Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet IT

Viral Scareware Infects Four Million Websites 71

oxide7 writes "A fast-spreading SQL injection attack that illegally peddles a bogus scareware has been breaking anti-virus barriers and compromising millions of websites, besides defrauding unsuspecting victims. The news of this attack was brought out by Websense Security Labs in its blog last week. Websense said its Threatseeker Network identified a new malicious mass-injection campaign which it named LizaMoon."
This discussion has been archived. No new comments can be posted.

Viral Scareware Infects Four Million Websites

Comments Filter:
  • by jd ( 1658 )

    Didn't we already see this article?

    Anyways, as said before, there's plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.

    • Re:Stupid (Score:4, Insightful)

      by clang_jangle ( 975789 ) on Saturday April 02, 2011 @04:06PM (#35695652) Journal

      ...breaking anti-virus barriers...

      Only people who've been thoroughly windows-indoctrinated could use terminology like that -- it actually means nothing at all, except "we don't know what we're doing here".

      • by Anonymous Coward

        Not to mention it is factually inaccurate in this case, the fake AV that is pushed here is not installed via an exploit, it is installed by the user after being redirected to a site showing false warnings. Moreso, 24 out of 42 of the scanners on virustotal detect it at the moment.

        • Moreso, 24 out of 42 of the scanners on virustotal detect it at the moment.

          Maybe the fake AV itself, but yesterday I downloaded (using wget, of course) the script file that redirects you to the malware site, and sent it to virustotal. Zero detections.

      • by jd ( 1658 )

        I'd interpret it as "our firewall AV isn't stopping it", which is fine because AV software isn't a generic solution but one that detects specific, well-defined viruses. And when you shove it onto a firewall, it can't do much checking if you don't want horrible packet loss.

        What it does mean, though, is that whoever wrote the article doesn't use NIDS or HIDS (the former will detect cross-scripting attacks, the latter will detect changes to files that aren't supposed to change) but relies entirely on anti-viru

        • Nah -- it's fake nomenclature designed to dazzle non or wannabe geeks into thinking "it isn't Norton's (or whomever's) fault" It's the computer equivalent of turn signal fluid. :)
          • Re:Stupid (Score:5, Funny)

            by clang_jangle ( 975789 ) on Saturday April 02, 2011 @04:22PM (#35695712) Journal
            "This latest viruses attack your computer's humours, exchanging it's good aire for foul and musty spirits, thus disrupting the subtle fires necessary to process your data. Most inauspicious. That's why you need Semantec's Miracle Oil, the Ninth Wonder of the Worlde!"
            • +1 hilarious
            • by jd ( 1658 )

              Hey, don't knock it! In a hundred years time, that could be the best-selling soft drink for electronics!

            • Right now I'm still looking for some replacement smoke for my CPU.

              • by tsm_sf ( 545316 )
                You need a Taoist magician to capture it properly. It can be interesting to watch them perform their rituals, but the economy of scale will always mean that it's cheaper to just buy a new CPU from asia.

                People often complain that American children show a lack of interest in engineering, but you rarely hear about our serious metaphysical deficit.
          • Everything is Symantecs fault. Everything. Its some kind of computing rule or something.

        • security boxes can scan at very high (near wire) rates, these days.

          DPI is all the rage and fast packet i/o with filtering and even on the fly modification is do-able.

          sad to say.

      • Its like "counterhacking the proxy" or "wardialing the WEP key". Just because you dont know what it means doesnt mean the rest of us arent on board.

    • Re:Stupid (Score:5, Informative)

      by Haedrian ( 1676506 ) on Saturday April 02, 2011 @04:09PM (#35695662)

      Anyways, as said before, there's plenty of guides (including by the NSA) on how to not suffer cross-scripting attacks. That anyone still suffers from them is not through a lack of resources.

      SQL injections and XSS attacks aren't necessarily related.

