Thousands Hit In Broad Web Hack

Discussion in 'other security issues & news' started by Franklin, Nov 8, 2008.

Thread Status:
Not open for further replies.
  1. Franklin

    Franklin Registered Member

    Joined:
    May 12, 2005
    Posts:
    2,517
    Location:
    West Aussie
    Computerworld Article
     
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The article makes reference to the Miami Dolphins website which was compromised in 2007. It was a shocking revelation at that time to learn that it wasn't necessary to frequent the "bad" sites of the back alleys of the internet to become infected. While compromising "trusted" sites was not a new phenomenon, it wasn't on a large scale by any means, and since then, the SQL injections, especially, have compromised thousands of similar "good" or "trusted" sites.

    Rather sensational fodder for the media. However, when examined closely, it becomes less dramatic as far as being a threat to those who take proper security measures.

    As mentioned in the articles, these attacks are in four stages, from the initial connecting to a compromised site, to the eventual downloading of malware on vulnerable systems, without any user action:

    [Image: sql-route.gif]

    Earlier this year, Shadowserver.org published a detailed description of how these types of exploits work.
    Note the reference to the World of WarCraft game -- also referenced in the Computerworld article -- suggesting links to the Chinese group mentioned.

    The Kaspersky article describes the malware as trojan downloaders and trojan droppers.

    Solutions for prevention include:
    • Disabling JavaScript - this negates the redirect in this exploit.

    • Keeping the system, browser (note one Firefox exploit), and plugins up to date on patches. Malware writers know that many people do not keep up to date, hence, as Kaspersky points out, one exploit uses the ActiveX vulnerability (MS08-053) which Microsoft released a patch for less than two months ago. I looked at the exploits described by shadowserver.org back in May and found MS06-014 which has been patched for more than two years! That current attacks would use such old -- yet tried and true -- exploits, tells you something.

    • Security measures to block the downloading of the trojan executables by remote code execution (drive-by download). In looking at what has been discussed in the other anti-malware software forum, I find at least 13 products that will provide protection against this type of attack.
    This type of attack is the easiest to protect against, IMO.

    Other References

    SQL Injection Worm on the Loose (UPDATED x2)
    http://isc.sans.org/diary.html?storyid=4393

    using iframes; difficulty in identifying if a Web site (Web server or database) is compromised
    http://isc.sans.org/diary.html?storyid=4439

    _______
    -rich
     
  3. EASTER

    EASTER Registered Member

    Joined:
    Jul 28, 2007
    Posts:
    5,632
    Location:
    U.S.A. (South)
    Where have they been? Asleep at the wheel? I reported several weeks ago to MIRT where that insidious AV 2009 fake exploit was being systematically and likely at random infiltrating servers where all a user needed to do was land on the page and Presto! here we go again.

    It's up to data center servers IMO to monitor their web hosting services so those exploits aren't sneaked into the websites with the web admins not having a clue until an infection is reported with their IP/website address and hosting outfit notified that they have been hacked.

    I went innocently looking for Northern Lights from a Google Search and on page #2 of a site was met with that exploit.

    Websites not monitored for that particular exploit by either the admin or hosting company are very easy prey for those auto-infect malware exploits, then once injected (PHP), they're off to do that day's list of open sites to infect.

    EASTER
     
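Rmus's post describes how the SQL injection campaigns appended script or iframe redirects to "trusted" sites, and the ISC diary he links notes how hard it is to tell whether the server or the database was compromised; EASTER adds that unmonitored sites are easy prey. The following is an added example (not from the thread, Computerworld, Kaspersky or Shadowserver) of the kind of check a site admin or host could run over stored content to spot injected tags: it flags any `<script>` or `<iframe>` whose source host is not on the site's own allow-list. The table names, the `ALLOWED_HOSTS` set and all sample rows are constructed.

```python
"""Flag script/iframe tags in stored page content that point off-site.

Mass SQL-injection campaigns of the kind discussed above tacked a
<script src=...> or <iframe src=...> onto text columns, so every page
that renders the field pulls the attacker's redirect. Sample data here
is constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Hosts this site legitimately loads scripts/frames from (assumed set).
ALLOWED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}

# Matches <script ... src=URL or <iframe ... src=URL, quoted or not.
TAG_RE = re.compile(
    r"<(script|iframe)\b[^>]*?\bsrc\s*=\s*[\"']?([^\"'\s>]+)",
    re.IGNORECASE)


def external_sources(html):
    """Return (tag, url, host) for each script/iframe src not on the allow-list.

    Relative sources such as /js/a.js have no host and are skipped,
    since they are served by the site itself.
    """
    hits = []
    for tag, url in TAG_RE.findall(html):
        # Scheme-less src values ("evil.example/x.js") are made parseable.
        host = urlparse(url if "//" in url else "//" + url).hostname
        if host and host.lower() not in ALLOWED_HOSTS:
            hits.append((tag.lower(), url, host.lower()))
    return hits


def scan_rows(rows):
    """rows: iterable of (table, column, row_id, text). Returns findings."""
    findings = []
    for table, column, row_id, text in rows:
        for tag, url, host in external_sources(text or ""):
            findings.append({"table": table, "column": column, "id": row_id,
                             "tag": tag, "src": url, "host": host})
    return findings


# Constructed sample rows: one clean, two carrying appended redirects.
SAMPLE_ROWS = [
    ("products", "description", 1,
     "Red widget. <script src='https://cdn.example-shop.test/zoom.js'></script>"),
    ("products", "description", 2,
     "Blue widget.</title><script src=http://injected.example/ngg.js></script>"),
    ("news", "body", 7,
     '<iframe src="http://frame.example/in.cgi?3" width=0 height=0></iframe>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Because the ISC diary cited above points out that the injection may sit in server files rather than the database, the same function should be run over the files in the web root as well as over exported table rows.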