Mass Injection Compromises More than Twenty-Thousand Web Sites

Discussion in 'other security issues & news' started by Thankful, Jun 3, 2009.

Thread Status:
Not open for further replies.
  1. Thankful

    Thankful Savings Monitor

    Joined:
    Feb 28, 2005
    Posts:
    3,736
    Location:
    New York City
  2. optigrab

    optigrab Registered Member

    Joined:
    Nov 6, 2002
    Posts:
    624
    Location:
    Brooklyn/NYC USA
    This is bad. Thank the maker I use Sandboxie. I tell you, my understanding of infection vectors is more than a couple of years behind the times. :doubt:
     
    Last edited: Jun 4, 2009
  3. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    This Websense article is a very instructive one for security-minded people to study.

    First, as with many such articles that give quite (seemingly) startling statistics, it is picked up by other news organizations (guaranteed to attract lots of readers):


    Well, the number of sites seems to have increased since these articles are a couple of days later (Websense appeared May 29). It's the numbers, of course, that are supposed to impress us.

    But in another place on their site, Websense states that their ThreatSeeker™ Network
    "scans more than 40 million Web sites for malicious code every hour."

    Somehow 20 - 40,000 doesn't seem like a large percentage when viewed against the total survey.

    But on to the report. If we are looking for information about the mass injection attack and how we might be affected, thus, how we might protect against it, what do we learn from the Websense article:

    • First, javascript on the legitimate site triggers the redirection to an active exploit site. Turn off Javascript? But suppose the legitimate site you are visiting is one where you permit Javascript? Away you go to the exploit site.

    • Second, you can block the fake google-analytics domains, if you knew them. But this would be just a temporary bandaid, since there have been and still are many mass injection attacks that don't use this trick.

    • Third we learn that the exploit site has "various attacks" but no specifics. Websense gives a snippit of the code but they don't decipher it for us.

    • Fourth, a malicious file is run, but we don't know what that is.

    • Last, if you depend on AV, you are worried.
    However, never fear, help is near:

    There you are!

    Not too comforting if we are not one of their customers. So, we have to look elsewhere for more information. Searching for "mass injection attacks" brings up lots of sites and if you poke around you can find more thorough analyses.

    It turns out that this is just a variation on continuing code injected attacks, probably by SQL injection into legitimate sites whose servers have unpatched vulnerabilities. Note that the Register article quoted the Websense researcher about SQL yet Websense didn't elaborate on this in their own article.

    From other sources: The code in the injected legitimate site calls out to another site to load a javascript file which identifies the browser. If IE, it serves up old, patched exploits that target that browser. If not, then one of the current PDF exploits.

    So:

    If you use IE: if patched, nothing happens.

    If Firefox or Opera, by now with the PDF exploits being "old stuff"' you know that disabling the Reader Plug-in to keep the PDF file from loading in the browser nullifies the exploit. This applies also to IE if that browser is targeted with a PDF exploit.

    Finally, you have (or should have) your own protection against the resulting malware executables in a drive-by attack, should all else fail.

    CONCLUSION

    • Articles about attacks often focus mostly on the sensational aspects and don't give much useful information for zeroing in on the specifics so that you know exactly what you are protecting against.

    • This particular article seems to be an Alert for their customers, rather than a Research Report or White Paper which appear on another page of their site.

    • Spending time looking for other sources will give you better information. Sometimes you have to dig and follow lots of links, but you eventually get to the pertinent stuff.

    • Some of the articles may seem technical, but just look for what a script does, for example:

      Malicious “Stats” from 84.244.138.0
      http://blog.unmaskparasites.com/2009/04/02/malicious-stats-from-84-244-138-0/

      We see that the code in the legitimate page loads another javascript file: ga.js or stats.js
      (Note how the code can be copied for analysis, unlike the Websense article.)

      After awhile, you begin to pick up on what is going on behind the scenes in these attacks, and it becomes evident that they are not so difficult to protect against.

    ----
    rich
     
    Last edited: Jun 3, 2009
  4. Sully

    Sully Registered Member

    Joined:
    Dec 23, 2005
    Posts:
    3,719
    @Rmus, nice walk through of logic.

    About those .pdf attacks. If you have no plugin for .pdf, and you download the rogue .pdf, what happens if you view it in 3rd party like foxit?

    Sul.
     
  5. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Sul.

    You can't tell whether the bad file PDF file exploits Adobe or Foxit. In both cases -- assuming an unpatched REader -- the exploit code will call out to download the malware, so a firewall that monitors outbound connections will catch the attempt. And in your case, Software Restriction Policies would block the attempted installation of the malware executable.

    You can keep up with the exploits for both:

    Foxit
    http://www.foxitsoftware.com/pdf/reader/security.htm

    Adobe Acrobat
    http://www.adobe.com/support/security/?securityadvisoryproduct=#acrobatwin&Submit=Go


    Here is one analysis of a PDF file exploiting Foxit:

    foxit-2pdfAnalysis.gif

    So you can't be sure about a PDF file unless you can analyze it.

    But the filenames for these in the exploits are suspicious, so normally one would question that, and also the source of the file. Hopefully one wouldn't open a PDF file received in an unsolicited email!

    ----
    rich
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    Seems to me, the proprietors of compromised websites should also take proactive measures to protect users of their sites.

    It's a tall mountain to climb expecting all computer users to be knowledgeable in the nuances of security on the internet.

    Sensationalist headlines are certainly overdone especially when they are self serving and point the way to a product or service. However, information is for thought no matter how it is presented.

    It is up to individuals to make the decisions on how they proceed to protect information on their computers.

    It is up to the security minded users, many that pass through these forums, to help them in any way possible.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For sure! How should they do this?

    Articles refer to the ease with which malware writers find ways to inject code into websites. How can proprietors discover these vulnerabilities?

    For example, could Wilders Security Forum be exploited with a code injection?

    If not, What do the proprietors here do to prevent this?

    EDIT: Rhetorical questions, for I'm not expecting any secrets to be revealed: just general ideas!

    thanks,

    rich
     
    Last edited: Jun 3, 2009
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    Hi Rich

    Excellent as always. Thanks for being here.

    Pete
     
  9. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,772
    Location:
    Texas
    The very same way all of us do. By using proactive thinking, using antimalware software, with the knowledge all software can be compromised and using sources to gather information.

    As you know, some very well known anti-malware software companies suffered some of these injection exploits recently. The only way they knew of the problem was the malware purveyors gloated over their accomplishment online. I imagine they check their sites more closely now.

    When SQL Injections Go Awry, Incident Case Study
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for the article!

    I think many people here focus on what happens if we encounter a compromised site, and don't think so much about web proprietors' responsibility to protect their sites.

    ----
    rich
     
Loading...
Thread Status:
Not open for further replies.