Ni hao! W3 0wn j00
SecurityWire reports on a massive-scale Chinese hacking campaign that has targeted hundreds of thousands of sites over the past ten days, exploiting weak ASP and PHP code to compromise MS SQL Server back-ends via complex SQL injection attacks.
The attackers are using simple search engine queries to find massive lists of ASP or PHP sites, for example, to determine injection parameters and then automating their attacks. They are taking advantage of functionality in Microsoft's SQL Server database server that enables multiple SQL statements to be sent in the same HTTP expression. Other databases such as MySQL or Postgres don't support this functionality.
[...]
The attack is a complicated SQL injection, said Jeremiah Grossman, a Web application security expert and chief technology officer of White Hat Security. Grossman said the injection is nearly a paragraph in size, and fully encoded, enabling it to elude intrusion detection systems. Part of it contains Chinese characters and a leet-treatment of the Chinese word for hello, ni hao (n1 ha0).
The SQL Injection exploit loops through database tables loading in malicious JavaScript everywhere it can, Grossman said, and ultimately infects browsers with malware via a Web page iFrame which loads content such as Trojans, from different hacker sites.
Grossman said he knows of one site loading a Trojan trying to steal World of Warcraft passwords. But, the real danger is that essentially these sites have been backdoored, and the payloads can be swapped out at any time.
"They're blindly tossing SQL injections at sites and getting a high success rate. They're upping the game," Grossman said. "This is a new level of sophistication."