Posted on 04/01/2011 1:52:38 PM PDT by Red Badger
A relatively simple hack has been used to compromise at least 500,000 Web sites, and perhaps as many as 1.5 million, in such a way that visitors are tricked into downloading fake PC security software.
Dubbed Lizamoon, after the Web site to which some users are redirected, the attack was first documented by the security research firm Websense. The hack seeks to trick Web users into believing that their computer has been compromised by viruses and prompts them to download fake security software that itself causes further problems. Among the sites serving up the links to the fake software sites are some belonging to Apple and used on its iTunes store, though Apple is said to have cleaned up the affected code on its site.
Websense says that so far it appears that sites using Microsoft SQL Server 2003 and 2005 are at risk, though as yet SQL Server 2008 doesn't appear to be affected. No word yet from Microsoft about any of this, though I've asked them for a comment.
SQL injection attacks take place when malicious code, essentially commands to a Web server to do things it's not supposed to do, is inserted into routine queries of a Web site's database. A basic way to carry out these attacks is to add extra commands into the URL bar of the browser when visiting a vulnerable Web site. It's not entirely clear exactly how this series of attacks has been carried out.
I talked with Josh Shaul, CTO of Application Security, Inc., a database security vendor that specializes in researching attacks on databases. "It's a very new take on a very old type of attack," Shaul said. "SQL injection has been the primary way that databases have been attacked for years. What's different here is that people are putting the code that runs their Web sites in the database itself. And that's what's so troubling. Effectively you've exposed your code to an attacker so they can go modify it."
Attackers found hundreds of thousands of sites that use a single user account to query their databases for all visitors, Shaul said. The databases are clearly configured in an insecure way, he said. "That's what it all comes down to. Why is it that the log-in to use the database has the right to modify the code for the Web site itself? That makes no sense at all."
In this case the attackers took advantage of the weakness to insert a script that creates a pop-up that sends a site's visitors to another site that looks like a legitimate place to download new Microsoft security software. That makes the attack on the Web sites themselves just a means to an end, the end being tricking innocent Web users into clicking on a series of links and paying to download fake security software.
Websense produced a video demonstrating what happens. The short lesson is this: If you see a pop-up that tells you you've got a virus or that your computer is compromised by a bunch of security issues, don't click any of the links in it; it's probably not legit.
What’s old fashioned about validating input?
Well said. SQL injection is not difficult if you leave the doors wide open in poorly written code. A simple check is if you are expecting a value of no more than 3 characters in length, truncate the variable to the length. You can also strip many SQL characters before sending a value and then reject any request string that contains them.
What browser were you using?
FF
The method of hand-coding a check for each input field certainly works, but it is tedious, prone to error, and adds costs to the project. If there is time and money pressure, it probably won’t be implemented carefully or at all.
That is why it is much better to use a framework or technology where this is automatically supplied.
I’m not disagreeing with you, but hand-coding is NOT tedious, prone to error, and adds costs to the project.
It is very simple to write a (reusable) sub-routine or function that does this on the fly.
Oh, I was referring to every returned post after the form has been submitted. Granted, coders should not allow certain values (characters) to be entered in a text field, but this is not where SQL injection comes from. Typically an injected field can be passed in the URL string.
However, it is not too difficult to create a dummy site and send data to the real site. Of course this is easy to check if the data is coming from the host or not. Still this can be worked around using the header string.
Which brings me back to my first point and that is to check, validate and truncate every string that is returned to the host, no matter where from.
The coder should verify everything is legit before the submit button is pressed, but only the ignorant would assume it will always arrive 'as sent'.
This is probably more info than you wanted.
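The article describes queries built from request parameters and run under a single database account, and the comments above debate hand-coded truncation or character stripping against a framework that supplies the protection automatically. The following is an added example, not code from the article or from any of the posters, using a constructed SQLite table that stores page markup in the database the way the article describes; it contrasts a query assembled by string concatenation with a parameterized one on the same inputs.

```python
import sqlite3

# Constructed sample data: a small CMS that keeps page markup in the
# database, as the article describes, behind a single query account.
PAGES = [("Home", "<h1>Welcome</h1>"), ("About", "<p>About us</p>")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", PAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, title):
    # The request parameter is pasted into the SQL text, so a quote in
    # it ends the string literal and whatever follows is parsed as SQL.
    sql = "SELECT body FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, title):
    # Parameterized query: the value travels separately from the SQL
    # text and is never parsed as SQL, whatever characters it contains.
    sql = "SELECT body FROM pages WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def demo():
    conn = make_db()
    # Constructed hostile input: the quote closes the literal and the
    # remainder makes the WHERE clause true for every row.
    hostile = "Home' OR 'x'='x"
    # Constructed benign input that merely contains an apostrophe.
    benign = "O'Reilly"
    results = {
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "safe_hostile": lookup_safe(conn, hostile),
        "safe_benign": lookup_safe(conn, benign),
    }
    try:
        results["vuln_benign"] = lookup_vulnerable(conn, benign)
    except sqlite3.OperationalError as exc:
        # The concatenated query breaks even on honest data.
        results["vuln_benign"] = "error: " + str(exc)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

The concatenated version returns every row for the hostile title and fails outright on the apostrophe, while the parameterized version returns nothing for both, which is the behaviour a per-field truncation check cannot guarantee on its own. Restricting the query account to SELECT, the separate fix the article points at, is not shown here.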
This just happened again to me. I am fairly certain the virus was linked to Sarah Palin pictures from Rolling Thunder. I wasn’t sure the first time, but the second time, the virus made itself apparent right away. I opened a picture of Sarah from a posting from “Crim”. The posting was about pictures of her on the RT tour commenting about a caption that I didn’t see.
Again, I am not 100%, but it seems apparent.
Good luck, and thanks for all you do. Our appreciation can never be overstated.
Brian
Thanks very much for telling me, onona.
I only post photos directly from SARAHPAC or other authorized sources. Once those photos are hosted by outside sources, there’s no telling what has happened to them.
I’m so sorry for the trouble you’ve incurred. I’d be crying.
I consider myself fortunate, as I was on a laptop from work. They were able to fix both viruses quickly and easily.
Yeah, if it was my own PC, crying, swearing, and the like.
One of the lucky ones this time.
And how many basic generic principles of Computer Science do you have to violate to allow "data" to be "executable"?