I called this one the day after the first wave of mass SQL Injection attacks came out. I told Jeremiah that we would see botnets doing this attack shortly as it was much more efficient. A few weeks later and boom, Botnets performing mass SQL Injection.
The interesting thing about these attacks so far is what they are actually doing. They are not attempting to steal data out of these databases directly; they are populating the pages with links that attempt drive-by malware installs by exploiting browser vulnerabilities. It was pretty successful, but SQL Injection is a vulnerability that is on the decline (and will decline even more after this attack). I began thinking about vulnerabilities that would do the same thing but have a much broader reach.
Our good friends XSS and CSRF.
So here is the attack.
- Find a few permanent XSS vulnerabilities in some high traffic sites.
- Find some CSRF vulns in popular blog and forum software.
- Craft your payload.
- Profit!
So the bot software basically sits back and waits until the computer it is on visits a vulnerable site, then places its payload in the vulnerable spot. With a little more code to check whether you are permanently logged in, it could of course do this without you visiting the site at all.
Considering the number of sites with XSS and CSRF this attack would dwarf the current SQL Injection attack happening today.
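The two application-side fixes that break this chain on the blog/forum side are a CSRF token bound to the session and output encoding of stored user content. The example below is added here to illustrate both and is not code from the original post or from any particular blog or forum package; it assumes a request represented as a plain dict (`cookies`, `headers`, `form`), a hypothetical `SITE_ORIGIN`, and a server secret that would normally be loaded from configuration rather than generated at import time.

```python
import hmac
import html
import secrets

# Constructed values for the example; a real deployment loads these from config.
SITE_ORIGIN = "https://forum.example"
SESSION_SECRET = secrets.token_bytes(32)


def issue_csrf_token(session_id: str) -> str:
    """Synchronizer-token pattern: derive a token from the session id under a
    server-side secret and embed it in every state-changing form. A page on
    another origin can make the browser send the session cookie, but it cannot
    read this token, so a forged POST cannot include it."""
    return hmac.new(SESSION_SECRET, session_id.encode(), "sha256").hexdigest()


def csrf_token_valid(session_id: str, submitted: str) -> bool:
    """Constant-time comparison of the submitted token against the expected one."""
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(expected, submitted or "")


def session_cookie_header(session_id: str) -> str:
    """Set-Cookie value that keeps the session cookie off cross-site requests
    (SameSite) and out of reach of script (HttpOnly), a second layer under the token."""
    return f"session={session_id}; Path=/; Secure; HttpOnly; SameSite=Lax"


def render_comment(text: str) -> str:
    """Encode on output so stored markup is displayed as text, not executed.
    Escaping quotes too keeps the value safe inside attribute contexts."""
    return html.escape(text, quote=True)


def handle_post_comment(request: dict, store: list) -> tuple:
    """Handle a comment POST. Returns (status, body).

    Order of checks: authenticated session, CSRF token, origin header, then
    store the raw text and return the encoded rendering."""
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "login required"

    if not csrf_token_valid(session_id, request.get("form", {}).get("csrf_token", "")):
        return 403, "csrf token missing or invalid"

    # Browsers send Origin on cross-site POSTs; when present it must match our site.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"

    text = request.get("form", {}).get("body", "")
    store.append(text)  # store the raw text; encoding happens at render time
    return 200, render_comment(text)


if __name__ == "__main__":
    # Constructed walk-through: a legitimate submission containing markup.
    comments = []
    sid = "sess-demo"
    token = issue_csrf_token(sid)
    req = {
        "cookies": {"session": sid},
        "headers": {"Origin": SITE_ORIGIN},
        "form": {"csrf_token": token, "body": "<b>hello</b> & goodbye"},
    }
    print(handle_post_comment(req, comments))
    print(session_cookie_header(sid))
```

The token check stops a cross-site form from posting under a logged-in user's session, and the output encoding means that even a comment that does get stored is rendered as inert text rather than as markup the next visitor's browser would execute.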