 365/HP Spectre x360

Microsoft Office continues to make a student’s life that little bit easier by offering reliable, easy to use, time-saving functionality, while continuing to develop new features that further enhance what is already a formidable collection of applications

Michael Hargreaves

Microsoft Office 365/Dell XPS 15 2-in-1

I’d recommend a Dell XPS 15 2-in-1 and the new Windows 10 to anyone who needs to get serious work done (before you kick back on your couch with your favourite Netflix show.)

Maryellen Rose George

Brother PT-P750W

It’s useful for office tasks as well as pragmatic labelling of equipment and storage – just don’t get too excited and label everything in sight!

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?