'Mass Meshing' Attack Evades Google Scans
Discovered in January 2011, the new SQL injection variant, which security researchers are calling a mass meshing attack , combines a SQL injection attack coupled with a drive-by download.
While the exact mechanism of infection is still undetermined, it is likely due to automated injection via stolen FTP credentials or other backdoor mechanisms, according to Wayne Huang, chief technology officer at Armorize, who headed the research team that detected the new attack.
SQL injection attacks inject a large number of Web sites with malicious script or iFrame, typically without the users’ knowledge, which causes the browser to load from a malicious site.
In SQL injection attacks, the browser loads infected content from malicious redirectors, which are all registered and belong to the attacker. The redirectors are hence redirected to a single location that serves the attacking Java script.
While designed to silently infect users visiting a site, the presence of the injected code also enables security vendors to easily identify the malware and blacklist the domains, Huang said.
“For security vendors, it's easy. There may be tens of thousands or millions of injected Web sites, all injected with the same URLs. For security vendors, they see about a dozen URLs, which are all registered by the attacker,” Huang said. “Once you inject a piece of script into a Web site, the detection rate is going to be high.”
However, Huang said that the mass meshing attack takes SQL injection attacks up a notch because every injected Web site contains a redirector script in the root directory, which dynamically generates an iFrame to the exploit server and serves drive-by downloads.
Unlike SQL injection attacks, every redirector becomes an infected domain. The injected malicious script becomes a part of the Web pages content, indexed by Google and other search engines.
During a mass meshing attack, each site is injected with a static URL to a different infected Web site, making the number of URLs equivalent the number of infected sites. Despite carrying infected content, the domains of the URLs are treated as legitimate by traditional antivirus software, which makes detection more difficult and blacklisting with traditional security technology nearly impossible and prone to false positives.
“If you detect 20,000 injected Web sites, you’ll get 20,000 malicious URLs,” Huang said. “For security vendors it’s become very hard. Now it’s the same number as injected Web sites. You can’t blacklist all of these.”
In addition, the mass mesh infections are much less likely to be detected by Google’s safe browsing database, Huang said. Of 700 infected URL samples screened by Google, only 20 percent were flagged as malicious by the search giant, while 70 percent of the infected sites remained unflagged. Another 10 percent were either already flagged a long time ago or were flagged recently due to other compromises.
Security vendors that attempt to blacklist the domains face greater challenges because they’re adding innocent domains, which require constant monitoring so as not to create false positives, Huang said, adding, “The effect is, it’s going to make detection much more difficult.”