The Monday After The SQL Storm
Posted by John Kuhn on August 30, 2010 at 4:33 PM EDT.
If you look back at past X-Force Trend and Risk Reports and thumb to the SQL injection charts, you'll notice something interesting: once a year, for the past three years, the IBM Security Operations Center has picked up a globally scaled SQL injection attack.

The anatomy of these attacks is generally the same: they target .asp pages that are vulnerable to SQL injection.
The 2008 attack looked like this, using a CAST statement and hex encoding to obfuscate the true injection string. The source of this attack was a group/botnet/worm called Asprox, and it was massively successful, compromising thousands of websites.

In 2009 we again saw the same attack methodology; the only difference was the resulting payload. The source of this attack was again Asprox, with more varied success this time because people had put countermeasures in place.

Now, in 2010, the same attack methodology is in use, but some of the mechanics have changed. The obvious addition is l33t speak :), used to evade poorly written regex filtering. The new statement, once decoded, contains another CAST statement, giving two layers of obfuscation. The attack is very similar to Asprox but uses slightly different techniques, and because of this it is more popularly known as dnf666, taking its name from a URL encoded inside the payload.

The dnf666 attack has finally subsided, and we are now observing very few attacks. As you can see in the chart, increased activity started on 07-14-10 and ended on 08-17-10, peaking on 08-09-10 with over 7000 attacks across our customer base.

This year, thanks to the work of X-Force developer David Means, we have a specific signature for coverage named SQL_Injection_Declare_Exec, which focuses on the key SQL statements. We still encourage the broader SQL_Injection signature for protection, however, as it covers far more than one method of injection.
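To show how the layers described above come apart on the wire, here is a small Python normaliser added for this post (it is not X-Force code and not the SQL_Injection_Declare_Exec signature): it URL-decodes a query string, decodes every CAST/hex layer until none remain, and then looks for the DECLARE, EXEC and CAST statements in any layer. The sample requests and the l33t substitution table are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Hex literal, bare or inside CAST(0x... AS VARCHAR(n)); the real statement sits inside it.
HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]+)")

# Key statements the SQL_Injection_Declare_Exec signature focuses on. The digit
# alternatives (3 for e, 4 for a) are an assumed model of the l33t substitutions
# the post mentions, not the exact set the attack used.
KEYWORDS = {
    "declare": re.compile(r"\bd[e3]cl[a4]r[e3]\b", re.IGNORECASE),
    "exec": re.compile(r"\b[e3]x[e3]c\b", re.IGNORECASE),
    "cast": re.compile(r"\bc[a4]st\s*\(", re.IGNORECASE),
}

def _decode_literal(match):
    """Replace one 0x literal with its bytes; an odd digit count is not a byte string."""
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    return bytes.fromhex(digits).decode("latin-1")

def decode_hex_layers(text, max_layers=5):
    """Decode hex literals in place, repeating while a decoded layer exposes a
    further literal. Returns every layer, outermost first."""
    layers = [text]
    for _ in range(max_layers):
        decoded = HEX_LITERAL.sub(_decode_literal, layers[-1])
        if decoded == layers[-1]:
            break
        layers.append(decoded)
    return layers

def analyse_request(query_string):
    """URL-decode a query string, strip every hex layer and report which key
    statements appear in any layer; DECLARE plus EXEC is the signature's focus."""
    layers = decode_hex_layers(unquote_plus(query_string))
    hits = sorted(name for name, rx in KEYWORDS.items()
                  if any(rx.search(layer) for layer in layers))
    return {"layers": len(layers) - 1, "keywords": hits,
            "suspicious": "declare" in hits and "exec" in hits}

# Constructed sample requests, not captured traffic; the two-layer one copies the
# structure only and its innermost statement is deliberately inert.
INNER = "declare @x varchar(64); exec(@x)"
LAYER2 = "set @x=cast(0x" + INNER.encode().hex() + " as varchar(64))"
SAMPLE_REQUESTS = {
    "benign": "page=3&sort=name&q=hello+world",
    "hex_id": "token=0xdeadbeef",
    "two_layer": ("id=1;dEcLaRe+@s+varchar(4000);set+@s=cast(0x"
                  + LAYER2.encode().hex() + "+as+varchar(4000));eXeC(@s)"),
}
```

Running analyse_request over SAMPLE_REQUESTS flags only the two-layer request, while the legitimate hex token decodes once and matches no statement.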
SQL injection is something everyone who designs web applications needs to prepare for; code auditing and penetration testing are a must before you publish. It is one of the leading attack vectors because it is simple to perform and scales to compromise large numbers of web servers across the Internet.

