Mesh networks may make SQL injection attacks more persistent

Massive website compromises using a technique known as SQL injection have long been a top security concern for Web developers and site owners. Now, the attacks may become harder to detect and prevent, according to one security firm's analysis.

Web security firm Armorize announced that it had detected a new type of mass SQL injection attack that uses a simple form of peer-to-peer networking to make the compromised network hard to take down. Historically, mass web attacks are simple: Code written in the structured query language (SQL) is sent to the back-end web database using a vulnerability in the site's code. When the security flaw is in a common application, the attack can compromise thousands of sites at the same time.

In the latest version of the attack, rather than injecting sites with a single static script that points visitor browsers to a handful of malicious download sites, the attackers create a dynamic script that sends visitors to a previously compromised Web server. The new technique makes blacklisting much harder, says Wayne Huang, president and chief technology officer of Armorize.

"We found that the infected websites form a big mesh -- everybody is injected with a malicious script that points to each other," says Huang. "Every infected Web site is serving as a redirector for one another. You can't blacklist anybody, because everyone is a redirector."

Blacklisting has not kept pace. Armorize found that, of a sample of 700 sites that belonged to a compromised mesh network, only 20 percent had been blacklisted by Google for attempting to push malicious code to visitors. Another 10 percent had been compromised previously by a different attack and were blacklisted because of that earlier rogue behavior, the company said in a blog post describing its findings.

The company found that more than 20,000 sites from Alexa's top 1 million had the malicious script "sidename.js" running on the server.
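As an added illustration (not code from the article, Armorize or Dasient), the following Python models the mesh described above from a defender's side: it scans stored page content for injected external script tags such as sidename.js, records which compromised host each site redirects to, and shows how many sites still serve the chain after a given set of hosts is blacklisted. All hostnames and HTML rows are constructed.

```python
"""Detect injected cross-site <script> references in stored page content
and model the resulting redirect mesh. Added example; the rows below are
constructed sample data, not real compromised sites."""
import re

# Constructed sample: one text column pulled from several sites' CMS databases.
# Each compromised site loads the payload from two *other* compromised sites,
# so no single host is "the" malicious download server.
SAMPLE_ROWS = {
    "site-a.example": '<p>Welcome</p><script src="http://site-b.example/sidename.js"></script>'
                      '<script src="http://site-c.example/sidename.js"></script>',
    "site-b.example": '<h1>News</h1><script src="//site-c.example/sidename.js"></script>'
                      '<script src="http://site-d.example/sidename.js"></script>',
    "site-c.example": '<div>Shop</div><script src="http://site-d.example/sidename.js"></script>'
                      '<script src="http://site-a.example/sidename.js"></script>',
    "site-d.example": '<p>Blog</p><script src="http://site-a.example/sidename.js"></script>'
                      '<script src="http://site-b.example/sidename.js"></script>',
    # Clean site: a relative src and a same-host absolute src are normal.
    "clean.example": '<p>Hello</p><script src="/static/app.js"></script>'
                     '<script src="http://clean.example/js/lib.js"></script>',
}

# Capture the host of any absolute or protocol-relative script src.
SCRIPT_SRC = re.compile(r'<script\b[^>]*\bsrc=["\']?(?:https?:)?//([^/"\'>\s]+)', re.I)

def find_injected_redirects(rows):
    """Map each host to the set of *other* hosts its stored content loads
    scripts from. Relative and same-host sources are ignored; anything left
    is a cross-site script load worth reviewing."""
    edges = {}
    for host, content in rows.items():
        targets = {m.lower() for m in SCRIPT_SRC.findall(content)} - {host}
        if targets:
            edges[host] = targets
    return edges

def live_after_blacklist(edges, blocked):
    """Hosts that still deliver the payload chain once 'blocked' hosts are
    blacklisted: unblocked sites with at least one unblocked redirector."""
    return {h for h, ts in edges.items() if h not in blocked and ts - set(blocked)}

if __name__ == "__main__":
    mesh = find_injected_redirects(SAMPLE_ROWS)
    for host, targets in sorted(mesh.items()):
        print(f"{host} redirects visitors to {sorted(targets)}")
    print("live after blacklisting site-b:", sorted(live_after_blacklist(mesh, {"site-b.example"})))
```

Blacklisting one host leaves every other compromised site with a working redirector, which is the mesh property Huang describes; cleaning the injected rows out of each database is what actually breaks the chain.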

The current attack does have a weakness, points out Neil Daswani, co-founder and CTO of web anti-malware company Dasient. Cleaning up the malicious code from the infected sites will stop the code from being downloaded. Yet, that will only be true for a short while, he says.

"It will only be a matter of time before attacks like Sidename take on an even more resilient, peer-to-peer structure where infected sites source in malicious code from multiple additional infected sites, so that an infected site will still serve drive-by-downloads even if one or more of the sites that code is being sourced in from are cleaned up," Daswani says.

The attack underscores that site owners need to do better security analyses of their sites, says Thomas Kristensen, chief security officer for Secunia. Most companies, however, will not take on the expensive remediation of vulnerabilities in their Web sites unless executives make it a priority, he says.

"Even though a lot of geeks think that, well, we really need to do something about our security, unless it is financially backed, nothing is going to happen," Kristensen says.

Stories by Robert Lemos