Three significant waves of SQL injection attacks appear to be under the control of the same source, according to one security researcher.
Roughly 80,000 Web sites in China, 67,000 in the U.S. and 40,000 in India remain compromised and under botnet control as a result of separate and ongoing SQL injection attacks. The highest infection point during the last three months reached into the millions at one point in China.
The SQL injection attacks have inserted malicious iFrames into legitimate Web sites in order to force visitors off them and onto dangerous malware-laden sites. Mary Landesman, senior security researcher at ScanSafe, says she believes these three waves of SQL injection attacks are likely the handiwork of the same attacker because of the similarity of the domain-name registration information and style of attack.
“It’s the thread of the domain names being used,” Landesman says. Seven of these “mal-domains” — a term coined by Landesman to describe domain names used solely to build Internet infrastructure to spread malware or otherwise cause harm — were registered under the same name and address (which are clearly bogus, being not more than gibberish).
These domain names are now apparently being farmed out across the world as part of the globally distinct attacks in China, U.S. and India.
In this case, the identified domain names were registered using bogus information provided to registrar Go Daddy, which Landesman says is “highly unusual,” since Go Daddy has a generally good reputation and attackers typically prefer “domain name providers that turn a blind eye.”
Ben Butler, director of network abuse at Go Daddy, acknowledges that totally gibberish domain-name registrations can be snuck into the system because it’s automated and not designed to prevent that. But Go Daddy maintains a round-the-clock security response to review information it receives about possible misuse of domain names (via e-mail, for instance, at email@example.com). Butler agrees that criminal abuse of domain names is a serious problem and every effort should be made to counter it.
In the big picture, the problem isn’t specific to any one domain-name registrar, it’s the way the domain-name registration system has evolved that invites such rampant abuse, Landesman says. “We have a system that allows people to provide completely bogus details about who they are,” she says.