Relentless Web Attack Hard To Kill
ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."
to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.
No colour or religion ever stopped the bullet from a gun
Kaspersky is so brilliant, it locks up every time I try to do anything with it.
Then again, my AVG hasn't updated properly all week...
Dammm,
Where's the "-1 fail"
An SQL query goes to a bar, walks up to a table and asks, "Mind if I join you?"
At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.
Just yet another reason, besides bandwidth, to get Flashblock.
And install as few as browsers plugins/ActiveX as possible.
Why is it that when someone decides they have the karma to burn and make a "first post", someone else already posted something long and informative?
If you're going to waste the karma, at least do it right. Sheesh.
NoScript is one of the best ways to avoid viruses that are distributed from the web.
You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.
The dangers of knowledge trigger emotional distress in human beings.
SecureWorks: Can I have a copy of your super secret automated tool?
ChineseUnderground: No...
Secureworks... Announcing the fact that you're trying to covertly gain access to these tools rather defeats the point, don't you think? It's like going into the ghetto with a sign on your back that says "Undercover Drug Officer". Secureworks, I see two possibilities for this level of stupidity: Management, and your researchers. If by some statistical fluke it was your researchers that had the idea of publicizing this... please have your researchers develop some street smarts and common sense. I don't mean this as a dig at you; this is professional advice... Get them out of the labs and back into the real world and do it now before you really embarrass yourself. Now, the more likely answer is someone in management thought this would be a great opportunity for publicity. Shoot them... and use silver bullets. PHBs are notoriously hard to kill.
#fuckbeta #iamslashdot #dicemustdie
Can someone explain to me how websites get infected?
Oh, that's right, running ads and other shit from shady people (directly or indirectly).
I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.
Don't worry, your "-1 fail"® moderation is being applied at this moment. Thank you for using Slashdot©, please come again.
Should have mentioned: Kaspersky's on my work PC, and AVG on my home PC.
I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?
Not really - but it would be ironic if it was
...AVG...
<mechanic>Well there's your problem.</mechanic>
"Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford
We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.
Full story on my blog:
http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php
"The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "
This is why I don't believe in "Trusted" computing.
When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.
(This post brought to you by Kapersky Labs. Not detecting SQL injection vulnerabilities on servers since 2003!)
Web2.0: I love when people Flickr my cuil and digg my boingboing until my google is reddit and I start to yahoo
Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russel to help?
If so, that would be AWESOME.
sudo eat my shorts
Didn't you RTFA? This story is about how Kaspersky caught the attacks... :S
It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.
What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.
Maybe they were able to highjack the OP /. account using this exploit, who knows ?
And it would be a really good proof of concept: "look, even a Slashdotter with a 2-digit ID is powerless, you're doomed, so please buy our products".
Do you know what an SQL injection attack is?
Clue: It's not something an antivirus can ever protect people from.
No sig today...
Did everyone miss the fact that the toolkit responsible includes some hefty DRM?
Where's the outrage?
Why aren't we demanding an open source solution?
This is going to sound like a little bit of double speak but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.
Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.
Noscript also helps, but isn't perfect either.
Where's the "-1 fail"
In your heart, my friend. In your heart.
The enemies of Democracy are
Good point! We'll need a "-1 not funny" while you're at it, too!
I think you dropped this.
Amazing! You're telepathetic!
You can't take the sky from me.
"I'd like to see your virus checker automatically rewrite your web application to use input filtering."
Now that's an Anti-Virus software I'd pay for!
Spelling and Grammar errors have been added to this post for your enjoyment
What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.
Uh, this exploit is targeting ASP/MSSQL.
And to be fair, there are two attacks going on. #1 is getting the SQL on the server (which is impossible to detect unless your code is ok) and then there are the aftermath attacks that the SQL code launches when a browser executes Javascript when browsing, WHICH KASPERSKY PROTECTS YOU AGAINST.
Unless you run a website, you won't care about the first attack, and the second one you ARE protected against if you have a decent configuration.
