David Maciejak Fortinet
Guillaume Lovet Fortinet
download slides (PDF)
Looking back, the past year has seen botnet-powered SQL injection attacks reaching a rampant level, sparing no category of websites in their malicious code injection campaigns. With several millions of reported attempts from several hundreds of thousands of IP addresses, and successfully compromised websites ranging from MTV to the Canadian National Defence, few other threats can boast as high a profile.
Looking within, the threat's internals reveal a sophisticated technique and a steady evolution. As early as May 2008, a new Asprox botnet variant acquired an interesting - and previously unseen - behaviour: it started to look for SQL servers via search engines, such as Google. Once found, it would attempt to perform an SQL injection attack on those, following a simple, yet effective scenario: an HTTP Get request is issued as an attempt to inject some malicious Javascript in the content database, which is used to provide data front end to the final user. The blind requests may be repeated with varied parameters, effectively making this early version of the threat a 'brute force' attack.
This paper dissects the attack at a fairly technical level, elaborates on its evolution up to now, and discusses the protection and mitigation strategies relevant to its class.