  Cabal Premium join:2007-01-21 Boston, MA
| New MS SQL attack infects thousands of servers
»www.trustedsource.org/blog/142/N···Machines
quote: The SQL statement itself scans through all of the tables in the database, inserting the attack author's own HTML into the contents of each page. This ultimately causes the web server's visitors to, depending on their client, be sent one of many different forms of malware from the referred pages. Similar to phishing, this attack takes advantage of the website visitor's trust in the site they are visiting. Instead of phishing for information, however, malware is sent to the client, which the client has a higher likelihood of accepting being from a trusted site.
»www.scmagazineuk.com/Thousands-o···/115338/
quote: As of today, this attack is still working and ongoing. We are seeing evidence of successful exploitation attempts across hundreds of web pages. These web pages are associated with web sites from around the world and supplying various content including government sites, sales sites, real estate sites, and financial information sites among others, the company added.
-- Interested in open source engine management for your Subaru?

| mysec Premium join:2005-11-29
| These headlines certainly are alarmist! One from a few months ago noted 10,000 sites affected.
Not that we shouldn't be concerned, but SQL is essentially a server problem. We clients can fall victim, of course, but it's just another method of triggering an attack.
The exploits usually fall into two categories:
1) downloading malware
2) setting up a phishing attempt.
Nothing new here.
The w.js file referenced in the first article in your post has been around. Here is one instance:
jjmaobuduo.3322.org/csrss/w.js »s3cwatch.wordpress.com/2008/08/0···srsswjs/
These files serve up a number of exploits, hoping to find a vulnerability in the user's computer.
The yahoo.htm file was noted here:
http://www.dslreports.com/forum/r20908087-Myyahoo-downloading-trojans
The office.htm file makes use of the Snapshot Viewer ActiveX vulnerability. As of Patch Tuesday it had not been fixed. I'm not sure if anything new has been issued since.
For those who aren't aware of that exploit, here is an analysis I did:
»www.urs2.net/rsj/computing/tests/snapview/
The sans.org link I reference has a good analysis of w.js:
More SQL Injections - very active right now »isc.sans.org/diary.html?storyid=4844
While the triggering methods change and become more sophisticated, the end result payloads are pretty much the same and are easily prevented.
Phishing and other social engineering methods require user decisions and these are often more difficult to prevent, depending on the user's knowledge, awareness, and intuition/instinct.
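The SQL statement described in the trustedsource quote above writes the attacker's HTML into every table it can reach, and mysec's point is that the resulting payload is easy to spot. As an added example, not code from the thread or from either author, this Python scanner walks a database catalog and flags rows whose text columns carry an injected external script include; it uses sqlite3 and a constructed sample so it runs offline, and on MS SQL the same walk would read INFORMATION_SCHEMA.COLUMNS instead of sqlite_master and PRAGMA table_info.

```python
import re
import sqlite3

# Injected external script include, e.g. <script src=http://host/w.js></script>
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=", re.IGNORECASE)


def quote_ident(name):
    """Quote a catalog-supplied identifier so odd table/column names cannot break the query."""
    return '"' + name.replace('"', '""') + '"'


def text_columns(conn):
    """Yield (table, column) for every CHAR/TEXT-like column, read from the catalog."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        rows = conn.execute(f"PRAGMA table_info({quote_ident(table)})").fetchall()
        for _cid, name, ctype, *_rest in rows:
            if any(k in (ctype or "").upper() for k in ("CHAR", "TEXT")):
                yield table, name


def find_injected(conn):
    """Return [(table, column, rowid, snippet)] for rows whose text holds a script include."""
    hits = []
    for table, col in text_columns(conn):
        sql = (f"SELECT rowid, {quote_ident(col)} FROM {quote_ident(table)} "
               f"WHERE {quote_ident(col)} LIKE '%<script%'")  # cheap prefilter; regex confirms
        for rowid, value in conn.execute(sql):
            match = SCRIPT_SRC.search(value or "")
            if match:
                hits.append((table, col, rowid, value[match.start():match.start() + 60]))
    return hits


def build_sample_db():
    """Constructed sample DB (not real data): one row per table carries an injected include."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE pages (id INTEGER PRIMARY KEY, title VARCHAR(100), body TEXT);
        CREATE TABLE products (id INTEGER PRIMARY KEY, name NVARCHAR(50), price REAL);
        INSERT INTO pages VALUES (1, 'Home', 'Welcome to the site.');
        INSERT INTO pages VALUES (2, 'About', 'About us.<script src=http://example.invalid/w.js></script>');
        INSERT INTO products VALUES (1, 'Widget<script src="http://example.invalid/w.js"></script>', 9.99);
        INSERT INTO products VALUES (2, 'Gadget', 19.99);
    """)
    return conn


if __name__ == "__main__":
    for table, col, rowid, snippet in find_injected(build_sample_db()):
        print(f"{table}.{col} rowid={rowid}: {snippet!r}")
```

The report lists the table, column and row of every hit, which is what a cleanup script needs before it starts stripping the injected markup.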
----
| Killler Maxxx @rr.com
| reply to Cabal
said by Cabal: We are seeing evidence of successful exploitation attempts across hundreds of web pages.
As long as they remain successful "attempts" we are in no danger. Hopefully they don't break in and cause an actual infection.

| Kayrac Premium join:2001-09-29 Rochester, NH
| reply to Cabal
This is one of the first types of malware I really figured out how to analyze.
I've never seen the 'client' affect what you get redirected to, but I guess that's quite possible. That being said, these all link to websites set up that just exploit vulnerabilities; most of the time the vulnerability is actually the page name (real.html), sometimes not. If people would update their software they would be 100% in the clear from this attack, btw.
-brian

| therube join:2004-11-11 Randallstown, MD
1 edit | reply to Cabal
quote: New MS SQL attack infects thousands of servers
Is this really "new"?
"Mass Attack FAQ" »hackademix.net/2008/04/26/mass-attack-faq/
So this was known, at minimum 4 months ago. Sounds like someone is not doing their job.
Seems to me, we're seeing more of the same, more of the same, more of the same. Time & time again. A twist here, a twist there, but all these recent reports seem to be coming full circle.
Flash, ActiveX, vbscript, JavaScript, injections, XSS, you name it. You've seen it before, you'll see it again.