Mass SQL injection attack targets Chinese Web sites

Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.

Slideshow: SQL injections - What they are, how to stop them

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

Web sites across China and Taiwan are being hit by a mass SQL injection attack that has implanted malware in thousands of Web sites, according to a security company in Taiwan.

Slideshow: SQL injections - What they are, how to stop them

First detected on May 13, the attack is coming from a server farm inside China, which has made no effort to hide its IP addresses, said Wayne Huang, chief executive officer of Armorize Technologies, in Taipei.

"The attack is ongoing, ... even if they can't successfully insert malware, they're killing lots of Web sites right now, because they're just brute-forcing every attack surface with SQL injection, and hence causing lots of permanent changes to the victim websites," Huang said.

In a SQL injection attack, an attacker attempts to exploit vulnerabilities in a Web site's database by entering SQL code in an entry field, such as a login. If successful, such an attack can give the attacker access to data on the database and the ability to run malicious code on the Web site.

A screenshot of a Web site belonging to the Mackay Memorial Hospital in Hsinchu, Taiwan, showed much of the content rendered unreadable, with words replaced by what appeared to be HTML tags.

Thousands of Web sites have been hit by the attack, he said, noting that 10,000 servers alone were infected by malware last Friday. Most of the affected servers are located in China, while some are located in Taiwan, Huang said.

Among the sites hit by the attack on Friday were Soufun, a real estate Web site, and Mycar168, a site for automobile enthusiasts.

The attackers aren't targeting a specific vulnerability. Instead they are using an automated SQL injection attack engine that can attack any Web site that uses SQL in some form, Huang said. The attack uses SQL injection to infect targeted Web sites with malware, which in turn exploits vulnerabilities in the browsers of those who visit the Web sites, he said.

Technical details of the malware, including the specific browser vulnerabilities exploited, were not immediately available.

Mass SQL injection attacks have increasingly become a security threat. In January, tens of thousands of PCs were infected by an automated SQL injection attack. That attack exploited a vulnerability in Microsoft's SQL Server.

The IDG News Service is a Network World affiliate.