SQL injections dominated malware in 2010, as Gumblar botnet named as 'the most significant malware development in years'

The number of IPS SQL injection signature firings increased substantially in the second quarter of 2010, following a downturn.

Cisco's global threat report for the second quarter of 2010 revealed that IPS SQL injection signature firings increased substantially in the period to coincide with outbreaks of SQL injection-compromised websites. It also claimed that Asprox SQL injection attacks made a reappearance in June of 2010, after nearly six months of inactivity.

Mary Landesman, senior security researcher at Cisco, told SC Magazine that this was one of the most interesting findings of the report: web-based malware had increased, and the research showed that SQL injection flaws were leading to compromised web servers.

Landesman said: “SQL reappears in this period, but we can predict with some certainty where the next wave of SQL injections are coming from using our statistics.”

The report also found that 7.4 per cent of all web-based malware encounters in the first quarter of 2010 resulted from search engine queries, while nearly 90 per cent of all Asprox encounters in June of 2010 were the results of links in search engine results pages.

Asked how this figure was determined, and why it appeared so low given that a recent report by Barracuda Networks had found that 69 per cent of Google links were malicious, with Bing, Twitter and Yahoo not far behind, Landesman explained that the data was collected from actual user clicks rather than from overall detections.

She said: “This is based on actual users who encountered malware and on actual events. You can do a search and count a theoretical risk; we are reporting on actual events, and I see that as a high figure. The only one that tops it is Gumblar.

“You can have a SQL injection which is only one event, yet it could be millions of sites that are affected overall. The 7.4 per cent figure is reflective of a very high number of websites. We see reports from Twitter, Facebook, web browsing and through email; there are different ways of accessing malicious content.”

The Gumblar ‘botnet’ of compromised websites was first detected by ScanSafe, which was acquired by Cisco at the end of 2009, as a collection of websites being used to distribute web-based malware.

Asked if it was still active, Landesman called it ‘the most significant malware development in years’. She said: “We took notice of trusted websites and the themes on the website, and Gumblar took it to a new level with botnets of compromised websites.

“It attacks the site to give it total ownership and can do what the owner wants. The FTP credentials are compromised. Malware has got to come from somewhere: one ‘bad’ site hosts the malware, and all ‘good’ sites are outfitted with iFrames that are pointing to the ‘bad’ sites, and can neuter the attack.

“Now with Gumblar, once you have a backdoor you have a ‘good’ site hosting malware, and it puts more onus on the owner of the ‘good’ site to get it cleaned up, and that is a very hard effort.”

Landesman also commented that a number of Gumblar copycats have appeared, and that while the number of websites being copied is becoming smaller, the overall number of attacks is increasing and continues to rise at a high rate.