Sure! They can block users from nasty ol' Capitalist porn. But, do they keep users from attacking overseas networks? Noooooo.
Sorry. I'm in touch with my inner child today.
Having to work for a living is the root of all evil.
Why do you say that? They patch ALMOST every hole within AT LEAST 8 years! http://tech.slashdot.org/article.pl?sid=08/11/12/199215 Sigh.
zsh% apt-cache search kaspersky
zsh%
So? Before you do free advertisement, do some more research: http://blogs.zdnet.com/security/?p=1516 They can't even protect their own sites ...
You're right to publicise a good product that I also use and recommend. However:
Most people that get caught by malware don't understand all these arcane details.
Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.
Bad web sites / pages don't just install viruses.*
http://xkcd.com/327/
I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.
I guess you need to have someone explain it...
"researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks"
I wish my job description sounded as exciting as this one.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
I think I understand it better than you do. The SQL injection is the tip of the iceberg.
You have your run of the mill garden variety SQL injection that can bypass security and get user passwords on a website, which GRANTED have little to do with anti-virus.
But the most robust and versatile attack using SQL injection is to gain access to visitor computers via Javascript executed trojan horses and malware being hosted in the databases. Kaspersky protects you from... the activity of those types of security risks.
No matter where malware comes from, suites like Kaspersky track and disable the aftermath of how bad stuff got on the internet.
SQL injection is just the method in which people bypass server security, but the RESULT is that people who haven't updated windows or who don't run a good anti-virus (ie: kaspersky instead of AVG) will possibly become infected with some really NASTY rogueware that was downloaded from reputed sources.
Chances are if you run Noscript, you allow these trusted websites, and therefore you could easily get pwned if the site in question suddenly becomes a launchpad for malware/spyware/trojans/keyloggers.
So perhaps that sheds some light on my original comment, which has been mod-bombed because mods don't think before they mod, and at times they tend to get overwhelmed to the noise from users who also forgot to think before responding.
Phase 1: Kaspersky can't protect you against, but the attack isn't directed at end users, only databases.
Phase 2: Kaspersky protects against all kinds of nasties that could be pushed onto your system by the original SQL injected/compromised website and that truly is what matters as a last and final line of defense.
I keep seeing "SQL injection", but injection into what? PHP? ASP? Plesk? Something else? Specific scripts, or the language engine itself?
For example:
http://www.aqtronix.com/?PageID=99
Presto.. you're safe from sql injection
Government Website Appears To Be Designed Stupid
Part of the Second American Revolution!
If you're going to show off, do it right.
Many continuous distributions are not normally distributed, and no discrete distributions are. So don't understand the 'especially if it is a continuous variable' part. Should be 'only if'.
He said the average, not the median. Sure, for a perfect normal distribution all 3 measures of central tendency are the same - mean, median & mode. Of course, in real life this never happens.
So the other AC got it right...'fully half if even number' is only right interpretation for all cases.
Meanwhile, your point was?
Okay keep using Noscript. I don't have a problem with that, but be warned that you are not fully protected by Noscript when the website you TRUST is attacked by an exploit like SQL injection, because YOU TRUST THAT WEBSITE.
White-lists are better than no-lists, but they aren't perfect.
...roughly half of them being below average, as the OP pointed out.
Thanks all for playing a rousing round of Pageant of Pedants.
I wonder how many of the malicious servers the injected SQL dumped the users into were hosted on McColo - and are thus now not available?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Seriously, SQL Injection is one of the simplest attack vectors to prevent. If you can't prevent SQL injection, you should not be allowed to write a web application.
Chinkies broked the web. :(
Okay, now that there is a black president you realized that being racist against blacks would be unpatriotic ... so now you go after Chinese instead?
I for one (don't) welcome our new sino-phobic first-posting anonymous-coward overlords...
My favorite quote doesn't fit into 120 characters. Now no one will like me.
