So the bad guys discovered javascript could be injected into Microsoft databases via poorly written web applications. How did they make hay of that development?
First, the bad guys developed tools to search out SQL vulnerabilities in off-the-shelf and custom web applications being used by web sites all across the Internet. “Automated tools that search for SQL injection vulnerabilities are able to find these vulnerabilities in standard and custom web applications alike,” says IBM’s Stewart. Second, the bad guys began to instruct their botnets to inject malicious javascript into Microsoft databases, via flawed web applications, by the tens of thousands. “They figured out a way to scale it, and make it a broad attack,” says Barnett, of Breach Security. The javascript didn’t do anything terribly invasive. It simply embedded an infection, so that anyone clicking to the tainted webpage thereafter got a backdoor installed — effectively turning full control of the machine over to the intruder.
