Scramble! Scramble! SQL injection – time for an alert?

Sadly, it would appear the recent SQL injection shenanigans [1] are continuing apace. Back in May, I took a look at a couple of weeks’ worth of data on the sites we had seen that had fallen victim to the injection attacks [2]. Since then things have definitely got worse – we have been seeing an increase in the number of victim sites. In fact, looking through our data for the first couple of weeks of June, we have been seeing an average of 150 new, victim domains each day. These include several well-recognized, global brands with a sprinkling of government sites.

Perhaps most depressing is the number of sites that have fallen victim to the attacks multiple times, after initial cleanup. In situations where we contact the owners of compromised sites, we always emphasize the importance not just removing the offending malicious code, but also ‘closing the hole’ to ensure the site is not hit again.

It is not so long ago that we had ‘outbreaks’ (remember the Bagle vs Netsky and Mydoom [3] days?). The raising of a threat variant to some form of alert status does not tend to happen nowadays, most likely due to the shift from distinct, specific threats to a broader, contiguous spectrum of undesirables. The concept of a ‘specific variant’ is, for the most part, meaningless today. Is this same trend becoming true for vulnerabilities as well?

Clearly there is a need for site administrators to be alerted about the threat SQL injection attacks currently pose – the topic may be old, but it is being widely used by attackers right now. The question is, how is the alert achieved? Current alerting and information dissemination mechanisms revolve around specific vulnerabilities and patches largely. They cope less successfully with broader problems such as “susceptibility to SQL injection” attacks.

Measuring the threat is always hard for web attacks. Reporting numbers of domains or URLs can be fairly meaningless. I think the only times people really get close to understanding the scale of an attack is when a very large site or one that is ‘close to home’ gets hit. These conditions are more than satisfied when looking through data related to recent SQL injection attacks. But looking across the various sites out there providing threat information, little can be found. A passing mention is included in the April 2008 monthly summary from US-CERT, but generally speaking, there is nothing to really hit home with site administrators. Without this, the work required to identify and fix the underlying problems in countless sites is unlikely to get the priority and scheduling of time it requires (and deserves).