Viral Scareware Infects Four Million Websites 71
oxide7 writes "A fast-spreading SQL injection attack that illegally peddles a bogus scareware has been breaking anti-virus barriers and compromising millions of websites, besides defrauding unsuspecting victims. The news of this attack was brought out by Websense Security Labs in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign which it named LizaMoon."
Re: (Score:2)
"OWER"?
Stupid (Score:2)
Didn't we already see this article?
Anyways, as said before, there's plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.
Re:Stupid (Score:4, Insightful)
Only people who've been thoroughly windows-indoctrinated could use terminology like that -- it actually means nothing at all, except "we don't know what we're doing here".
Re: (Score:1)
Not to mention it is factually inaccurate in this case, the fake AV that is pushed here is not installed via an exploit, it is installed by the user after being redirected to a site showing false warnings. Moreso, 24 out of 42 of the scanners on virustotal detect it at the moment.
Re: (Score:3)
Moreso, 24 out of 42 of the scanners on virustotal detect it at the moment.
Maybe the fake AV itself, but yesterday I downloaded (using wget, of course) the script file that redirects you to the malware site, and sent it to virustotal. Zero detections.
Re: (Score:3)
I'd interpret it as "our firewall AV isn't stopping it", which is fine because AV software isn't a generic solution but one that detects specific, well-defined viruses. And when you shove it onto a firewall, it can't do much checking if you don't want horrible packet loss.
What it does mean, though, is that whoever wrote the article doesn't use NIDS or HIDS (the former will detect cross-scripting attacks, the latter will detect changes to files that aren't supposed to change) but relies entirely on anti-viru
Re: (Score:2)
Re:Stupid (Score:5, Funny)
Re: (Score:1)
Re: (Score:2)
Hey, don't knock it! In a hundred years time, that could be the best-selling soft drink for electronics!
Re: (Score:2)
Right now I'm still looking for some replacement smoke for my CPU.
Re: (Score:2)
People often complain that American children show a lack of interest in engineering, but you rarely hear about our serious metaphysical deficit.
Re: (Score:2)
Everything is Symantecs fault. Everything. Its some kind of computing rule or something.
Re: (Score:2)
security boxes can scan at very high (near wire) rates, these days.
DPI is all the rage and fast packet i/o with filtering and even on the fly modification is do-able.
sad to say.
Re: (Score:2)
Its like "counterhacking the proxy" or "wardialing the WEP key". Just because you dont know what it means doesnt mean the rest of us arent on board.
Re: (Score:2)
Dont be hatin cause I can create VB GUI interfaces to track the haxxers.
Re:Stupid (Score:5, Informative)
Anyways, as said before, there's plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.
SQL injections and XSS attacks aren't necessarily related.
XSS attacks require you to push the parameters in the URL itself. If an attacker modifies the SQL, they don't need to change anything, you just visit the site, and they'd change it 'server side' instead. So its much more dangerous, and there's no real way for the user to avoid it - except of course turning off scripts I would assume. And being careful about links.
Re: (Score:1)
XSS attacks require you to push the parameters in the URL itself.
That's not actually true. Reflected XSS attacks are sometimes exploited through a URL string element (post data can also work). Persisted XSS attacks occur when user provided data is stored on the server and then later rendered in HTML without being properly encoded first.
It's entirely possible (and not all that uncommon) for an attack to rely on both an XSS issue and a SQL injection issue. Say there's some popular CMS that has a SQL injection attack that can be exploited through a form post if the user mak
Original post... (Score:4, Informative)
more information (Score:2, Interesting)
which sites are vulnerable? are there any more precise information than "outdated CMS and blog systems" ??
ORDER BY popularity DESC LIMIT 10 (Score:2)
4 million sites infected and you want it to list them for you? Wow...
I'd at least like to know a few of the most popular ones. Or in SQL: SELECT host FROM infected_sites ORDER BY popularity DESC LIMIT 10
Re: (Score:1)
Shouldn't that be something like this?
SELECT host FROM infected_sites ORDER BY popularity DESC LIMIT 10; DROP TABLE infected_sites; --
Cool it, Bobby (Score:2)
Re: (Score:1)
Re:more information (Score:5, Informative)
which sites are vulnerable? are there any more precise information than "outdated CMS and blog systems" ??
As others have noted, the original article [websense.com] is much more informative.
First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server, but because the injection seems only to work on a web app that's designed to run this DBMS in the back end, The article authors note that they don't know which application this is, however. This seems a little surprising, given that they should be able to spot the commonality between all the infected sites.
Second, to determine whether your server is affected, just check to see whether your site now has an URL like http://domainname/ur.php [domainname]. If it does, you're infected. If you run on Linux and Apache, it looks like you're safe from this particular attack.
Re:more information (Score:4, Insightful)
First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server
Strictly speaking, that is true. However, SQL Server supports a multiple statement binding syntax that makes it uniquely vulnerable to these kinds of injections in poorly written programs - i.e. you can start a new SQL statement anywhere simply by injecting a semicolon followed by whatever SQL you like.
