Security Adviser | Roger A. Grimes » Thousands of Web sites under attack

March 21, 2008 | Comments: (0)

Thousands of Web sites under attack

TAGS: Internet Security

Organized criminal groups are hacking Web sites by the tens of thousands to steal money, identities, and passwords.

On March 12, McAfee's AVERT labs reported 10,000 Web pages using Active Server Pages (ASP) had been infected through SQL injection. A few days later, Microsoft employee Neil Carpenter detected 14,000 maliciously-modified Web pages. After the initial SQL injection, the automated attack injected a malicious Javascript or Iframe code to redirect visitors to criminal-controlled Web sites. The malicious Web sites then attempted to invisibly exploit end-users using multiple, previously patched vulnerabilities, or if no vulnerabilities were found, attempted to socially engineer the visitor into running additional software.

Following on the heels of this massive scale attack was another automated attack that made the first one seem small. McAfee reported more than 200,000 Web pages infected by an automated attack against phpBB software. phpBB is an open source Internet forum software product written in php. Users visiting an infected Web site were socially engineered into running additional (malicious) software programs.

Web site hacking is very popular. Zone-h, which tracks web site defacements, reported almost 500,000 hacked Web sites in 2007. And this is obviously a serious under-count, as most of Zone-h's data is self-reported by the hackers who hacked the Web sites. The professional criminal gangs involved in the majority of the Web hacks today don't report their activities to Zone-h. Even more interesting is Zone-h's track of the mechanism the hacker used to attack the Web site. By far the most popular method was simple password sniffing/cracking/guessing, but they track attacks against the DNS servers and routers that protect the Web servers.

One of the biggest changes over the past year, as reported by Google and this column, is the inclusion of malicious advertisements on legitimate Web sites. Many legitimate sites end up unintentionally carrying advertisements from malware providers.

Perhaps the most interesting new Web hack trend is where inputted search phrases end up causing malicious cross-site scripting or poison normal search results. In the former attack, malicious hackers input dozens to hundreds of search strings into the search feature of a Web site that are in reality cross-site scripting attacks. In the latter hack method, the attacker poisons a legitimate search Web site by inputting hundreds to thousands of search strings to bring back specific malicious Web sites. An innocent user searching on the same key terms is inadvertently redirected to the malicious Web sites that have been artificially raised up in the search engine's rankings (based on the previous poisoned searches). Trying to prevent this latter type of attack is a new challenge for Internet search engines.

Web site penetration testers will tell you that most sites of even moderate complexity are hackable. The best Web site hackers say that no site is secure. Although that statement is certainly hyperbole, it isn't grossly inaccurate. There are probably more hackable Web sites than completely secure Web sites in the world.

If you're an administrator trying to protect yourself or end-users, it's important to understand and communicate that trusted Web sites can no longer be considered non-malicious. Dozens of recent research papers have reported how millions of legitimate Web sites are being infected by malicious criminal gangs.

Not that infected legitimate Web sites are anything new. I remember one of the world's most popular Web sites trying to infect my computer (unsuccessfully) with the Nimda worm in September 2001. What has changed is that infected sites are no longer an acute problem or something to be aware of only during significant malware outbreaks (Santy worm, Code Red worm, and the like). It's now systematic and a minority part of the Web all the time, 24/7.

From an end-user perspective it's important to be aware of this fact, so that no Web site is fully trusted. Next, make sure your operating system and applications are fully patched. My favorite online patch scanner is Secunia's Software Inspector. Being fully patched significantly decreases the risk of malicious compromise. Third, if unexpectedly prompted to install new software when visiting a Web site, ensure that you really are installing legitimate, needed software. If the Web site states you need a new media codec, media viewer, or Microsoft Windows patch (the most common malicious ploys), be very skeptical.

If you manage one or more Web sites, you've got to protect yourself. First, hack yourself before a malicious hacker does. If your site contains SQL, download and use any of the number of free SQL injection scanners against your site(s). Make sure the Web site is not susceptible to cross-site scripting. Use router access control lists, firewalls, and other security controls. Make sure your Web server software and its operating system are fully patched, and that administrative passwords are sufficiently strong. Refer to the OWASP Top 10 list for the most popular Web site vulnerabilities.

Finally, make sure your Web site developers follow the Security Development Lifecycle when programming. Be careful when reusing free Web gadgets and code snippets. These are often insecure, with many intentionally coded by malware authors hoping for indiscriminate use. Securing Web server software is fairly easy. Securing a Web server application is fairly hard.

Educating technical staff and users is also hard. It's important to update your company's secure computing educational material to include the growing threat of malicious modified legitimate Web sites. It's a new way of thinking, and most end-users haven't made the mental update, yet. You can help them.

Posted by Roger Grimes on March 21, 2008 03:00 AM

RATE THIS ARTICLE: