Thursday, May 15, 2008

Botnets with SQL Injection tools

Dan Goodin of The Register has a gem of a story about the life of a teenage botmaster and how he got busted by the feds. While this smells like a low-hanging-fruit conviction, it provides compelling insight into just how little skill a person needs to turn a tidy illegal profit by compromising users' machines and committing fraud. It also raises the question of how much the people with some decent skills are making, the ones who also TRY NOT to get caught.

Who knows, some of them could be the same people clever enough to install SQL injection tools on bots as a copycat of the massive attacks going around. "The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks," says Joe Stewart, director of malware research for SecureWorks. Bill Pennington lays out the future of botnet attacks leveraging custom web application vulnerabilities like XSS and CSRF, which have even bigger potential than SQLi. Get ready everyone! This is going to be an interesting year.
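The bot behaviour Stewart describes leaves a recognisable trail in the target's web server logs: a single source walking .asp pages with SQL keywords, stacked statements and hex-encoded payloads in the query string, often URL-encoded more than once. The script below is an added example (it is not code from this post, from SecureWorks or from any botnet) that scans constructed IIS W3C-style log lines for those indicators, decodes any inline hex literal so an analyst can see what the injected statement actually says, and tallies flagged requests per source IP. The log lines, IP addresses, indicator names and weights are all assumptions made for the illustration.

```python
"""Flag SQL-injection probes in IIS W3C-style access logs (illustrative example)."""
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed log lines for the example, not captured traffic.
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
LOG_LINES = [
    "2008-05-15 03:12:01 198.51.100.20 GET /default.asp - 200",
    "2008-05-15 03:12:05 198.51.100.20 GET /products.asp id=17 200",
    "2008-05-15 03:14:10 203.0.113.7 GET /products.asp id=17%27+UNION+SELECT+1%2C2%2C3-- 500",
    "2008-05-15 03:14:11 203.0.113.7 GET /products.asp "
    "id=17;DECLARE+@s+VARCHAR(4000);SET+@s=CAST(0x4445434C41524520405420564152434841522832353529"
    "+AS+VARCHAR(4000));EXEC(@s);-- 200",
    "2008-05-15 03:14:12 203.0.113.7 GET /news.asp id=3%2527%2520OR%25201%253D1-- 200",
    "2008-05-15 03:15:00 192.0.2.33 GET /search.asp q=it%27s+a+union+of+states 200",
]

# Assumed indicator patterns; a weak one (comment token) only counts alongside a strong one.
INDICATORS = {
    "union_select": re.compile(r"union\s+(all\s+)?select", re.I),
    "stacked_statement": re.compile(r";\s*(declare|exec|execute|drop|insert|update|delete|create|alter)\b", re.I),
    "hex_literal_cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]+", re.I),
    "tautology": re.compile(r"'\s*(or|and)\s+\S+\s*=", re.I),
    "sql_comment": re.compile(r"(--|/\*)"),
}
WEIGHTS = {"union_select": 2, "stacked_statement": 2, "hex_literal_cast": 2,
           "tautology": 2, "sql_comment": 1, "double_encoded": 1}


def parse_line(line):
    """Split one W3C-style line into a dict; return None for lines that do not fit."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, time, ip, method, stem, query, status = fields
    return {"ip": ip, "method": method, "stem": stem,
            "query": "" if query == "-" else query, "status": status}


def decode_query(raw, max_rounds=3):
    """URL-decode repeatedly (bounded); returns (text, rounds) so double encoding is visible."""
    text, rounds = raw, 0
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text, rounds = decoded, rounds + 1
    return text, rounds


def sqli_indicators(decoded_query):
    """Names of the indicator patterns that match the decoded query string."""
    return [name for name, rx in INDICATORS.items() if rx.search(decoded_query)]


def decode_hex_literals(decoded_query):
    """Turn 0x... literals into readable text so the injected statement can be inspected."""
    out = []
    for m in re.finditer(r"0x([0-9a-fA-F]+)", decoded_query):
        digits = m.group(1)
        if len(digits) % 2:
            continue
        try:
            out.append(bytes.fromhex(digits).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass
    return out


def scan(lines, threshold=2):
    """Return one finding per request whose weighted indicator score reaches the threshold."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        decoded, rounds = decode_query(rec["query"])
        hits = sqli_indicators(decoded)
        if rounds > 1:
            hits.append("double_encoded")
        score = sum(WEIGHTS[h] for h in hits)
        if score >= threshold:
            findings.append({"ip": rec["ip"], "stem": rec["stem"], "status": rec["status"],
                             "score": score, "indicators": hits, "decoded": decoded,
                             "payload_text": decode_hex_literals(decoded)})
    return findings


def suspicious_sources(findings, min_hits=2):
    """Source IPs with at least min_hits flagged requests: the bot, not a one-off typo."""
    counts = Counter(f["ip"] for f in findings)
    return {ip: n for ip, n in counts.items() if n >= min_hits}


if __name__ == "__main__":
    found = scan(LOG_LINES)
    for f in found:
        print(f["ip"], f["stem"], f["score"], f["indicators"], f["payload_text"])
    print("bot-like sources:", suspicious_sources(found))
```

The weighting keeps a lone `--` in a legitimate query from raising an alert, the bounded decode loop exposes the double-encoded `%2527` trick without looping forever on pathological input, and the per-source tally is what separates a scripted bot working through search results from a single curious visitor.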


Matt Presson said...

This is the reason why security needs to be applied throughout the SDLC. SQLi has been solved for years. In my opinion, there is no excuse for having such vulnerabilities in your software. Having such shows that you care little about your user/customer, and even less about their (potentially sensitive) data that you are processing.

Coding Insecurity

Jeremiah Grossman said...

@matt, it's just the big challenge that all this vulnerable code is already out there in circulation and is extremely time-consuming and expensive to fix. That is, even if the organization cares about anything beyond the next feature.

Thijs said...

As far as I know, this is just a small issue; there is a lot more out there, and a lot more smart people out there who can do serious damage, if they are not already doing so. Problem is, they do NOT make mistakes. I'm still wondering when people will start catching the big fishes out there...
And like you said, SQL injection bots are already old news. I wouldn't know what would come next... I'm sure they will always find ways to do so.

Guess by then they're already gone.

But oh well, time will tell..

Anonymous said...

Doesn't sound much different from those damn RFI bots that constantly attack everyone's website with the "myweddingphotos" URL, or any other shells. I'm sure the potential for data loss is the same, if not greater, on those than on SQL injections. As far as profits go, I would assume that they could be upwards of $100,000, but that is an estimate based upon the earnings of the less-skilled herders.