Slashdot Mirror


Relentless Web Attack Hard To Kill

ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."

48 of 218 comments

  1. Whatever happened by RaceProUK · · Score: 5, Insightful

    to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.

    --
    No colour or religion ever stopped the bullet from a gun
    1. Re:Whatever happened by compro01 · · Score: 2, Informative

      AFAICT, they are patching the hole, they're just finding even more holes of the same type.

      --
      upon the advice of my lawyer, i have no sig at this time
  2. It's the plugins... by sam0737 · · Score: 2, Insightful

    At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.

    Just yet another reason, besides bandwidth, to get Flashblock.

    And install as few browser plugins/ActiveX as possible.

  3. noscript by Manfre · · Score: 5, Informative

    NoScript is one of the best ways to avoid viruses that are distributed from the web.

    1. Re:noscript by Manfre · · Score: 3, Informative

      I've been developing with ASP.NET (c#) since its initial beta and am very familiar with how it functions. This discussion would go a bit smoother if you would read a comment before replying to it. Noscript prevents javascript from loading on any site, until the site is explicitly given permission by the user. Approve your CRM domain(s), which will allow it to work properly. Then if it is compromised, noscript will block the javascript on the destination domain. If your server is compromised to the point where it is hosting exploits, then the IT staff needs to spend a bit more effort patching and locking things down. Noscript is not the only protection that should be used, but it greatly helps. It's like driving a car a little bit slower. You've still got a seatbelt to help keep you alive, but you should be less likely to hit something.

    2. Re:noscript by daveime · · Score: 2, Insightful

      Yes, we should stick to the old tried and true "overload the server and piss off the user" method of the 1990's.

      Name: Dave
      Country : Thailand
      Telephone : 12345678
      Date of Birth : 29/02/2000
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      Please supply your Firstname AND Surname ...

      Name : Dave Mullen
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      You are from Thailand, where people don't always HAVE surnames - please just supply your Name ...

      Name : Dave
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      Please supply a full telephone number with area code ...

      Telephone : 0066 12345678
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      Country code should start with + ...

      Telephone : +66 12345678
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      Please supply an area code ...

      Telephone : +66 99 12345678
      [SUBMIT]

      Oops' looks like some problems with your submission - please correct the following :-

      February 29th is not a valid date because 2000 is not a leap year.

      BY WHICH TIME, *IF* THE USER IS STILL HERE, YOU HAVE THOROUGHLY PISSED HIM OFF, AND MADE NO LESS THAN 6 SUBMISSIONS TO THE SERVER FOR SOME CRAPPY VALIDATION THAT COULD HAVE ALL BEEN TRAPPED ON THE CLIENT SIDE.

      If that's the web you want, then it's your choice I suppose.

  4. Re:Kaspersky by mfh · · Score: 4, Informative

    Kaspersky is so brilliant, it locks up every time I try to do anything with it.

    Then again, my AVG hasn't updated properly all week...

    You're not supposed to run them at the same time. They fight for control and eventually stalemate. Uninstall AVG and reinstall Kaspersky, but by now you may have damaged your system configuration. Kaspersky is pretty brutal if it gets unhinged, but it's unstoppable if you get it configured correctly.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  5. Infiltration by Anonymous Coward · · Score: 2, Funny

    SecureWorks: Can I have a copy of your super secret automated tool?

    ChineseUnderground: No...

    1. Re:Infiltration by Kent+Recal · · Score: 2, Funny

      *** Joined #ChineseUnderground
      <SecureWorks> Can I have a copy of your super secret automated tool?
      *** Mao set mode +b *!*@secureworks.com
      *** Kicked from #ChineseUnderground by Mao (No.)

      (sorry, crapdot ate the brackets)

  6. Infected Websites by sexconker · · Score: 3, Interesting

    Can someone explain to me how websites get infected?

    Oh, that's right, running ads and other shit from shady people (directly or indirectly).

    I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

  7. Re:first post by martinw89 · · Score: 2, Informative

    Don't worry, your "-1 fail"® moderation is being applied at this moment. Thank you for using Slashdot©, please come again.

  8. This disgusts me by 77Punker · · Score: 3, Insightful

    I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?

    1. Re:This disgusts me by Rycross · · Score: 3, Insightful

      The problem is a frightening amount of training material on the web uses concatenated SQL strings to teach SQL. Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings. Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

    2. Re:This disgusts me by Pope · · Score: 4, Funny

      I'd say fully half of all the programmers are going to be below average...

      --
      It doesn't mean much now, it's built for the future.
    3. Re:This disgusts me by 77Punker · · Score: 4, Funny

      I'd say fully half of them will be below median.

    4. Re:This disgusts me by corsec67 · · Score: 3, Insightful

      Throw that in with the fact that roughly half of the programmers reading that are going to be below average

      Um for anything that is approximately normally distributed,... half of the X are going to be below average. (Especially if it is a continuous variable and you use the median)

      --
      If I have nothing to hide, don't search me
    5. Re:This disgusts me by NNKK · · Score: 4, Informative

      You're right, you're no programmer. Go read up:

      http://en.wikipedia.org/wiki/SQL_injection

      Prepared (or parametrized) statements are an easy and absolute defense against SQL injection attacks. The OP is right, the fact that such attacks still succeed is disgusting and inexcusable.

    6. Re:This disgusts me by 77Punker · · Score: 2, Funny

      The more I think about it, the more I think your post should read

      "...disgusting, inexcusable, and potentially hilarious."

    7. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

      The idea of a SQL Injection attack is to pass a parameter in such a way that it changes the structure of the query itself. Typical beginner's SQL query:

      sql = "SELECT * FROM Users WHERE Username = '" & Request.Form("Username") & "' AND Password = '" & Request.Form("Password") & "';"

      This uses 'String Concatenation' to build a line of text from several smaller parts. The completed string is then, in this example, executed by a database. A new query is dynamically created and executed based on the text passed to it. Thus, we are able to at this point change what query will be run. Form data:

      Username = "Admin"
      Password = "x' OR 'e' = 'e"

      So when the string is being put together, we get:

      SELECT * FROM Users WHERE Username = 'Admin' AND Password = 'x' OR 'e' = 'e';

      Certainly, even with no programming experience, one can see that the letter E will always be equivalent to the letter E. Thus, any validation of the password will return a false positive.

      Prepared statements avoid this whole deal by only allowing you to pass parameters. The query is already set in stone. You cannot change how it basically works, only its criteria / filtering / etc. A prepared statement would execute basically:

      SELECT * FROM Users WHERE Username = "Admin" AND Password = "x' OR 'e' = 'e";

      Since the query does not change dynamically when it's executed as a prepared statement, you can't add your logical 'OR' operator after having broken out of your parameter. You just get no rows returned, as should be the case.
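      Worked example added here (Python with the standard-library sqlite3 module; not code from the thread) that runs the comment's concatenated query beside its parameterized form on the same form data. The Users table, the stored password 's3cret' and the function names are constructed for the example.

```python
import sqlite3

SQLI_PASSWORD = "x' OR 'e' = 'e"   # the form data from the comment above


def make_db():
    # Constructed sample table: one account with a password the attacker does not know.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE Users (Username TEXT, Password TEXT)")
    conn.execute("INSERT INTO Users VALUES ('Admin', 's3cret')")
    conn.commit()
    return conn


def build_query_concat(username, password):
    # Mirrors the comment's classic-ASP string concatenation: the form
    # values become part of the SQL text, so quotes in them reshape the query.
    return ("SELECT * FROM Users WHERE Username = '" + username +
            "' AND Password = '" + password + "';")


def login_concat(conn, username, password):
    # Vulnerable: the injected OR clause makes the WHERE clause always true.
    return conn.execute(build_query_concat(username, password)).fetchall()


def login_parameterized(conn, username, password):
    # Hardened: the query text is fixed; the driver passes the form values as
    # data, so "x' OR 'e' = 'e" is compared against the stored password verbatim.
    return conn.execute(
        "SELECT * FROM Users WHERE Username = ? AND Password = ?",
        (username, password)).fetchall()


def register(conn, username, password):
    # Parameterized INSERT: a name full of quotes and semicolons is stored
    # literally and returned unchanged; it never reaches the parser as SQL.
    conn.execute("INSERT INTO Users VALUES (?, ?)", (username, password))
    row = conn.execute("SELECT Username FROM Users WHERE Username = ?",
                       (username,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(build_query_concat("Admin", SQLI_PASSWORD))
    print("concatenated  :", login_concat(db, "Admin", SQLI_PASSWORD))
    print("parameterized :", login_parameterized(db, "Admin", SQLI_PASSWORD))
```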

    8. Re:This disgusts me by 77Punker · · Score: 3, Insightful

      Kaspersky can't figure it out because a virus scanner can't fix a web application. Fixing SQL injections is beyond their realm.

      Travelocity can't figure it out because their developers must suck. Travelocity is well-known because they have a decent service, not because the software that runs the service is really great software.

    9. Re:This disgusts me by delirium28 · · Score: 2, Insightful

      They're most likely trying to find a solution that doesn't require them to revisit and re-code a large portion of their site. They most likely want a band-aid solution rather than fix the underlying problem.

      --
      Who is John Galt?
    10. Re:This disgusts me by Emb3rz · · Score: 4, Insightful

      You're working off of the false assumption that security is about knowledge.

      We know abundantly well exactly how SQL injection attacks occur, and we also have many tools at our disposal to -absolutely- prevent them. What we don't have is the cooperation or effort from programmers on a widespread basis. Many are simply too lazy to research and implement reasonable security measures. It's easier to pretend that there are no ways whatsoever that anything can go wrong with your code because when you tested it it worked right. This willful turning a blind eye to well-established security caveats is what has given us this terrible and prevalent security problem. It's easier to write code that checks nothing, it's quicker to do so, and it requires less think-juice on the part of the lazy programmer.

    11. Re:This disgusts me by CodeBuster · · Score: 2, Insightful

      Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

      That is what comes of outsourcing and offshoring especially, but there are still managers out there who refuse to acknowledge what I like to call the Iron Law of Software Development or more generally the Project Triangle (good, fast, cheap...pick two).

    12. Re:This disgusts me by Rycross · · Score: 2, Informative

      Languages can make bad code harder or easier to write however. It's perfectly acceptable to blame a language if it makes it hard to do things the "right way." I'm not much of a PHP hater, but a lot of stuff that they've done with the language makes me roll my eyes.

  9. Comment removed by account_deleted · · Score: 3, Informative

    Comment removed based on user account deletion

  10. Re:Kaspersky by martinw89 · · Score: 3, Insightful

    ...AVG...

    <mechanic>Well there's your problem.</mechanic>

  11. Re:Kaspersky by Anonymous Coward · · Score: 4, Funny

    "Securing an environment of Windows platforms from abuse - external or internal - is akin to trying to install sprinklers in a fireworks factory where smoking on the job is permitted." -Gene Spafford

  12. Install a proxy by gfilion · · Score: 4, Interesting

    We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.

    Full story on my blog:
    http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php

    1. Re:Install a proxy by merreborn · · Score: 3, Informative

      mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness".

      While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.

      mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.

  13. yet another ugly side of DRM by Aoet_325 · · Score: 3, Insightful

    "The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "

    this is why I don't believe in "Trusted" computing.
    When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.

  14. Chinese underground by AragornSonOfArathorn · · Score: 4, Funny

    Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russell to help?

    If so, that would be AWESOME.

    --
    sudo eat my shorts
  15. Re:Kaspersky by Arancaytar · · Score: 4, Insightful

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    What these people need is a real web application instead of some self-built PHP script - not a virus scanner, whether free or expensive.

  16. No DRM trolls? by genner · · Score: 4, Funny

    Did everyone miss the fact that the toolkit responsible includes some hefty DRM.

    Where's the outrage?
    Why aren't we demanding an open source solution?

  17. Big Picture by mfh · · Score: 4, Interesting

    It's a bloody SQL injection attack. I'd like to see your virus checker automatically rewrite your web application to use input filtering.

    This is going to sound like a little bit of double speak but I'll remind you that Kaspersky found these attacks were happening. Also, they are studying the behavior. Furthermore, Kaspersky protects systems from nefarious things that attackers will do, regardless of how they get on the system. Nothing is perfect with Windows, but if you look at the options, Kaspersky is the best out there.

    Now of course, if you want to insist that the attacks happen whether Kaspersky is running or not, you will be correct. But what you're not saying is how LIMITED the attackers are when trying to get past Kaspersky after they get on a system.

    Noscript also helps, but isn't perfect either.

    --
    The dangers of knowledge trigger emotional distress in human beings.
    1. Re:Big Picture by Arancaytar · · Score: 2, Informative

      Sorry, I see we're talking about different user groups.

      From the user perspective a virus scanner (and NoScript) will indeed protect you from installing malware on your computer, which may be downloaded from a hijacked website (XSS is a more common attack vector for that, but I've had an Invision forum hijacked via SQL injection too).

      I was speaking more from the perspective of the web admin whose site gets defaced, who won't get around some lessons on secure input handling. ;)

  18. Re:RTFA by Bassman59 · · Score: 3, Funny

    Didn't you RTFA?

    You must be new here, in spite of that two-digit user ID!

  19. Comment removed by account_deleted · · Score: 2, Informative

    Comment removed based on user account deletion

  20. No kaspersky for me by jonaskoelker · · Score: 3, Funny

    zsh% apt-cache search kaspersky
    zsh%

    :(

  21. No, it's not. by Bearhouse · · Score: 3, Informative

    You're right to publicise a good product that I also use and recommend. However:

    Most people that get caught by malware don't understand all these arcane details.

    Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.

    Bad web sites / pages don't just install viruses.*

  22. Re:RTFA by Anonymous Coward · · Score: 3, Funny

    You must be new here, in spite of that two-digit user ID

    He probably is new. I saw Slashdot UID 56 for sale on E-Bay about a month ago for 17 cents or 4 sticks of Trident.

  23. Re:Kaspersky by mordred99 · · Score: 2, Interesting

    I take every syllable that comes out of Eugene Spafford's mouth with a pound of salt. I speak as a Purdue Graduate and Security Professional.

  24. What a job description. by mapkinase · · Score: 2, Funny

    "researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks"

    I wish my job description sounded as exciting as this one.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  25. Trust by mfh · · Score: 2, Insightful

    Okay keep using Noscript. I don't have a problem with that, but be warned that you are not fully protected by Noscript when the website you TRUST is attacked by an exploit like SQL injection, because YOU TRUST THAT WEBSITE.

    White-lists are better than no-lists, but they aren't perfect.

    --
    The dangers of knowledge trigger emotional distress in human beings.
  26. McColo? by Ungrounded+Lightning · · Score: 2, Insightful

    I wonder how many of the malicious servers the injected SQL dumped the users into were hosted on McColo - and are thus now not available?

    --
    Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
  27. Re:Chinks get their Interwebs on! by Rick+Bentley · · Score: 2, Funny

    Chinkies broked the web. :(

    Okay, now that there is a black president you realized that being racist against blacks would be unpatriotic ... so now you go after Chinese instead?

    I for one (don't) welcome our new sino-phobic first-posting anonymous-coward overlords...

    --
    My favorite quote doesn't fit into 120 characters. Now no one will like me.
  28. Don't rely on FlashBlock for security... by Giorgio+Maone · · Score: 2, Insightful
    --
    There's a browser safer than Firefox, it is Firefox, with NoScript
  29. Re:Kaspersky by vishbar · · Score: 2, Interesting

    PHP is just as vulnerable to SQL injection as ASP...I think he was speaking in generic terms.

    The problem isn't in the scripting engine. The problem is bad code. You can put a bad developer in front of any system you want, and he'll still write bad code.

    --
    Ride the skies
  30. Re:Kaspersky by Fulcrum+of+Evil · · Score: 3, Informative

    Are you insane? Write parameterized SQL for all your queries and this just won't happen - setting your name to ';-- drop table users;' will just result in funky display logic.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"