CyberInsecure.com

Daily cyber threats and internet security news alerts

Archive for the ‘SQL Injections’ Category

Another Google Bug Put Users At Phishing Risk Due To Domain Flaw And Frame Injection Possibility

Friday, October 10th, 2008

A security expert has demonstrated that Google’s Gmail service suffers from security flaws that make it trivial for attackers to create authentic-looking spoof pages that steal users’ login credentials. Google Calendar and other sensitive Google services are susceptible to similar tampering.

A proof-of-concept (PoC) attack, published by Adrian Pastor of the GNUCitizen ethical hacking collective, exploits a weakness in the google.com domain that allows him to inject third-party content into Google pages. The result is this page, which allowed him to display a fraudulent Gmail login page that displayed mail.google.com in the browser’s address bar.

The attack is another cautionary reminder to designers of websites and software of the importance of fixing vulnerabilities even when they may at first appear inconsequential.

Another weakness was discovered by security researcher Aviv Raff and reported to Google’s security department in April. Raff had noticed a domain-wide design flaw in google.com that allowed maps, calendars, and other applications to be accessed over multiple google.com subdomains. The URL here, which allows Google News to be accessed via the Google Maps subdomain, shows this flaw in action. Other vulnerable Google services include Mail, Images, History, Search, and Apps.

This cross-site scripting (XSS) issue in Google Maps can be exploited to hijack Google, GMail, or Google Apps accounts by bypassing the browser’s Same Origin Policy. In other words, combined with another seemingly inconsequential flaw, it can be enough to steal a Google user’s login credentials and that’s exactly what Pastor did in fashioning his attack. He coupled the web-app sharing flaw with a frame injection vulnerability in Google Images. The result is a spoof page that looks sufficiently authentic to trick a large number of users into giving an attacker their Google account credentials. Closing the cross-domain weakness may not have made Pastor’s attack impossible, but it would probably make it much less powerful or more obvious.

Google's security team has so far been among the more proactive in stamping out bugs that could put users at risk, but in this case Raff's report is six months old. Given the recent discoveries and Adrian Pastor's PoC, the flaws will most likely be fixed in short order.

Hackers Use Neosploit To Infect Around 80,000 Sites, Including BBC And US Postal Service

Friday, October 3rd, 2008

According to Ian Amit, director of security research at Aladdin Knowledge Systems, cybercriminals have used the latest version of Neosploit to booby-trap an estimated 80,000 legitimate sites with malicious code. Victims of the attack include government agencies, Fortune 500 companies, and a weapons manufacturing firm. Victims also included the US Postal Service, which has since cleaned up its act.

Amit uncovered the assault while researching the newly-released Neosploit 3.1 hacker toolkit. During his research, he discovered login credentials for more than 200,000 servers on a server used by cybercrooks. These credentials included BBC login details, fortunately unconnected to the corporation's news or content sites.

Analysis by Amit and his team at Aladdin suggests that at least three gangs were involved in collecting the list, and that 80,000 of these sites had been loaded with malicious code as part of an attempt to infect visiting surfers through drive-by download attacks. Organizations in 86 countries are said to be affected. Amit identified the affected organizations after examining server logs.

“Out of the 200,000 credentials, nearly 107,000 were validated by the criminal server, and of which, almost 82,000 were used to modify Web related content in order to attack the users of the associated sites,” a statement by Aladdin explains.

After closer investigation of the data gathered during the research, it emerged that the criminals had also got their hands on credentials for the BBC site ftp.bbc.co.uk. Had it not been for the sheer luck that those credentials were not associated with any online material, this incident could have ended up infecting the BBC's website visitors.

Additionally, reputable universities such as the University of Bradford, a travel agency (easytravelgroup.co.uk), and of course a lot of internet providers and hosting companies were affected. Aladdin is working with CERT and law enforcement agencies worldwide to inform affected organizations about the compromise to their websites.

Incidents where legitimate websites are compromised with malicious code using tactics such as SQL injection attacks have reached epidemic proportions over recent months. The compromises unearthed by Aladdin join a growing list of assaults and victims. Previous targets have included the government of the City and County of San Francisco, Microsoft acquisition target atdmt.com, BMW in Mexico, Hackney Council, and BusinessWeek.com. Tools such as the Asprox attack toolkit have been part and parcel of these previous attacks.

Texas National Guard Website Remains Unavailable After Malware Infection

Friday, September 19th, 2008

The website for the Texas National Guard remained unreachable on Friday, two days after security researchers said it had been hacked by miscreants who were using it to install malware on visitors' PCs. Some pages on the website were probably SQL injected.

On Wednesday, Roger Thompson, chief research officer of anti-virus provider AVG, reported that selected pages on the site were attempting to install a rootkit on machines that were not fully patched. The ruse starts by silently redirecting visitors to a site called add-block-plus.net, which in turn bounces visitors to several other sites.

The attack comes as the Texas National Guard responds to Hurricane Ike, which earlier this week ravaged the gulf coast of Texas. Someone answering the guard’s public affairs line said the person responsible for the website was busy with relief efforts.

Not only has Texas been hammered by the hurricane; the people who are probably helping out the most have been hacked in return. Now the Texas National Guard needs to find out how the attackers got in and then fix the flaw, which will most likely show up on other government-related websites as well. According to Sophos researchers, the Texas National Guard is only one of many sites to be hit in the attack. The malware residing on the site is detected as Mal/ObfJS-A.

BusinessWeek Online Content Hit By SQL Injection, A Total Of 721 Scripts Attempted To Infect Visitors

Monday, September 15th, 2008

Malicious hackers have broken into several sections of BusinessWeek.com and as a result the content has been infected by Mal/Badsrc-C via SQL injection. The infected pages are related to jobs and recruitment.

Currently hundreds of pages on BusinessWeek.com are being rigged with malicious JavaScript pointing to third-party servers. Visitors to the site execute the script, which attempts to launch drive-by malware downloads. Some malicious pages are successfully bypassing Firefox 3's blacklist-based filter.

According to data from the Google Safe Browsing API, BusinessWeek.com has been flagged as malicious for a while:

Of the 2157 pages we tested on the site over the past 90 days, 214 page(s) resulted in malicious software being downloaded and installed without user consent. The last time Google visited this site was on 09/15/2008, and the last time suspicious content was found on this site was on 09/11/2008.

Malicious software includes 721 scripting exploit(s), 4 trojan(s), 3 exploit(s). Successful infection resulted in an average of 2 new processes on the target machine.

Malicious software is hosted on 90 domain(s), including adbtch.com, advabnr.com, bnsdrv.com.

11 domain(s) appear to be functioning as intermediaries for distributing malware to visitors of this site, including advabnr.com, bnsdrv.com, cv2e.ru.

BusinessWeek.com joins high-profile targets such as Bank of India, China.com, and USA Today which were recently hit by similar SQL injections. According to expert estimates, at least 70 percent of all Web-based malware is now being hosted on legitimate Web sites.

As usual, we advise users to use Firefox, and we advise Firefox users to install the NoScript add-on, which protects against JavaScript injected into infected websites (and against many other malicious elements).

Coordinated Cyber Attacks Hit Websites Due To Russian-Georgian Conflict

Tuesday, August 12th, 2008

Conflict between Georgia and Russia on the ground has been accompanied by the relaunch of cyber-attacks against Georgian government websites. The Georgian presidential (www.president.gov.ge) and other government websites (such as www.parliament.ge) were left inaccessible by assaults over the weekend, in a repeat of attacks in late July before tensions over the breakaway region of South Ossetia spilled over into armed conflict.

After a week of discussions on Russian Internet forums, a coordinated cyber attack has been launched against Georgia's Internet infrastructure. The attacks have already managed to compromise several government web sites, with continuing DDoS attacks against numerous other Georgian government sites, forcing the government to switch to hosting locations in the U.S.: Georgia's Ministry of Foreign Affairs moved to a Blogspot account.

The DDoS attack appears to be using a Russian malware variant from the Pinch family and a command and control server based in Turkey. Nationalist articles in Russian language papers are apparently inspiring Russia’s digital underground to get involved in assaults on Georgia’s web-facing systems.

Unconfirmed reports claim the notorious RBN (Russian Business Network) is behind the attacks and that Georgian internet servers were owned by foreign attackers on Thursday, the day before Russian tanks rolled into South Ossetia. The peak of the DDoS attack and the actual defacements started taking place on Friday. Several Georgian state computer servers have been under external control since shortly before Russia's armed intervention into the state commenced on Friday, leaving its online presence in disarray. While the official website of Mikheil Saakashvili, the Georgian President, has become available again, the central government site, as well as the homepages for the Ministry of Foreign Affairs and Ministry of Defence, remain down. Some commercial websites have also been hijacked.

The Georgian Government said that the disruption was caused by attacks carried out by Russia as part of the ongoing conflict between the two states over the Georgian province of South Ossetia. In a statement released via a replacement website built on Google’s blog-hosting service, the Georgian Ministry of Foreign Affairs said that a cyber warfare campaign by Russia is seriously disrupting many Georgian websites, including that of the Ministry of Foreign Affairs.

The DDoS attacks are so sustained that Georgian President’s web site has recently moved to Atlanta. The original servers located in the country of Georgia were “flooded and blocked by Russians” over the weekend, Nino Doijashvili, chief executive of Atlanta-based hosting company Tulip Systems Inc., said Monday. The Georgian-born Doijashvili happened to be on vacation in Georgia when fighting broke out on Friday. She cold-called the government to offer her help and transferred president.gov.ge and rustavi2.com, the Web site of a prominent Georgian TV station, to her company’s servers Saturday.

More defacements of news sites and popular Georgian portals started taking place as well. Two news websites run by breakaway South Ossetia were hacked on Tuesday morning, officials from the secessionist authorities said. The front page of the website of the news agency OSinform (osinform.ru), which is run by the breakaway region's state radio and television station IR, retained the agency's header and logo, but otherwise the entire page featured Alania TV's website content, including its news and images. Alania TV is supported by the Georgian government and targets audiences in the breakaway region. Another website of the breakaway region's radio and television station, osradio.ru, was also hacked. Alania TV has denied any involvement, saying it was itself surprised to see its content on the rival news agency's website.

Shortly after Civil.ge ran the story, it came under DDoS attack, and just like Georgia's Ministry of Foreign Affairs it switched to a Blogger account in case the site remained unavailable. Moreover, Shadowserver posted more details on the command and control servers used in the DDoS attacks:

With the recent events in Georgia, we are now seeing new attacks against .ge sites. www.parliament.ge & president.gov.ge are currently being hit with http floods. In this case, the C&C server involved is at IP address 79.135.167.22 which is located in Turkey. We are also observing this C&C as directing attacks against www.skandaly .ru. Traffic from your network to this IP or domain name of googlecomaolcomyahoocomaboutcom .net may indicate compromise and participation in these attacks.

Interest in cyber attacks as an adjunct to real-world conflict has increased since denial of service attacks took out the internet infrastructure of Estonia in April last year. The attacks coincided with a dispute over the relocation of WWII-era monuments and affected Estonian parliament, bank, newspaper and government sites.

The assaults were blamed on Russian nationalists. Estonian Foreign Minister Urmas Paet suggested that the Kremlin may have had a hand in the attacks but no hard evidence has emerged to substantiate this accusation. Only one person, a locally-resident ethnic Russian, was convicted over the attacks.

SQL Attacks Still Inject Websites Including Government Sites In US, UK

Friday, August 8th, 2008

A new round of SQL injection attacks (most likely by Asprox) has infected millions of web pages belonging to businesses and government agencies, including those that belong to the National Institutes of Health and the Education Department in the US and UK Trade & Investment. It seems that a lot of the domains involved are still (or again) active, typically using fast flux. The script being injected tends to be ngg.js, fgg.js, b.js or js.js, and it links to an IP address that is still active.

A simple Google search shows at least 1,470,000 infected pages, some from US and UK government websites that have been hit by the attack. The attack is rather popular and not hard to perform, which is worrying where government-run websites are concerned. About 591,000 or so are infected with b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest are a mixture of active and inactive links.

A quick breakdown by SANS shows the numbers of infected sites:

.gov - 238
.gov.au - 927
.gov.uk - 2,930
.gov.cn - 34,000
.gov.za - 424
.gov.br - 263
.com - 474,000
.org - 79,900
.com.au - 19,500
.co.uk - 19,300
.ca - 13,100

The high number of infected sites points to a couple of issues. First, sites are compromised and nobody notices; second, sites that are infected are not cleaned up. To check your own website, run the following Google search, replacing domain.com with your own website's domain. If this search returns results, you have to clean your website, since it is infecting its visitors:

site:domain.com "script src=http://*/" "ngg.js"|"js.js"|"b.js"

SQL injections take advantage of web developers who write applications that accept user-supplied data without inspecting it for malicious characters. The input is usually entered into search boxes or other fields that interact with the site’s SQL database. Commands in the entered data instruct the website to add links that redirect visitors to websites under the control of attackers.
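A defender-side check for the pattern described above, as an added example that is not part of the original article: it scans stored page content for injected external script tags (the ngg.js/fgg.js/b.js/js.js names listed earlier, or any script from an untrusted host), and contrasts the string-concatenated query that lets user input become SQL with its parameterized form. The table layout, trusted hosts and the injected.invalid domain are constructed for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Script file names the SANS breakdown above lists as injected by this campaign
INJECTED_SCRIPT_NAMES = {"ngg.js", "fgg.js", "b.js", "js.js"}

# Hosts allowed to serve scripts on the site being checked (constructed for the example)
TRUSTED_SCRIPT_HOSTS = {"www.example-site.test", "cdn.example-site.test"}

# Matches the src value of a <script> tag, with or without quotes around it
SCRIPT_SRC_RE = re.compile(r"<script[^>]*\bsrc\s*=\s*[\"']?\s*([^\"'\s>]+)", re.IGNORECASE)


def find_injected_scripts(html):
    """Return script URLs in `html` that look injected.

    A URL is flagged when its file name is one of the campaign's script names,
    or when it is absolute and points at a host the site does not trust.
    """
    flagged = []
    for src in SCRIPT_SRC_RE.findall(html):
        parsed = urlparse(src)
        name = parsed.path.rsplit("/", 1)[-1].lower()
        external = bool(parsed.netloc) and parsed.netloc.lower() not in TRUSTED_SCRIPT_HOSTS
        if name in INJECTED_SCRIPT_NAMES or external:
            flagged.append(src)
    return flagged


def scan_content_table(conn):
    """Scan every stored page body and return {page_id: [flagged urls]}."""
    hits = {}
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        found = find_injected_scripts(body)
        if found:
            hits[page_id] = found
    return hits


def search_pages_vulnerable(conn, term):
    # Vulnerable pattern: the user-supplied term is pasted into the SQL text,
    # so any quote character in it is parsed as part of the statement.
    sql = "SELECT id FROM pages WHERE title LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_pages_safe(conn, term):
    # Hardened pattern: the term is bound as a parameter, so its contents are
    # treated purely as data and never parsed as SQL.
    sql = "SELECT id FROM pages WHERE title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def concatenated_query_fails(conn, term):
    """True when the string-built query cannot even be parsed for this term."""
    try:
        search_pages_vulnerable(conn, term)
    except sqlite3.OperationalError:
        return True
    return False


def build_sample_db():
    """In-memory table (constructed) with one clean page and one carrying an injected tag."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", [
        ("Jobs at O'Reilly", '<p>Openings</p><script src="/js/site.js"></script>'),
        ("Recruitment news", '<p>Latest</p><script src=http://injected.invalid/ngg.js></script>'),
    ])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    print("injected scripts:", scan_content_table(db))
    print("safe search for O'Reilly:", search_pages_safe(db, "O'Reilly"))
    print("concatenated query breaks on an apostrophe:", concatenated_query_fails(db, "O'Reilly"))
```

An ordinary apostrophe is enough to show that the concatenated query hands user input to the SQL parser; the bound-parameter version returns the expected row regardless of what the term contains.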

Malaysian Kaspersky Antivirus Website Has Been Hacked In An SQL Injection Attack

Monday, July 21st, 2008

According to Zone-h.org, the official Malaysian Kaspersky Antivirus website was hacked yesterday by a Turkish cracker. Along with it, the same cracker hacked the official Kaspersky online shop and several of its other subdomains. The attacker gave "patriotism" as the reason behind the attack. It seems that SQL injection was the technique used to carry out the intrusion.

Both websites had their home pages defaced, as well as several other secondary pages. The incident, though it appears to be a simple website defacement, might carry big risks for end users, because evaluation copies of Kaspersky Antivirus are distributed to the public from both websites. In theory, the attacker could have uploaded trojan-infected versions of the antivirus, in this way infecting unaware users attempting a download from a trusted Kaspersky file repository.

According to Zone-h's archive, since 2000 there have been 36 web site defacements of international Kaspersky sites, with Kaspersky's French site getting hacked numerous times during the last few years. No malicious software was served in those incidents, but it looks like an ongoing trend of web site defacements.

There’s no indication of a malware attack at the site and it seems that users are not at risk in this case. Nevertheless, the attack should be taken very seriously since it could result in a situation where a security vendor’s site is infecting its visitors with malware. Kaspersky.com.my remains offline, presumably in an attempt to audit the site for web application vulnerabilities before putting it back online.

Remote Code Execution Vulnerability In The ActiveX Control For The Microsoft Access Snapshot Viewer Added Into Neosploit

Saturday, July 19th, 2008

More than two weeks ago Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. Microsoft began investigating active, targeted attacks leveraging this potential vulnerability. Recently, Symantec honeypots began detecting the vulnerability in the Access Snapshot Viewer ActiveX control exploited in a Neosploit wrapper. The Neosploit toolkit is an advanced exploit framework to compromise web site visitors.

The ActiveX control for the Snapshot Viewer for Microsoft Access enables you to view an Access report snapshot without having the standard or run-time versions of Microsoft Office Access. The vulnerability only affects the ActiveX control for the Snapshot Viewer for Microsoft Office Access 2000, Microsoft Office Access 2002, and Microsoft Office Access 2003.

The ActiveX control is shipped with all supported versions of Microsoft Office Access except for Microsoft Office Access 2007. The ActiveX control is also shipped with the standalone Snapshot Viewer.

An attacker could exploit the vulnerability by constructing a specially crafted Web page. When a user views the Web page, the vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could gain the same user rights as the logged-on user.

This vulnerability was recently added into a new version of Neosploit. The attack consists of an encrypted block that is similar to some of the Mpack variants. This primary encoder serves the Access Snapshot exploit. Once this exploit has been attempted, the user is presented with a malicious iframe, which redirects the user to a copy of Neosploit. This adds an Access Snapshot exploit to the Neosploit repertoire, albeit in an unusual way. According to Symantec, this method of adding an exploit to Neosploit was chosen because the author does not control the source of Neosploit.

As is the case with most of these ActiveX attacks, they are being served by traditional Web sites that have themselves fallen victim to automated SQL injection attacks. Among those sites there are top-visited government, commercial, and hobby sites. The sites fall victim to SQL injection attacks and subsequently begin serving exploits to each of their visitors.

It is recommended that all Internet Explorer users, including those who do not have the Access Snapshot viewer installed, update their IPS signatures and set the kill bits mentioned in this Microsoft Security Bulletin. Switching from Internet Explorer to Firefox or Opera would also help you avoid this vulnerability (and probably many others).

Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites

Friday, July 18th, 2008

During the first two weeks of July 2008, Finjan detected over 1,000 unique website domains that were compromised by the Asprox toolkit attack. Each of the compromised domains included a reference to malware that was served by over 160 different domains across the Internet. Since the list of these malware-serving domains grows every day, this might be just the tip of the iceberg for the scope and impact of this attack.

Among the compromised websites Finjan found websites of respectable organizations, governmental institutes, healthcare organizations and other high-ranked websites. The malicious code is still being served by most of the websites and the toolkit is still in use.

Among the many websites that were compromised, there are various advertisement networks that were also used to direct users to compromised advertisements. One of the advertisement networks was atdmt.com, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.

Among compromised legitimate websites (on some of them the malicious code no longer exists) there are government websites:

marysville.ca.us, the official website of the City of Marysville, registered by Marysville Police Department.

www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.

www.sfgov.org, official website of the government of the City and County of San Francisco.

Compromised healthcare websites:

nhs.uk, the official website of the National Health Service in the UK.

samedical.org, the official website of the South African Medical Association.

Other compromised legitimate websites:

Cocacolabrazil.com

Snapple.com, one of the largest soft drink makers in the US

uci.edu, official website of the University of California

The Baltimore Times Website

BMW official site in Mexico

Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique also widely used by the well-known Storm botnet.

The attack toolkit is designed to inject a <script> tag into legitimate [.asp] webpages. Each of the 160 different domains hosting the .js file points to a location for the malicious file that was unique to each and every one of them. The malicious script exploits several vulnerabilities on the victim's machine in order to heighten the chances of successful exploitation: the MDAC vulnerability, the QuickTime rtsp vulnerability, and the AOL SuperBuddy ActiveX control code execution vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim's machine.

Sony USA PlayStation Website SQL Injected And Redirects Visitors To Fake Anti-Virus Scam

Wednesday, July 2nd, 2008

Sony's USA PlayStation website, a site with a very large number of daily visitors according to Alexa, has been the victim of an SQL injection attack. Sony PlayStation's site is another highly trafficked web site that has fallen victim to the continuing waves of massive botnet SQL injections (the ASProx botnet, for example).

The purpose of this wave of attacks seems to be to dupe users into installing the same fake anti-virus software SophosLabs discovered on .MOBI websites earlier this week. Numerous malicious websites making use of the unusual .MOBI top level domain attempted to load a script 'AD.JS' located in the root of each site. This in turn attempted to load another website, a fake anti-virus install site. The site pretends to do an online virus scan:

A bogus warning message is then displayed, saying that one or more of the following have been detected:

Trojan.Bakloma.A
Win32.Gattman.A
Trojan.Zapchas.F
JS.Blackworm.A
Trojan.Tibs.E
Win32.Netsky.P@mm
Trojan.Winsys
Trackware.Adctech2006
Downloader.TrafficSector
Adware.Roings

If you have seen/installed this software on your PC, consider running a trusted anti-virus as soon as possible, since your machine is infected.

After this, the user is encouraged to download and run an executable (installer.exe). This malware is detected as Mal/Packer by Sophos. If the installer was run, it installs more malicious files (Troj/FakeAV-AA) on the victim machine.

Visiting the affected PlayStation site runs a script that pretends to perform the same online security scan of your computer, and presents a bogus warning message you can see on the image above. Users frightened by the fake ‘warnings’ might rush to spend money on useless software.

The fact that the Sony PlayStation site has been attacked in this way suggests that someone with malicious intent could place other harmful malware there and infect a very high number of Sony PlayStation website visitors.

Sony PlayStation's site hasn't been specifically targeted by hackers; it was hit automatically along with thousands of other pages that were SQL injected with the malicious coldwop.com domain (yet another SQL injection attack by Chinese hackers). There are no reports of Sony PlayStation's database or customers' private details being compromised; the flaw in Sony's website only allowed injection of redirection code that loads a script from a malicious site.
