IBM: SQL Injection Attacks Increasingly Threaten Public and Private Networks

Public-sector Web sites are among those vulnerable to construction of botnets.

by Hilton Collins / December 16, 2009

Workplace security staffs must act fast to iron out kinks in their application code if they want to be fortified against infiltration -- hundreds of thousands of SQL injection attacks hammer at those vulnerabilities every day, an unsettling number that will likely grow even bigger soon.

And if that number sounds too grim to be true, listen to IBM.

The IBM Internet Security Systems X-Force research and development team released a 2009 Mid-Year Trend and Risk report in August that revealed there were at least 250,000 SQL (Structured Query Language) injection attacks daily on Web sites around the world between January and June, with the number peaking at 700,000 in May. That's substantial and rapid growth over the number seen just months prior. Daily SQL injection attacks from September to December 2008 never reached 300,000.

In SQL injection attacks, a hacker with bad intent uses the Web to exploit a security vulnerability in the database layer of an application's code to corrupt the application and make it perform functions it's not supposed to do. He or she "injects" malicious input that the application passes to its database as part of an SQL command, allowing the hacker to make the program run unauthorized SQL commands and hijack the application to conduct nefarious activity.
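The mechanism described above, as an added example that is not part of the article or of IBM's report: a hypothetical login query built by string concatenation beside the same query written with bound parameters, run against a constructed in-memory SQLite table. The user names, passwords and the tautology input are all made up for the demonstration; the point is that the concatenated version lets the input change the command, while the parameterized version treats it as data.

```python
import sqlite3


def build_db():
    """Constructed sample data standing in for a Web application's database layer."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    return conn


def login_vulnerable(conn, username, password):
    """Builds the SQL statement by concatenation, so untrusted input becomes
    part of the command the database parses and executes."""
    query = (
        "SELECT username, role FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    return conn.execute(query).fetchall()


def login_hardened(conn, username, password):
    """Parameterized query: the driver binds the input as values, so it can
    never be interpreted as SQL syntax, whatever characters it contains."""
    query = "SELECT username, role FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchall()


def demo():
    """Runs both versions with a valid credential pair and with a constructed
    tautology input, returning the rows each version hands back."""
    conn = build_db()
    valid = ("alice", "correct horse")
    hostile = ("alice", "' OR '1'='1")  # constructed: turns the WHERE clause into an always-true test
    return {
        "vulnerable_valid": login_vulnerable(conn, *valid),
        "vulnerable_hostile": login_vulnerable(conn, *hostile),
        "hardened_valid": login_hardened(conn, *valid),
        "hardened_hostile": login_hardened(conn, *hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

With the hostile input, the concatenated query returns every row in the table because the clause now reads `... AND password = '' OR '1'='1'`; the parameterized query returns nothing, because the same text is compared literally against the stored password. The fix the article's sources are asking site operators for is the second form applied everywhere user input reaches a query.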

"We've seen the volume of attacks just go through the roof," said Tom Cross, manager of IBM X-Force Research. His team's sensors crawl the Web to detect malicious activity worldwide, and the results aren't comforting.

"Early in 2008, we were seeing less than 5,000 SQL injection attacks every day against our sensor network. Right around June of that year, the number started going up -- we saw 40,000 events per day in June, and then in December of last year, we saw around 200,000 events per day," he said. "And as we went into this year, the number continued to go up, and by the summer of 2009, we were seeing around 600,000 events per day."

Government Security Practices Vary

These attacks seem to span legions of public- and private-sector Web sites globally, and there isn't a uniform security standard everyone follows.

"Some government organizations are extremely sophisticated and have lots of security budget and they do a very good job; other government organizations aren't that sophisticated and they're putting Web applications out there that are vulnerable, and they do get targeted," Cross said.

Dark Reading reported on Dec. 10 that a massive SQL injection attack had reached 132,000 sites, infecting Web sites with code that installed backdoor Trojans. The victimized sites were different sizes and from different countries, like Yemen.

"They want to target these Web sites that have a lot of viewers but are maybe run by people that aren't as sophisticated from a security standpoint," Cross said of the culprits. "So the number has gotten so large because they're trying to hit as many of these vulnerable sites as they can."

And they're often motivated by money.

"The fundamental motivation that these guys have is to control as many computers as possible, and once they build these botnets with these computers, they actually sell the bot-defective hosts on the black market," he said.

The cycle continues after the sale because the buyers have their own motivations.

"Some of them want to launch denial-of-service attacks, so they'll buy a large botnet for that purpose. Some of them may want to steal bank log-in credentials or credit card numbers, and so they'll buy bot-infected nodes and install a piece of malware that's designed to steal that kind of data."

But X-Force does have some positive news: the number of disclosed code vulnerabilities (the holes in code that allow exploits to happen) has decreased slightly. The team analyzed and documented 3,240 new vulnerabilities in the first half of 2009, an 8 percent decrease compared to the same period in 2008. That's also the lowest count they've found for the first half of the year in four years.

However, these counts cover only holes in code that people know about and choose to reveal. They don't take into account the ones that haven't been found or the ones that are still kept secret.

"One thing that's really important to note about those vulnerability statistics is that they only represent Web applications that are publicly available, where there's an organization that supports them -- they're open source or supplied by a company -- and patches are made available for users to download," Cross said. "We think most Web applications are custom developed, and so an organization that developed their own Web application isn't going to put out a vulnerability advisory when they find a vulnerability and repair it, so that doesn't show up in our statistics."


Hilton Collins

Hilton Collins is a former staff writer for Government Technology and Emergency Management magazines.