That is why if a SQL injection attack ever affects tens of thousands of sites, it is inevitably a poorly written SQL Server application. If I were Microsoft, I would add an option to turn the traditional syntax off, deprecate it for future use, and require block syntax to process multiple statements. That doesn't eliminate the problem, but it greatly reduces the possible attack surface, and the severity of the attacks that do get through.
Re: (Score:2)
Bobby Tables' mom [xkcd.com] strikes again?
Simpsons (Score:2)
And to be honest, the mindset behind this new breed of convoluted scam methods to trick customers out of money (such as the one in TFA) often seem to be dreamt up by someone whose grip on reality is based in the world of the Simpsons et al, rather than by dealing with real human beings.
Dupe (Score:2)
What kind of sites??? (Score:2)
I'm getting "please install this update for bank X" for several months now and they usually link to a site that uses Joomla.
I'm reading about this super SQL injection for several days now, but what I would like to know is what kind of sites are targeted this time. Who should be worried? Who should spend some extra time upgrading or hardening their sites?
sites using Microsoft SQL Server 2003/2005 (Score:1)
News? (Score:2)
I have been dealing with the results of this for nearly two weeks. Whilst it is nice to hear the background story to it, I am puzzled why it has made /. the BBC, The Register and a load of other less useful websites. Why is it big news today?
If anyone has to deal with a PC that has this, the fix is nice and easy.
Copy everything off the users desktop etc - it does not seem to infect stuff
Delete the user profile, reboot and let them log in.
I am sure many people here will feel that the best way not to get
Comment removed (Score:5, Insightful)
Re: (Score:1)
Re: (Score:2)
Re: (Score:1)
Wow. Troll much? Clearly you are not happy and you choose to attack Linux to vent your frustration with your own operating system. How are those antivirus updates going?
The article you show as an example of the security failings of Linux is laughable. The "virus" they create must be downloaded, saved to the desktop and then executed. Hardly virus like behavior. And even then it only gains access to the user's environment. To get it to do anything malicious to the OS, you must login as root and insta
Can someone explain why this scam works? (Score:1)
Re: (Score:2, Informative)
Scammers sometimes use "mules", people who are in desperate need of a job and agree to handle payments to "a foreign business that needs a representative in the country". They receive the money and then use something like Western Union to funnel the money to the "business"/scammers in an untraceable way. Money laundering isn't just for drug cartels anymore. If you take a stroll through your spam folder, you'll probably find a few "job offers" like that. Needless to say, this is very illegal and nobody shoul
Re: (Score:1)
Misleading (Score:1)
Totally blown out of proportion (Score:3)
The submitter clearly didn't read the damn article.
All does does is force sites to display an ad for a trojan. It does NOT "break AV barriers" nor do absolutely anything to users who aren't stupid enough to actually install the software.
It's still a problem, because yes, a good number of idiots will fall for it, but fake security software scams have been around pretty much since there's been banner advertising on the net.
As for why this is hitting 4 million sites, I blame a lot of beginner tutorials, that are quick to teach people the basics of web development, but gloss over security or don't mention it at all. SQL injection is stupidly easy. Either
A:
-Call a function to escape all characters that could force the server to run entered code. In the extremely unlikely event that you're using a language that doesn't have a built-in function for this, it's not at all difficult to write your own (or grab someone else's).
or
B:
-Make use of prepared statements, and call those instead of feeding SQL directly to the server.
Either works. Doing neither is simply asking for it.
Re: (Score:2)
Err, "preventing SQL injection is stupidly easy", rather than "SQL injection is stupidly easy."
Re: (Score:2)
WinHDD and Defender Scareware (Score:1)
The 2nd scareware camouflages itself by taking the Windows Defender name. It claims that your computer is infected with a worm. It can be extremely difficult to remove as it intercepts
What ever you do don't mention Windows (Score:2)
What ever you do, don't mention Windows, but do mention Apple even though it isn't affected:
"fast-spreading SQL injection attack .. scareware attack .. malicious file then sells a software .. bogus scareware [ is there any other kind ?] .. Apple iTunes were also infected" ...
Silly Isp's (Score:1)
First, that's to another poster out there that told me the destination site.
Solution to those that run firewalls or ISP's
I happen to use open dns for all the companies and friends I help out needs
I just logged in and blocked the web site and the IP address.
saves me future problems and prevents idiot's from causing long term harm.
thanks everyone.
Block executables at the doorstep (Score:2)
Since the problem is keeping people from downloading crap like this and running it, the solution is pretty easy -- block executable files with a web proxy like Squid. It's really trivial to write a few ACL's in Squid that forbid the download of .exe, .bat, .com, .msi, etc. files. Obviously you need to exempt sites like Windows Update from this filter, and you might need to permit a couple of senior admins to download executables as well. Otherwise, there's just no reason in most organizations to let ordi