      XSS attacks require you to push the parameters in the URL itself. If an attacker modifies the SQL, they don't need to change anything, you just visit the site, and they'd change it 'server side' instead. So its much more dangerous, and there's no real way for the user to avoid it - except of course turning off scripts I would assume. And being careful about links.

      • by seibai ( 1805884 )

        XSS attacks require you to push the parameters in the URL itself.

        That's not actually true. Reflected XSS attacks are sometimes exploited through a URL string element (post data can also work). Persisted XSS attacks occur when user provided data is stored on the server and then later rendered in HTML without being properly encoded first.

        It's entirely possible (and not all that uncommon) for an attack to rely on both an XSS issue and a SQL injection issue. Say there's some popular CMS that has a SQL injection attack that can be exploited through a form post if the user mak

  • more information (Score:2, Interesting)

    by Anonymous Coward

    which sites are vulnerable? are there any more precise information than "outdated CMS and blog systems" ??

    • Let me help you: "fast-spreading" "compromising millions of websites" All vulnerable Web sites are infected by now. If your Web site is out there and not infected, then you're probably okay. If it did get infected, you tried to fix it and it gets reinfected, you haven't fixed it!
    • Re:more information (Score:5, Informative)

      by grcumb ( 781340 ) on Saturday April 02, 2011 @05:28PM (#35696046) Homepage Journal

      which sites are vulnerable? are there any more precise information than "outdated CMS and blog systems" ??

      As others have noted, the original article [websense.com] is much more informative.

      First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server, but because the injection seems only to work on a web app that's designed to run this DBMS in the back end, The article authors note that they don't know which application this is, however. This seems a little surprising, given that they should be able to spot the commonality between all the infected sites.

      Second, to determine whether your server is affected, just check to see whether your site now has an URL like http://domainname/ur.php [domainname]. If it does, you're infected. If you run on Linux and Apache, it looks like you're safe from this particular attack.

      • by butlerm ( 3112 ) on Saturday April 02, 2011 @07:15PM (#35696610)

        First, only MS SQL Server seems to be affected. This isn't because of a flaw in SQL Server

        Strictly speaking, that is true. However, SQL Server supports a multiple statement binding syntax that makes it uniquely vulnerable to these kinds of injections in poorly written programs - i.e. you can start a new SQL statement anywhere simply by injecting a semicolon followed by whatever SQL you like.

        That is why if a SQL injection attack ever affects tens of thousands of sites, it is inevitably a poorly written SQL Server application. If I were Microsoft, I would add an option to turn the traditional syntax off, deprecate it for future use, and require block syntax to process multiple statements. That doesn't eliminate the problem, but it greatly reduces the possible attack surface, and the severity of the attacks that do get through.

        • Bobby Tables' mom [xkcd.com] strikes again?

          • I always thought that if Comic Book Guy was ever given a license to have children, he'd find it amusing to give them an SQL injection attack name like Bobby Tables.

            And to be honest, the mindset behind this new breed of convoluted scam methods to trick customers out of money (such as the one in TFA) often seem to be dreamt up by someone whose grip on reality is based in the world of the Simpsons et al, rather than by dealing with real human beings.
  • I'm getting "please install this update for bank X" for several months now and they usually link to a site that uses Joomla.
    I'm reading about this super SQL injection for several days now, but what I would like to know is what kind of sites are targeted this time. Who should be worried? Who should spend some extra time upgrading or hardening their sites?

  • by Gonoff ( 88518 )

    I have been dealing with the results of this for nearly two weeks. Whilst it is nice to hear the background story to it, I am puzzled why it has made /. the BBC, The Register and a load of other less useful websites. Why is it big news today?

    If anyone has to deal with a PC that has this, the fix is nice and easy.
    Copy everything off the users desktop etc - it does not seem to infect stuff
    Delete the user profile, reboot and let them log in.

