July 29, 2008
In This Issue
Tech Talk

SQL Injection and Collective Internet Attacks

Web-based SQL Injection attacks are nothing new; malicious hackers have been exploiting database injection flaws through insecure web pages since 1998 and will continue to use this attack vector for years to come. Historically, attackers have mainly used these attacks to bypass web logins, deface web sites or gain access to the back-end database content itself. Since their initial discovery, however, cybercrime activities have evolved dramatically. Gone are the days of the stereotypical basement-dwelling teenage hacker writing malware to get 15 minutes of fame. Attackers are now extremely organized, well-funded groups looking to make thousands of dollars from their exploits and malware by stealing marketable information from victims’ computers. The most efficient way of doing this is by performing what is called a Collective Internet Attack.

Collective Internet Attacks are quickly becoming the next generation of web-based attacks. They combine the elements of SQL Injection, web-based exploits, botnet tactics and malware so that hackers can compromise victims’ computers and steal sensitive marketable information (such as finance or identity related data). The first example of these attacks was unleashed in the first half of 2008, when a huge flux of SQL Injection attacks was used to compromise over a quarter of a million web pages across the internet in a matter of days. These attacks found their way through the defenses of a wide range of organizations, such as car dealers, online shopping sites, school / college home pages, software companies, local news sites, and even several government related sites. In addition to compromising the database in each of these attacks, the attackers inserted a malicious HTML link into each of these web sites. These links effectively turned each compromised page into a deadly virtual minefield. Anyone visiting one of these compromised websites would silently load the malicious link, which in turn attempted to exploit the browser and download malware directly onto the unsuspecting visitor’s computer. The installed malware then silently steals the user’s PII (personally identifiable information) and uploads it back to the attackers, completing the cycle.

So why are these new Collective Internet Attacks so difficult to handle, and why are they proving harder to protect against than traditional SQL Injection attacks? The answer lies in the nature and execution of these new attacks:

  • In the past, attackers had to use social engineering methods, such as sending victims emails or instant messages containing links to their malicious server, in order to trick the unsuspecting user. These new attacks do not require this step at all; victims are silently redirected to the attacker’s server simply by visiting an already compromised host.

  • Since there is no website ‘spoofing’ involved, many software and security measures that check the validity of the websites a user visits are useless against these new attacks.

  • Why not block the attacker’s host at the firewall level? This would stop some of these attacks, but the modern-day attacker has many ways of combating this as well, such as fast-flux networks and ‘randomized round-robins’ of botnet-compromised machines pressed into service as temporary attack servers on the fly.

    So how can web developers and administrators successfully combat these new attacks? By following the steps below, web developers and administrators can prevent their website from being targeted and used in a Collective Internet Attack.

    Do not trust any user-supplied input or outside data that you do not control directly.
  • Input fields supplied through URLs and HTML forms are the two biggest vectors for exploitation. Limit their use as much as possible – lower your attack surface area.
  • Sanitize ALL data from outside sources. Restrict data by content: do users really need to be able to send non-alphanumeric characters in these fields?
  • Do not implement your sanitization routines at the GUI level alone; make sure they are also applied in the actual processing code before data is sent to the database.
  • Utilize server protection tools designed to block SQL injection attempts, but realize that these are not silver bullets for this type of issue.
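    The four points above come together in code as allow-list validation in the processing layer plus parameterized (bound-parameter) queries. The Python below is an added example, not code from the newsletter or from eEye; the sqlite3 `users` table, the field rules and the sample rows are constructed for it. It places the vulnerable string-concatenation pattern next to a bound-parameter query, and routes every parameter through one shared validation routine so that a field which never legitimately needs non-alphanumeric characters never receives them.

```python
"""Added example (not from the newsletter): allow-list validation plus
parameterized queries, with the vulnerable concatenation pattern beside it.

Uses the standard-library sqlite3 module; the 'users' table, its columns,
the field rules and the sample rows are all constructed for this example.
"""
import re
import sqlite3

# One shared validation routine that every request parameter passes through.
# Each field gets an allow-list: if a field never legitimately needs
# non-alphanumeric characters, it does not get them.
FIELD_RULES = {
    "username": re.compile(r"[A-Za-z0-9_]{1,32}"),
    "product_id": re.compile(r"[0-9]{1,9}"),
}


class ValidationError(ValueError):
    """Raised when a request parameter fails its allow-list."""


def validate(field, value):
    """Return value unchanged if it matches the field's allow-list, else raise.

    Runs in the processing code, not (only) in the browser, so it cannot be
    bypassed by submitting a request directly to the server.
    """
    rule = FIELD_RULES.get(field)
    if rule is None:
        raise ValidationError(f"no validation rule for field {field!r}")
    if not isinstance(value, str) or rule.fullmatch(value) is None:
        raise ValidationError(f"rejected value for field {field!r}")
    return value


def is_valid(field, value):
    """Boolean convenience wrapper around validate()."""
    try:
        validate(field, value)
        return True
    except ValidationError:
        return False


def setup_db():
    """Constructed in-memory database with two sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_user_unsafe(conn, username):
    """Vulnerable pattern: untrusted input pasted into the SQL text."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_user_param_only(conn, username):
    """Bound parameter, no validation: the input can only ever be a string value."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def lookup_user_safe(conn, username):
    """Hardened: allow-list validation first, then a bound parameter."""
    return lookup_user_param_only(conn, validate("username", username))


def demo():
    """Compare the three lookups on a classic tautology string and a normal name."""
    conn = setup_db()
    hostile = "' OR '1'='1"  # constructed tautology input
    unsafe_rows = lookup_user_unsafe(conn, hostile)      # every row comes back
    param_rows = lookup_user_param_only(conn, hostile)   # treated as a literal: no rows
    safe_result = "accepted" if is_valid("username", hostile) else "rejected"
    return len(unsafe_rows), len(param_rows), safe_result, lookup_user_safe(conn, "alice")


if __name__ == "__main__":
    print(demo())
```

    The bound parameter alone is what removes the injection; the allow-list on top of it is the "lower your attack surface" step, and because `validate()` is one function, tightening a rule later is a single change rather than a hunt through every page.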

    Thorough use of web-security and secure programming throughout the entirety of your public facing web site.
  • Attackers use automated applications and botnet-compromised machines that use search engines to find your website (just like legitimate users do). These then crawl through every link and every input field of your web pages, systematically testing them for weaknesses.
  • There is no sense in implementing security on some areas of your site while others are left exposed.
  • Use a global sanitization function that all input runs through; this makes changes and updates easier to manage.
  • Review your logs regularly; attackers will typically generate a lot of traffic requests and garbage data. Logs can provide an inside view of the tactics attackers are using and help you develop defenses to mitigate them.
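    Reviewing logs the way the last point suggests can be partly automated. The Python below is an added example, not from the newsletter or from eEye; the access-log lines, client addresses and paths are constructed, and the marker patterns and thresholds are assumptions a site would tune to its own traffic. It URL-decodes each query string, looks for SQL fragments that have no business in a numeric or short-text parameter, and counts per client both the hits and the 5xx responses that garbage data tends to produce.

```python
"""Added example (not from the newsletter): a first-pass review of web server
access logs for the traffic pattern the article describes, i.e. one client
hammering input fields with SQL fragments and generating server errors.

The log lines, addresses, paths and thresholds below are all constructed
for this example; a real site tunes the markers and thresholds to its traffic.
"""
import re
from collections import Counter, defaultdict
from urllib.parse import unquote_plus

# Constructed combined-format access log. 10.0.0.5 browses normally;
# 192.168.1.20 probes the same pages with SQL fragments in the query string.
SAMPLE_LOG = """\
10.0.0.5 - - [29/Jul/2008:10:00:01 -0700] "GET /products.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [29/Jul/2008:10:00:03 -0700] "GET /news.asp?story=7 HTTP/1.1" 200 3011 "-" "Mozilla/4.0"
192.168.1.20 - - [29/Jul/2008:10:00:05 -0700] "GET /products.asp?id=12%27 HTTP/1.1" 500 1220 "-" "Mozilla/4.0"
192.168.1.20 - - [29/Jul/2008:10:00:06 -0700] "GET /products.asp?id=12+UNION+SELECT+1,2,3 HTTP/1.1" 500 1220 "-" "Mozilla/4.0"
192.168.1.20 - - [29/Jul/2008:10:00:07 -0700] "GET /news.asp?story=7+AND+1=1 HTTP/1.1" 200 3011 "-" "Mozilla/4.0"
192.168.1.20 - - [29/Jul/2008:10:00:08 -0700] "GET /products.asp?id=12%3BDROP+TABLE+users-- HTTP/1.1" 500 1220 "-" "Mozilla/4.0"
"""

# Minimal combined-log parser: client, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)

# Fragments that should not appear in a numeric or short-text parameter.
# Matched against the URL-decoded query string so %27 and '+' cannot hide them.
SQLI_MARKERS = [
    ("quote", re.compile(r"'")),
    ("sql_keyword", re.compile(
        r"\b(?:union\s+select|select\b.*\bfrom|insert\s+into|drop\s+table"
        r"|exec(?:ute)?\b|declare\s+@)", re.I)),
    ("tautology", re.compile(r"\b(?:or|and)\s+\w+\s*=\s*\w+", re.I)),
    ("comment_or_stacked", re.compile(r"--|/\*|;")),
]


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    path, _, query = rec["path"].partition("?")
    rec["path"] = path
    rec["query"] = unquote_plus(query)  # decode before inspecting
    return rec


def suspicious_markers(query):
    """Names of the marker classes found in a decoded query string."""
    return [name for name, pat in SQLI_MARKERS if pat.search(query)]


def review(log_text):
    """Per-client counts of requests, marker hits and 5xx responses."""
    per_ip = defaultdict(lambda: {"requests": 0, "suspicious": 0,
                                  "server_errors": 0, "markers": Counter()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip it rather than abort the review
        stats = per_ip[rec["ip"]]
        stats["requests"] += 1
        if rec["status"] >= 500:
            stats["server_errors"] += 1
        hits = suspicious_markers(rec["query"])
        if hits:
            stats["suspicious"] += 1
            stats["markers"].update(hits)
    return dict(per_ip)


def flagged_clients(log_text, min_suspicious=2, min_errors=3):
    """Clients worth a closer look: repeated marker hits or a burst of 5xx errors.

    Thresholds are assumptions. A single apostrophe in a free-text search box
    is not an attack, which is why one hit alone does not flag a client.
    """
    return sorted(ip for ip, s in review(log_text).items()
                  if s["suspicious"] >= min_suspicious or s["server_errors"] >= min_errors)


if __name__ == "__main__":
    for ip, stats in sorted(review(SAMPLE_LOG).items()):
        print(ip, stats["requests"], stats["suspicious"],
              stats["server_errors"], dict(stats["markers"]))
    print("flagged:", flagged_clients(SAMPLE_LOG))
```

    The per-client marker counter is the part that gives the "inside view" the article mentions: which parameters are being probed and with what kind of fragment tells you where to tighten validation first, and a client that trips both thresholds is a natural candidate for the firewall rules the earlier bullets discuss.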

    Test your website periodically with web tools that help identify and mitigate web vulnerabilities. If this cannot be done on a production site, make a mirrored backup and test against the mirrored site.
  • Use more than one vulnerability assessment software package to check your website. A second option could expose threats the first one missed.
  • Implement protection software on the host and retest; make sure your IPS or firewall software is functioning properly.
  • Hire outside consultants to help verify the effectiveness of your security measures and secure coding practices.

    Make sure your software and operating system are updated
  • Every day attackers find dozens of web-based vulnerabilities that they use to compromise websites. Ensure your servers’ operating system, database software, web software AND all of their modules and sub-applications are the latest version. Think of your website and all of its modules as a chain: it only needs one weak link to be broken.

    For those of you who are visual learners, here is a graphical representation of how Collective Internet Attacks are deployed and used to compromise web hosts and their website visitors.

    [Diagram: deployment of a Collective Internet Attack; image not reproduced in this text version]

    As Collective Internet Attacks become increasingly advanced and attackers compromise more and more systems, web site owners have been forced to analyze their current web pages and determine whether they are susceptible to these attacks. How prepared is your web development team to combat these threats? Maybe now is the time to review your current security policies and begin taking proactive steps to ensure that your web pages are protected from these attacks. Securing your site against these attacks will not only help protect your business, but it will also help protect every (potential) customer who visits it.

    Source: Greg Linares, Research Engineer

    News & Articles
    The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

    2008 CRN Emerging Vendors: Creating A Ruckus
    "Upstart vendors make names for themselves in the channel" Full Article

    How Secure Is Your Company?
    "To protect your business, think like a thief. Proactive network security measures hardly ever get the attention and commitment they deserve, yet in almost every case an ounce of prevention is worth a pound—or more—of cure." Full Article

    Virus Bulletin Product Review: eEye Digital Security Blink Professional 4.0
    "Blink Professional 4.0 Product Review" Full Article

    View All Media Coverage
    "eEye and its security solutions have been covered by numerous press and media associations." Full Article

    Reader Q&A

    Q: Is the DNS flaw as serious as everyone is claiming?

    A: Yes. Although the fix for the vulnerability may seem quite simple, the fact that many DNS servers (i.e. those run by ISPs) are out of the control of users and administrators makes the threat very serious. eEye suggests that users contact their ISPs if they notice that their ISPs are failing one of the many online DNS source port randomization tests.

    Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

    Announcements

    eEye To Offer 25% Discount Channel Conversion Incentive to Entice Symantec Partners
    eEye to offer a 25% discount to former Symantec resellers who join the eEye Partner Program or change a Symantec renewal opportunity into an eEye purchase Full Article

    eEye Rises to “Positive” in Key Analyst Ranking by Gartner
    eEye Digital Security Receives "Positive" Ranking in Gartner Vulnerability Assessment MarketScope Report Full Article

    eEye Digital Security Named a CRN Emerging Tech Vendor
    eEye Digital Security is named by CRN as an Emerging Technology Vendor Full Article

    View All Articles and Announcements
    eEye and its security solutions set have introduced a number of newsworthy security advisories and security technology deliveries that have been covered by the press. Select any of the links below to view more details regarding our most recent articles and announcements. Full Article

    Etcetera

    Stay Up-to-Date with eEye Research
    eEye Research has seen some staggering results from the recent influx of Blink Personal/Neighborhood Watch users. This data is giving eEye Research distinct insight into host-based vulnerability and attack trends, which is used to build enhanced protection into Blink. Keep an eye on the eEye Research Portal http://research.eeye.com/ for future projects that have arisen because of the mass use of Blink Personal, including Neighborhood Watch reports and attack trends. More

    Vulnerability Expert Forums
    The monthly Vulnerability Expert Forum focuses on recently announced critical vulnerabilities - from Microsoft and other software vendors. eEye's Internet security experts will describe the actions necessary to protect your systems from the threats that target these vulnerabilities. More

    HOW TO SUBSCRIBE
    To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

    FEEDBACK
    The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

    DISCLAIMER
    The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

    NOTICE
    Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.