Wednesday, January 9, 2008
SQL Injection worm/bot?
I was reading the SANS ISC diary about mass compromises by SQL Injection. It seems to be something automated, maybe a botnet or even a worm. What kind of automated threat this is isn't really what matters here. The most important fact is that we are now seeing SQL Injection attacks being used by malware. This is really interesting news. It shows that those old vulnerabilities in operating systems and/or services are not the only way for malware to spread now. We were already seeing some cases of malware targeting user-related technologies, like those using XSS vulnerabilities. Most of them require user interaction, like the user browsing to an infected website. But SQL Injection attacks don't require that. It's a clear situation that shows that attacks are "climbing the layers", as I said here. Some of the current cases are mixing the exploitation of SQL Injection vulnerabilities with local vulnerabilities, but there is something that I haven't seen anyone mention that is also important to note.

Today, almost all new applications use some kind of SOA/Web 2.0 technology, and it's quite common to find web and application servers that can go out to the Internet through HTTP/HTTPS (after all, they need to access other web services out there). Wise firewall administrators will set their rules to allow access only to specified web servers, but we always knew that this is not what usually happens. So, rules like "My Servers -> Internet, port 80, accept" are starting to appear in several rulebases around the world. Put this together with the rise of application-based attack worms and we will start to see pretty serious incidents around the world.

So, take some time to review your firewall rulebase. Can your web and application servers be used by malware to spread a mass infection? Remember, good rules are "least privilege" rules. And don't forget to monitor your outgoing traffic and check it for attacks too.
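One way to start the rulebase review suggested above, as an added example that is not part of the original post: a small audit that reads rules written in the post's "source -> destination, port, action" notation and flags server groups allowed to reach any host on a web port. The group names, wildcard names and sample rulebase are assumptions constructed for illustration.

```python
import re

# Rule notation follows the post: "<source> -> <destination>, port <n>, <action>"
RULE_RE = re.compile(
    r"^\s*(?P<src>.+?)\s*->\s*(?P<dst>.+?)\s*,\s*port\s+(?P<port>\d+|any)"
    r"\s*,\s*(?P<action>\w+)\s*$",
    re.IGNORECASE,
)

# Assumed names for "anywhere" destinations and for server-side source groups.
WILDCARD_DESTINATIONS = {"internet", "any", "0.0.0.0/0"}
SERVER_SOURCES = {"my servers", "web servers", "app servers"}
WEB_PORTS = {"80", "443", "any"}


def parse_rule(line):
    """Return a dict for one rule line, or None if it does not match the notation."""
    m = RULE_RE.match(line)
    if not m:
        return None
    return {k: v.strip().lower() for k, v in m.groupdict().items()}


def audit_egress(rulebase):
    """Return (rule_number, rule_text, reason) for over-broad server egress rules."""
    findings = []
    for number, line in enumerate(rulebase, start=1):
        rule = parse_rule(line)
        if rule is None:
            findings.append((number, line, "unparsed rule, review manually"))
            continue
        if rule["action"] != "accept" or rule["src"] not in SERVER_SOURCES:
            continue
        if rule["dst"] in WILDCARD_DESTINATIONS and rule["port"] in WEB_PORTS:
            findings.append((number, line, "server group may reach any host on a web port"))
    return findings


# Constructed sample rulebase; partner-api.example is a placeholder destination.
SAMPLE_RULEBASE = [
    "Internet -> Web Servers, port 443, accept",
    "My Servers -> Internet, port 80, accept",
    "App Servers -> partner-api.example, port 443, accept",
    "App Servers -> any, port 443, accept",
    "any -> any, port any, drop",
]

if __name__ == "__main__":
    for number, line, reason in audit_egress(SAMPLE_RULEBASE):
        print(f"rule {number}: {line!r}: {reason}")
```

Rules 2 and 4 of the sample are flagged; rule 3 passes because it names a single destination, which is the least-privilege form the post recommends.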
Posted by Augusto Barros at 4:21 PM