Latest SQL injection attack quickly spreads malicious JavaScript
By Scott M. Fulton, III | Published August 26, 2009, 6:27 PM
One of the more bizarre architectural elements of HTML that may still be excused with the phrase, "This behavior is by design," is the ability of a floating frame created with the <IFRAME> element to be rendered effectively invisible (or so small that it goes unseen) and then to run JavaScript code. It's a trigger for a disaster; and pressing that trigger tens of thousands of times today is a particularly virulent SQL injection attack, the evidence of which can be detected through a simple Google search: Wednesday afternoon, Betanews discovered about 82,800 compromised pages appearing in Google's index for just one of the actual malicious triggers -- probably just a fraction of the actual number of cases. And there are multiple triggers.
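The injected trigger described above is an iframe that a visitor never sees: zero or one pixel in size, hidden by CSS, or pushed off-screen, pointing at a page that serves the script. One way a site owner can check their own pages for that pattern is to scan the served HTML for iframes with those properties. The scanner below is an added example written for this article, not code from Betanews or ScanSafe; the two page fragments it checks are constructed, and the hostnames in them are placeholders.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (placeholder hostnames, not real indicators).
# The first carries a normal, visible video embed; the second carries the
# kind of hidden iframe the article describes.
CLEAN_PAGE = """<html><body>
<h1>Product reviews</h1>
<iframe src="https://video.example.org/embed/123" width="560" height="315"></iframe>
</body></html>"""

INFECTED_PAGE = """<html><body>
<h1>Product reviews</h1>
<iframe src="http://malicious.invalid/x.htm" width=0 height=0 style="display:none"></iframe>
<p>Some legitimate content.</p>
<iframe src="http://malicious.invalid/y.htm" width="1" height="1"></iframe>
<iframe src="http://malicious.invalid/z.htm" style="position:absolute; left:-9999px"></iframe>
</body></html>"""


class HiddenIframeScanner(HTMLParser):
    """Collects <iframe> tags whose attributes suggest they are meant to be unseen."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        reasons = []

        # Dimensions of 0 or 1 pixel (as attribute or as inline style).
        style = a.get("style", "").replace(" ", "").lower()
        for dim in ("width", "height"):
            m = re.match(r"\s*(\d+)", a.get(dim, ""))
            if m and int(m.group(1)) <= 1:
                reasons.append(f"{dim} attribute is {m.group(1)}")
            m = re.search(rf"{dim}:(\d+)(?:px)?(?:;|$)", style)
            if m and int(m.group(1)) <= 1:
                reasons.append(f"{dim} style is {m.group(1)}")

        # Hidden outright, or positioned far off the visible area.
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if re.search(r"(?:left|top):-\d{3,}", style):
            reasons.append("positioned off-screen")

        if reasons:
            line, _ = self.getpos()
            self.findings.append({"line": line, "src": a.get("src", ""), "reasons": reasons})


def find_hidden_iframes(html):
    """Return a list of suspicious iframes found in an HTML document."""
    scanner = HiddenIframeScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("infected", INFECTED_PAGE)):
        hits = find_hidden_iframes(page)
        print(f"{name}: {len(hits)} suspicious iframe(s)")
        for h in hits:
            print(f"  line {h['line']}: {h['src']} ({', '.join(h['reasons'])})")
```

Run it over HTML fetched from your own site (or over a database dump of page content, which is where a SQL injection of this kind actually lands the markup); any hit whose `src` you do not recognise is worth treating as a compromise indicator.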
The plague was first reported last Friday by security services provider ScanSafe. In an update filed today, its engineers report that as the number of infected sites grows, their geography becomes more pronounced instead of less. It's as if the source of the injection, whatever it is, is targeting Chinese sites.
A similar attack occurred in the spring of last year, once again appearing to target Chinese sites. Once infected, the sites deliver <IFRAME> code to their users that starts the download of executable binary code, and apparently even launches that code. Last May, security researchers discovered a new round of SQL injection attacks, also appearing to target China.
While some security software firms have posited the theory that malicious sources outside China are targeting that country in response to reports that it is supporting suppressions of ethnic-related uprisings, a more viable theory is that the latest wave -- like the May 2008 wave discovered by Armorize Technologies, a security firm with assets in China -- is itself based in China.
Though the motivation behind this latest attack was not known, the most plausible theory presented for the motive in the May 2008 attack came from Trend Micro: Information that the malicious payload sent back to its host indicated that the host was hunting for data related to gaming, perhaps finding statistics about players' assets holdings in virtual worlds. Armed with that information, a malicious gamer could conceivably manipulate entire virtual economies.
BETACHECK
For more:
"SQL Injection Attacks by Example" by Steve Friedl, a brilliant but straightforward essay demonstrating exactly how a typical SQL injection attack is carried out.
"Using UrlScan" -- Documentation from Microsoft on setting up and running UrlScan 3.0 utility with IIS 7.0.
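Since the Friedl essay linked above covers the attack side, here is the defensive half in code: the same lookup written with string concatenation (the flaw that lets an attacker alter the query, and so the stored page content) and with a parameterized query that treats the input as a literal value. This is an added example written for this article, not code from Betanews or from any of the vendors it names; the in-memory SQLite table and its rows are constructed.

```python
import sqlite3


def make_db():
    """Build a small in-memory table of site pages (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (title, body) VALUES (?, ?)",
        [("Home", "<p>Welcome</p>"), ("About", "<p>About us</p>")],
    )
    conn.commit()
    return conn


def lookup_unsafe(conn, title):
    # Vulnerable: the caller's string becomes part of the SQL text, so a quote
    # character in it ends the literal and the rest is parsed as SQL.
    sql = "SELECT id, title FROM pages WHERE title = '" + title + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, title):
    # Parameterized: the driver sends the value separately from the SQL text,
    # so it can only ever be compared as a string, never parsed as SQL.
    return conn.execute(
        "SELECT id, title FROM pages WHERE title = ?", (title,)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    benign = "Home"
    # The classic tautology from the Friedl essay, used here only to show the
    # difference between the two query styles.
    crafted = "x' OR 'a'='a"
    print("unsafe, benign :", lookup_unsafe(conn, benign))
    print("unsafe, crafted:", lookup_unsafe(conn, crafted))
    print("safe,   benign :", lookup_safe(conn, benign))
    print("safe,   crafted:", lookup_safe(conn, crafted))
```

The crafted input makes the concatenated query return every row, while the parameterized one returns nothing because no page has that literal title. The same principle applies to `UPDATE` statements, which is how an injection ends up writing iframe markup into every text column of a content table; a filter such as UrlScan can block some request patterns at the web server, but parameterized queries remove the flaw rather than screening for it.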
I told you all that OffByOne was the Best Browser Ever™! Malicious JavaScript? No problem! JavaScript Pop-Ups? No Problem!
All you people with your fancy "extensions" and your "Web 2.0" are all missing out on the Real Internet™....you can only get it with OffByOne.
Use anything else and you *will* be sorry.
No, seriously. I'm not joking this time. Really. I'm not posting this from Firefox. *cough*
Score: 1
|An off-by-one error (OBOE) is a logical error involving the discrete equivalent of a boundary condition. It often occurs in computer programming when an iterative loop iterates one time too many or too few.
Usually this problem arises when a programmer fails to take into account that a sequence starts at zero rather than one (as with array indices in many languages), or makes mistakes such as using "is less than or equal to" where "is less than" should have been used in a comparison.
This can also occur in a mathematical context.
http://en.wikipedia.org/wiki/Off-by-one_error
Who knew...??? ;)
Score: 0
|*laughing*
My...that was a little ADHD...
Randomness FTW!
Score: 0
|Damn, bowlingballreviews.com has been infected with this SQL Injection attack. Now what?
Score: 1
|While you're at it, better avoid the following sites:
barbielovesken.com
catlittertips.com
hairyknuckles.com
emptycans.com
betweenyourteeth.com
and
heehawreruns.com
Score: 0