Drive By Hacking; A Story From the Field

I was at a customer site the other day conducting a bit of forensic analysis for an upcoming security TechWiseTV show. This customer was not happy about the SQL injection attacks some of his users were getting. He conducted training with his staff and end users, yet still, folks came back with bots, keyloggers, etc. He was angrier than a Chicago Cubs fan in October. Looking at what was going on, it appeared to be a classic drive-by download attack and not a SQL injection.

A drive-by works kinda like this: a hacker attacks a web server with a SQL injection to act as a man in the middle between the user-facing web application and the SQL database that supports it. Now a SQL injection can really do a lot of different things to get that database to present and do stuff it was not supposed to do. However, in this case, it was a classic ASPROX. It would transparently redirect the user to a hacker mirror that would launch a dark JavaScript to do a footprinting of the client machine. This is so common an attack that Sophos detected over 16K legitimate web pages hit with it in the first half of 2008. If you love math as much as I do, you can see that averages out to about one page every five seconds. That is 3x what it was in all of 2007! After the hacker site determined the type and patch level of the OS, it just launched a simple iFrame redirect to send the user to the server hosting the vuln exploiter for that OS. Simple, automated and transparent. Now that is goooood codin'!

In the end, we found that many of the users exploited would go to an online gaming site at lunchtime and play poker. Their machines would be patched up on Patch Tuesday, be OK for a bit, then all of a sudden these clients would bring back all kinds of nastyware to the LAN. Kinda like the malware version of the Circle of Life...sing it with me!!!
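As an added illustration (not code from the original post), here is a small Python check for the kind of injected content the story describes: script or iframe tags in a served page that point off-site or are hidden from the user. The sample HTML and the hostnames in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class InjectionScanner(HTMLParser):
    """Flag <script>/<iframe> tags that load from another host or are hidden.

    Injected drive-by content usually shows up as an off-site script or a
    zero-size / display:none iframe appended to otherwise legitimate HTML.
    """

    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "")
        host = urlparse(src).hostname  # None for relative or inline sources
        reasons = []
        if host and host.lower() != self.site_host:
            reasons.append("off-site src " + host)
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width", "").strip() in ("0", "1") or \
                   a.get("height", "").strip() in ("0", "1")
            if tiny or "display:none" in style or "visibility:hidden" in style:
                reasons.append("hidden iframe")
        if reasons:
            self.findings.append((tag, src, ", ".join(reasons)))


def scan_page(html, site_host):
    """Return the suspicious tags found in one served HTML page."""
    scanner = InjectionScanner(site_host)
    scanner.feed(html)
    return scanner.findings


# Constructed sample: a normal page whose database-backed text field has
# an off-site script appended, plus a hidden iframe to a placeholder host.
SAMPLE_HTML = """<html><head><script src="/js/app.js"></script></head>
<body><p>Welcome back!</p>
<script src="http://malicious-mirror.example/ngg.js"></script>
<iframe src="http://malicious-mirror.example/in.cgi" width=0 height=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_HTML, "shop.example"):
        print(finding)
```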
Their ASA was good at stopping this data from being delivered back to the Sith Lair of Hackerdom, but in the end we needed two things. First, understand the terms: clients were not being hit by SQL injection; they were indirectly attacked. Many hours of troubleshooting were lost due to terminology. And finally, my old steady as the Mediterranean, CSA, was immediately put to use on all clients. Now when we educated the end users, they understood what to look for. This customer really worked hard to solve this issue, but was not making any headway. Network security, a lot of times, is not like the movie Rudy. Heart does not matter as much as having a hacker mind. Gotta go, it is my turn to ante up...

Jimmy Ray


Copyright © 2008 IDG Communications, Inc.