You know, something just occurred to me. The biggest reason SQL injection attacks are so common is that SQL allows multiple commands per input line and allows you to comment out the rest of the line, neither of which is useful when called from a programming language (or really anywhere outside of dump/restore tools). If you built a custom SQL library that PHP/Perl/* linked into that would return an error and do nothing if it detects more than one command or a comment start character anywhere in a command, injection attacks would become dramatically harder, if not impossible. At best, an attacker would merely be able to change additional fields in a table that were not changed in the original query, a security flaw that is much less problematic than the more general case of injection attacks....
Check out my sci-fi/humor trilogy at PatriotsBooks.
NoScript is likely to protect you anyway
There's a browser safer than Firefox, it is Firefox, with NoScript
FlashBlock is handy, but not a security tool.
He's only half black. He's also half white.
PHP is just as vulnerable to SQL injection as ASP...I think he was speaking in generic terms.
The problem isn't in the scripting engine. The problem is bad code. You can put a bad developer in front of system you want, and he'll still write bad code.
Ride the skies
Can somebody clarify this article?? Wtf has SQL got to do with javascript??
And not only that - WHICH SQL server??
I'm guessing it's a proprietary one made by a certain large company legendary for their crashware and cheezy interfaces, but maybe that's unfair.
Who would know!! IT Journalism standards have dropped through the floor unbelievably.
Devil's advocate... once you have access to the database, you could have root. With root you could host the JS off in the rhubarb on the victim server, where it could be called from within rewritten field data wherever HTML would be expected. On sites like travelocity (one of the targeted websites) this could be anything from the CMS story/article fields to the ad banner code... sky is the limit and that also explains one possible avenue for repeat attacks, post-patch.
Therefore while in SOME CASES, Noscript keeps you safe -- it's not 100%.
Neat idea, but this is MSSQL so you know that won't be the case by default. The number one reason people use MSSQL is so that businesses can support requirements from other online packages that drive websites as well as other functions... from hosting solutions to special funky elitist blackberry/email/IM/domain/remote access package type applications.
I worked for a place that was a Gold partner, and they had access to it all and very few of them really know what was under the hood in terms of security, protocols or potential problems. I mean these guys all used default settings.
Their reason for selling MSFT was to make money by delivering a value-added service, and while security always sort of played into things, they didn't have the people to make it happen really and that's one of the reasons I left... being overworked and under-appreciated.
And MSFT will pamper you if you're a Gold partner, until you have a real question... they give you a URL and smile... but the answer is never 100% what you want or need to know unless you know somebody who is an expert at the jargon, the design, the implementation and the focus behind the whole system... good luck!
So what you need to realize is that this company like most other MSFT customers, and there are so many, all want the same thing -- rich features. You can't possibly expect SQL packages to only allow one SQL call at a time. MSFT conforms to customers while limiting certain things, but you can't put Pandora back in the box. Now that it's allowed, it must be backwards compatible and therefore that could never happen.
Oh sure you could invent an attachment that interfaced with MSSQL to check against it, but then you'd have to open a channel to the other feature-ridden facets of each application. You would drive yourself nuts -- not to mention how long it would take to process your data, one call per line.
They'd find a work-around, IMHO.
No the best bet is to keep it simple. Use trusted products, and keep an eye on securityfocus for patches and exploits so you can catch stuff ahead of time.
MSSQL and all the supporting packages available is a huge system, really, and there are many different ways to create unexpected results (which is the cornerstone to any good exploit).
We're currently trying to upgrade a .NET 1.1 web application to .NET 3.5. I assure you that Microsoft didn't appear to have backward compatibility on their minds when they went from .NET 1.1 to .NET 2.0.
"I have never let my schooling interfere with my education." - Mark Twain
Why can't web dev languages (PHP/ASP/Java etc) and databases add language features to A. make writing database-driven web apps the RIGHT way easier than doing it the WRONG way and B. sanitize database inputs to stop this rogue SQL before it gets run by the database?
Now that you mention it, isn't messing with DRM illegal circumvention?
The Chinese have turned our IP law against us!
