Malware in the safezone

What do the Association of Tennis Professionals (ATP) and Sony’s PlayStation – specifically the games SingStar Pop and God of War – have in common?

In the last two months, the websites of both organisations have been hit by ‘SQL injection’ attacks that planted code capable of downloading malware onto visitors’ PCs. Both sites are high-traffic (ATP was infected in the lead up to Wimbledon), and both had their security failings aired in public by security firm Sophos.

“Our aim is to never cause any embarrassment to the affected organisation (they are after all the victims of a criminal act), but to notify the Internet community and our customers,” claims Mark Harris, director of Sophos.

Visitors to the Sony games sites were shown a fake online security scan and flashing warnings intended to scare inexperienced users into buying a dubious antivirus program that would ‘fix’ the problem – in the process collecting their credit card details. Internet veterans might say that is simply a case of caveat emptor, but Sophos executives argue that once a site is compromised it is “trivial” for a cyber-criminal to alter the payload into something more sinister, such as a keylogger.

Sony quickly fixed the problem in the wake of the negative publicity. But many companies fail to react: “It is not uncommon to receive no response from the owners of an infected website [when notified of an exploit by Sophos], and to still find it infected days later,” Harris says. “During that time, hundreds if not thousands of innocent Internet users could have been unwittingly hit by the malware infection.”

Bad queries

SQL injection attacks are fairly simple. The attacker either targets a site directly or uses an advanced Google search string to discover vulnerable sites, then attacks the database behind the target website by submitting crafted SQL through form fields that are not validated (such as name and address boxes). A vulnerable database will happily perform functions such as emailing user lists and ‘forgotten’ passwords to cyber-criminals, while more malevolent scripts can “drag in even more malicious code,” explains senior Sophos consultant Graham Cluley, and even serve it to visitors with vulnerable browsers.

“Some people regularly go through their databases removing the scripts, but they don’t change the underlying problem and get re-infected almost immediately,” he says.

Expensive security appliances are a remedial approach, but good programming alone is enough to prevent most attacks. “If fields ask for a name, limit them to a maximum of 25 characters and don’t allow brackets,” Cluley suggests.
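As an added illustration of the points above (example code, not from the article or from Sophos): a form-field lookup written the vulnerable way beside its parameterised form, Cluley’s 25-character/no-brackets rule as a validator, and a scan for injected script tags of the kind site owners were stripping from their tables. The table, rows and host name are constructed for the example.

```python
import re
import sqlite3

def build_db():
    # Constructed in-memory stand-in for a site's user table (sample rows,
    # not data from the article).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.com"), ("bob", "bob@example.com")])
    return db

def lookup_unsafe(db, name):
    # Vulnerable pattern: the form value is spliced into the SQL text, so a
    # quote in the input changes the meaning of the query.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return db.execute(sql).fetchall()

def lookup_safe(db, name):
    # Hardened: the value is bound as a parameter and is never parsed as SQL,
    # whatever characters it contains.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return db.execute(sql, (name,)).fetchall()

def validate_name(name):
    # Cluley's rule for a name field: at most 25 characters and no brackets.
    # Useful as defence in depth, but not a substitute for lookup_safe: a
    # short, bracket-free value can still carry SQL, as the probe below shows.
    return len(name) <= 25 and not re.search(r"[()\[\]{}<>]", name)

INJECTED = re.compile(r"<script[^>]*\bsrc=|<iframe\b", re.IGNORECASE)

def find_injected_rows(db, table, columns):
    # Detection for the clean-up Cluley describes: scan text columns for
    # script/iframe tags that a mass injection appends to every row. Table
    # and column names come from code, not from users, so the f-string is safe.
    hits = []
    for col in columns:
        for rowid, value in db.execute(f"SELECT rowid, {col} FROM {table}"):
            if isinstance(value, str) and INJECTED.search(value):
                hits.append((rowid, col))
    return hits

if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"           # constructed test input, no brackets
    print(lookup_unsafe(db, probe))  # both rows: the WHERE clause was rewritten
    print(lookup_safe(db, probe))    # []: no user is literally named that
```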

Still, despite the ease of prevention, the number of web-based attacks against legitimate websites has skyrocketed in the last few months. Sophos detected an average of 16,173 infected web pages a day in the first six months of 2008, three times that of last year. As this method has ramped up, email has declined as the preferred means of malware distribution.

“Last year one in 332 emails were malicious. This year it was down to one in 1,500,” says Cluley. “The web has become the battlefield.”

Botnet blitz

A surge in attacks in May led to the discovery that the Asprox botnet, previously used to run phishing scams, had reinvented itself as a director of SQL injection attacks. Thought to be responsible for the Sony attack, Asprox finds vulnerable sites via Google, then delivers an affiliate’s payload while simultaneously expanding its own network – effectively spreading like a worm. Secure gateway firm Finjan reports that during the first two weeks of July, Asprox compromised more than 1,000 sites.

The exponential scaling and high level of automation offered by such botnets means potentially any vulnerable site – government, private or business – will eventually be found and compromised; in fact, 90% of sites containing malicious code are legitimate, according to Sophos.

“These are genuine companies doing genuine business,” says Cluley. “It makes it hard to give common sense advice, because any site can be infected. In the old days we could just tell people to avoid risky sites like gambling and porn, but you can’t say things like ‘sites about bird watching are more likely to be infected’.”

The impact of each incident varies, and can be offset from the user perspective by disabling scripts and keeping web browsers updated. But for the compromised business “it’s hard to quantify the loss of reputation,” Cluley says. “And if a site belonging to a financial institution comes down, for example, you can imagine what that costs.”

Further reading:

Six month malware snapshot

* Call it the pre-Olympics clean up, but malware activity originating in China plummeted from 56% to 31%.
* The return of the polymorphic virus. These viruses take months to write and are very different to the usual conveyor-belt mass-produced rubbish. They are crafted by enthusiasts trying to impress anti-virus companies and each other, but the danger is that these people will be hired by criminal gangs, says Sophos’s Graham Cluley.
* Cross-platform and Apple-focused attacks are on the rise, taking advantage of Apple’s growing popularity and the security complacency of Mac users. “Windows users have been living in the blitz for years,” Cluley says.
* Emerging malware on mobile devices like the iPhone: as the device has no keyboard, users are more likely to click on web addresses in emails, increasing the likelihood of them falling prey to a phishing scam.