    I am sure many people here will feel that the best way not to get

    • Comment removed (Score:5, Insightful)

      by account_deleted ( 4530225 ) on Saturday April 02, 2011 @09:56PM (#35697332)
      Comment removed based on user account deletion
  • I can understand scaring people into buying fake anti-virus software. I've seen it happen on people at work where they assume its something IT installed on their machine. What I can't understand is how the people that peddle it get away with it. I mean... they trick you into buying their product.. which means they have to process money and deal with banks. Couldn't any law enforcement simple track where the money is going, grab the bad guys and just end it?
    • Re: (Score:2, Informative)

      by Anonymous Coward

      Scammers sometimes use "mules", people who are in desperate need of a job and agree to handle payments to "a foreign business that needs a representative in the country". They receive the money and then use something like Western Union to funnel the money to the "business"/scammers in an untraceable way. Money laundering isn't just for drug cartels anymore. If you take a stroll through your spam folder, you'll probably find a few "job offers" like that. Needless to say, this is very illegal and nobody shoul

  • The headline says Four Million Websites, but the truth is (according to Google) is that it's Four Million Webpages, and a good number of those are security-related sites that talk about the vuln, not expose it. Can we possibly look into reporting the facts instead of inflating them?
  • by Trerro ( 711448 ) on Saturday April 02, 2011 @06:45PM (#35696468)

    The submitter clearly didn't read the damn article.

    All does does is force sites to display an ad for a trojan. It does NOT "break AV barriers" nor do absolutely anything to users who aren't stupid enough to actually install the software.

    It's still a problem, because yes, a good number of idiots will fall for it, but fake security software scams have been around pretty much since there's been banner advertising on the net.

    As for why this is hitting 4 million sites, I blame a lot of beginner tutorials, that are quick to teach people the basics of web development, but gloss over security or don't mention it at all. SQL injection is stupidly easy. Either
    A:
    -Call a function to escape all characters that could force the server to run entered code. In the extremely unlikely event that you're using a language that doesn't have a built-in function for this, it's not at all difficult to write your own (or grab someone else's).
    or
    B:
    -Make use of prepared statements, and call those instead of feeding SQL directly to the server.

    Either works. Doing neither is simply asking for it.

    • by Trerro ( 711448 )

      Err, "preventing SQL injection is stupidly easy", rather than "SQL injection is stupidly easy."

      • Well both statements are somewhat true. Apparently SQL injection IS stupidly easy as it keeps happening and as others have said, preventing it is not exactly rocket science
  • I've seen two instances of the scareware. In the first instance, up pops a tool that looks like a genuine Microsoft tool but called WinHDD. It reports that your hard-drive is failing and you are losing data. In order to fix it, you must activate WinHDD. But you have to pay to activate it. Spybot Search and Destroy cleans it.

    The 2nd scareware camouflages itself by taking the Windows Defender name. It claims that your computer is infected with a worm. It can be extremely difficult to remove as it intercepts

  • What ever you do, don't mention Windows, but do mention Apple even though it isn't affected:

    "fast-spreading SQL injection attack .. scareware attack .. malicious file then sells a software .. bogus scareware [ is there any other kind ?] .. Apple iTunes were also infected" ...

  • First, that's to another poster out there that told me the destination site.

    Solution to those that run firewalls or ISP's

    I happen to use open dns for all the companies and friends I help out needs

    I just logged in and blocked the web site and the IP address.

    saves me future problems and prevents idiot's from causing long term harm.

    thanks everyone.

  • Since the problem is keeping people from downloading crap like this and running it, the solution is pretty easy -- block executable files with a web proxy like Squid. It's really trivial to write a few ACL's in Squid that forbid the download of .exe, .bat, .com, .msi, etc. files. Obviously you need to exempt sites like Windows Update from this filter, and you might need to permit a couple of senior admins to download executables as well. Otherwise, there's just no reason in most organizations to let ordi

This is now. Later is later.

Working...