Is this going to be another Tiger Woods? He was black, now he's half black, and if he does a good job in his first term, he'll somehow be asian...
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
Are you insane? Write parameterized SQL for all your queries and this just won't happen - setting your name to ';-- drop table users;' will just result in funky display logic.
Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."
Secureworks needs to buy the tool to figure out how an SQL injection works? Come on, this sounds like just a plug for a vendor. Paying for the tool simply encourages more black market exploit trading rather than proper disclosure methods.
So supposedly patched servers are re-infected? Hint: don't use 'sa' as your password. Secondly, before you get all Gibsonian about "infiltrating the Chinese underground", stop, and think about what you're saying. You sound like a retard.
I want to delete my account but Slashdot doesn't allow it.
Well said. Prepared statements do not solve all problems. Malicious content can be inserted without inserting SQL.
In theory, there's no difference between theory and practice; in practice there is.
I do use parameterized SQL when it is convenient in the particular programming language I'm using. When it isn't, I'm religious about writing functions that do proper quoting of values and always using them for values that are not known to be numeric... in much the same way that I'm religious about casting numbers in PHP with (int) to ensure no non-numeric crap gets in where I'm expecting a number. Those are all fairly basic security measures that every PHP programmer should use with regularity.
I'm not talking about making changes to the SQL database to avoid fixing bugs or looking for bugs in my own code. Even if my code were known to be flawless and used only parameterized SQL, I would still want additional protection from these sorts of injection attacks at the database layer. Why? While the parameter handling code might in theory be less likely to contain mistakes than hand-rolled code that does the same thing, if there were a bug in the shared code that does the quoting behind the scenes when inserting the parameters into the queries, it would be much more likely to get exploited because the same flaw would be shared across many more pieces of software, and so would be widely known (not to mention that it might be detectable with something as simple as a web server version string). As such, explicitly disallowing both "--" and ";" in queries would still be useful changes that would provide additional hardening even if nobody used any non-parameterized SQL at all.
Also, I didn't write every line of code that runs on my web server. There are third-party bits of code lurking. I try to keep them isolated into their own databases (with their own login credentials and locked down permissions) so that they can only harm themselves (and only to a limited degree), but that only limits the damage that they can cause, and not nearly as much as I'd like. Any extra layer of added security would be beneficial, IMHO.
HEY! Show some respect for the elder! I'm sure Kaspersky was great at some point and the poor old man is just remembering the good old days ;)
Connection closed by foreign host.
Yes, you're right on the fact that a targeted attack might inject on-site content which might be allowed by your whitelist, but this is an unlikely scenario, especially in mass attacks like these, because for the attacker it is much more practical to inject a small, stealthy inclusion and host the real payload elsewhere, on a server in his full control where he can log the activity and/or mutate the code as needed. Furthermore, you can configure NoScript to execute plugin content (e.g. Flash) on demand (after clicking on a placeholder) on whitelisted sites as well, hugely reducing the attack surface even on trusted pages.
If you built a custom SQL library that PHP/Perl/* linked into that would return an error and do nothing if it detects more than one command or a comment start character anywhere in a command, injection attacks would become dramatically harder, if not impossible.
PHP's database drivers already kind-of work this way: they only run the first statement of a multi-statement query.
eg:
"SELECT * FROM foo; DROP TABLE foo"
Only the select statement will be passed to the database by the driver. The successive statements are quietly ignored.
Of course, this only protects against one class of injection attacks, and doesn't help if the first statement is targeted.
I'm inclined to agree. It's not like being asked to write a sorting algorithm that runs in constant time; it's simply not being a lazy moron. Maybe we need to develop a web programming language where string concatenation takes markedly more effort than adding proper parameters to a query.
PHP database connection drivers* will not allow you to execute two SQL statements in one call, effectively limiting the impact of injections to extending the SELECT rather than an INSERT.
Of course, this can still lead to the compromise of admin accounts if you write bad code (which unfortunately covers a lot of PHP code) and "manual" injection from there on.
