Infection Kits and Your Databases: Are You Serving Up Viruses?

During my regular presentations and speaking events on database security, I often discuss emerging threats and trends. It’s a constantly changing landscape, so these new threats are also constantly changing.

One that I have been discussing a bit recently are new virus infection distribution mechanisms that rely on a database serving up viruses to unsuspecting clients.

The way this type of attack works is via a web site that stores its data in a database. An attacker exploits a vulnerability in the web site that allows her to get direct access to the database (usually SQL Injection (PDF) or Cross-Site Scripting) and then drops a virus, or more likely a link to a virus into the database. The goal is for the web site to then serve up that link or virus to anyone who visits.

It’s a simple attack that can have devastating results. Nobody expects that when they visit a legitimate website that they could become a target of an attack. When it’s a popular website, the problem can become quite widespread within a very short period of time. It’s a scary scenario, but it is also real and happening today.

We recently saw just this kind of attack occur at BusinessWeek. An attacker exploited a SQL Injection vulnerability on their website and used it to embed java script into the web site’s backend database.

That java script would run on any client that connects to the BusinessWeek site and would attempt to download and run malware hosted on a server in Russia. You can read all about it on the net-security website.

It’s a great example of a new and devastatingly effective distribution mechanism for viruses or malware, and it all could have been prevented with more effective security measures. The website could have been designed with security in mind, and therefore proper input validation that could have blocked the SQL Injection (PDF) attempts.

A web application firewall could have been in place in front of the website, also blocking the SQL Injection attempt. The database could have been protected with a secure configuration so that the application didn’t have privileges to embed the java script, or so that the SQL Injection attempt could have been logged and kicked off a security alert, bringing in the troops to end the problem before it really got started.

Ideally, all these solutions would be in place. A layered defense is the only way to protect your valuable assets. This incident really demonstrates that the risk of an unprotected database is more then simple data theft. Your database could be serving up viruses and you (like the folks at BusinessWeek) may not even know it.

Regardless of whether it’s your data or your reputation, if you operate on the internet, you’d better protect what you value or someone will come and take it from you. To learn more about database security, visit our website at