*Well, I think it's the PHP drivers - it could be just the MySQL/PostgreSQL C drivers that do it. In any case, ASP/MSSQL combo is vulnerable whereas the PHP/MySQL one is not.
I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.
I take every post I read on /. with a grain of salt. I speak as a high school dropout and raging alcoholic.
Custom HOSTS files are more comprehensive, for one thing, and multiapplication as well as multiplatform for TCPIP.
(They are more comprehensive, in that you blockout bad sites before you can even be stricken by them, and if you can't go into the kitchen, you can't get burned because they cover more than just a single webbrowser, as in the case of NoScript (not a bad thing to have installed in FireFox though, I use it myself, in combination with WOT, FlashBlock, AdBlock Plus, & Perspectives .xpi security addons, no others))
Other browsers (all) like Opera &/or IE are even covered, along with email programs (really, any app that accesses the world-wide web, in fact).
A good custom HOSTS file is featured here and has a good writeup on how to use them as well as maintain them and why:
http://ashentech.com/index.php?topic=1391.msg11023#msg11023
It has a large HOSTS file attached there, updated today in fact (as to known reputable lists as regards known malware or malscript serving websites to block out) from:
STOPBADWARE.ORG
SPYBOT SEARCH AND DESTROY
DANCHO DANCHEV ZDNET SECURITY BLOG
HOSTS FILES FEATURED AT WIKIPEDIA
(All those sources, merged into 1 large 12 MB HOSTS file (the DNS Client service must be stopped to use it, & that saves CPU cycles, RAM, & other forms of I/O since you don't really need it on a single machine connected to the internet), updated regularly each week, fully alphabetized inside and repeat entries removed).
Open it in a text editor like notepad.exe and you will see it is all business, and to the point. Not much in the way of this custom HOSTS file having documentation in it but the URL above provides that as to how to use it for the most part.
The file also speeds you up (beyond its showing you how to speed up access to your favorite websites inside of it, by avoiding DNS calls alone and more or less acting as your own DNS server yourself, via the HOSTS file and possibly some registry hacks to 4 small entries that is very easy to do and the URL above gives accurate directions on how to do so and with the tools you need regedit.exe).
This HOSTS file does so, by blocking out every known adbanner server out there (and by not 'streaming in' yet more unneeded data from other servers for adbanners, as well as running their code burning CPU cycles on it (code that mind you may be compromised and house viruses and spywares, this has been happening the past 3 or 4 years now)) as well as secures you from reliable reputable sources, noted above.
Custom HOSTS files, while in combination with tools like:
NoScript in FireFox (only this browser unfortunately)
Opera's native ability to turn off javascript globally (and make exceptions by site no less via rightclicks on website pages)
Internet Options for IE (turn off javascript)
These, along with a good HOSTS file is an excellent start for an internet defense vs. infestors/infectors.
Supplement HOSTS & the tools noted above, and these:
A good software Firewall program (one that caps both inbound and outbound and notifies you of outbound calls especially)
A good hardware NAT true stateful packet inspecting "firewalling" router
Port filtering
Keeping your OS and apps + drivers patched
Do these things & use those tools, and, you have a better than not chance of staying safe online, if not never infected or compromised, and going faster online as well for a bonus - that's fairly certain.
There is more you need to do, such as hacking the registry and other configuration files, for really strong security online, but this setup noted is a decent start at least and very easy to implement.
A good overall security guide is here:
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
htt
They definitely did intend to involve backwards compatibility, although you are correct in reminding us that MSFT did it wrong (as usual). That underscores my original point that they will try and keep things compatible, so they will not intentionally try and break a feature. MSFT has no qualms breaking a product's functionality, but they always resist trying to remove features.
Imagine proposing one-SQL-call-per-connection at a meeting and imagine how fast they would shut you down. "You mean to say that we could only have one call per connection? The door is that way."
But couldn't you have some kind of option you could turn on in your connection string that only allows one call per connection? Enable that and you've added some security to your site, but not removed any features.