January 17th, 2008 by Paul Ferguson (Advanced Threats Researcher)
Being an old-school network engineering flunky, with a heavy dose of network security discipline, it somehow never ceases to amaze me that people just don’t seem learn from their mistakes — or other people’s mistakes, as the case may be.
Almost five (5) years ago, the SQL Slammer worm should have made people realize that having these types of critical infrastructure resources accessible from the The Internet is just a really, really bad idea.
But apparently people just don’t seem to learn from the past.
Very recently, we have seen thousands of webpages which have been compromised via (suspected) SQL Injection attack, which in turn lead to web threats which put hundreds of thousands of potential Internet users at risk of being compromised.
The end-game here is that these unwitting users could be victimized via identity theft, credit card credential theft, or worse.
Today, we learn about a tool floating around in the “underground” called sqlmap:
sqlmap is an automatic SQL injection tool entirely developed in Python. It is capable to perform an extensive database management system back-end fingerprint, retrieve remote DBMS databases, usernames, tables, columns, enumerate entire DBMS, read system files and much more taking advantage of web application programming security flaws that lead to SQL injection vulnerabilities.
This is very bad news for a lot of websites who continue to allow their back-end SQL systems to be exposed to The Internet.
This is just a bad, bad practice and should be discouraged at every opportunity.
Ryan Naraine wrote back in mid-November 2007 on ZDNet’s “Zero Day” Blog that:
A survey by renowned database hacker David Litchfield has found a whopping 492,000 Microsoft SQL and Oracle database servers directly accessible to the Internet without firewall protection.
Litchfield, co-founder of Next Generation Security Software, ran port scans against 1,160,000 random IP addresses — TCP port 1433 (SQL Server) and 1521 (Oracle) — and found about 368,000 Microsoft SQL Servers directly accessible on the Internet and around 124,000 unprotected Oracle database servers.
You do the math — it all adds up to some really bad numbers in my book.
If organizations do not do more to protect their back-end systems, they will be compromised, and their brand name and business may suffer as a result.
Did I mention this is bad?
Clarification added (11:35 PST, 18 Jan. 2008): It appears that this SQL Injection tool accomplishes it’s work by finding and exploiting SQL Injection flaws on public-facing webpages which might contain, for instance, CGI forms — so that the SQL database server itself does not have to be directly, publicly accessible.
While this, of course, doesn’t negate the fact that SQL database servers still should not be publicly accessible, this puts additional focus on the need to ensure that public-facing webpages are properly & securely implemented.
“Fergie”, a.k.a. Paul Ferguson
Internet Security Intelligence
Advanced Threats Research
January 17th, 2008 by Robert McArdle (Threats Analyst)
Valentine’s Day (February 14th) is a day originally named after the two Christian martyrs who died over 1700 years ago. Nowadays, of course, it is a day of love, happiness, and men frantically trying at the last minute to find a florist that still has roses in stock. Since the 19th century’s introduction of greeting cards, Valentine’s Day has become more commercialised, and — for many companies — a huge source of revenue. Not known for being slow on the uptake, the malware industry has for years taken advantage of this holiday to huge effect. With less than a month to go (and with the obvious culprits already jumping the gun), here is short look back down memory lane at the Valentine’s Day malware of the 21st century:
- 2007: WORM_NUWAR.AAI
Storm again the culprit here, with an email containing a large set of subjects. This was before Storm really started to use links to sites with vulnerabilities, so attachments such as Greeting card.exe were the attack vector. An interesting trick used by the malware was to randomly generate the email address in the From field to come from one of the long list of girls’ names… everything from “Aldora” to “Zilya”. Maybe the authors thought that men would be the only ones foolish enough to open the attachment. Judging by the growth of the Storm botnet around that time, it appears they were right.
- 2006: WORM_BAGLE.EW
Spread via email with subjects such as “Will You Be My Valentine?” and “Love you with all my heart!”, this threat also included one of three romantic poems and a background full of images of the classic Valentine’s Day heart to entice the user to open the attached love_me.exe.
- 2005: WORM_KIPIS.E
Another mass-mailer with all the normal trimmings. Although they had normal attachments with names like Valentine.exe, other names such porno_03.exe were kind of missing the point of the holiday.
- 2003: TROJ_CUPIDCARD.A
This was actually a piece of adware instead of a mass-mailing worm. In addition to the normal, it would launch a clean file called “VALSDAY.EXE” that showed the following ecard:
- 2002: VBS_NUMGAME.A
Want to play a game? No, its not another awful SAW movie, but a good ol’ fashioned threat from the days before we even thought of the word “cybercrime”. Posing as a number-guessing game (hence the clever name) from your Valentine, this nasty little thing resets your system date…oh, and also deletes the contents of your hard drive.
- 2001: VBS_VALENTIN.A
Another “old-style threat” with a payload that is triggered on February 14th. All files on an affected machine are overwritten by a Spanish love note written by the malware author who is supposedly professing his love for “Davinia, the most beautiful girl in the world”. The author assures the users not to worry, as their files have not been infected by a virus, but merely “sacrified for the love I feel for Davinia”. Not very comforting to be honest.
So remember folks, although the Storm crew have already got the show on the road, they won’t be the only ones. So if you receive a romantic email over the next couple of weeks from an address you don’t recognise (or from one that you do, for that matter), for your sake I really do hope it’s from the Brad Pitt/Angelina Jolie look-alike who just started last week in the desk opposite yours.
However, it might be a good idea to just play safe and delete that email. After all, if they really did want to be your Valentine, they would be down in the florists frantically trying to buy those last roses.
January 17th, 2008 by Jasper Pimentel (Advanced Threats Researcher)
On January 15, Microsoft released Security Advisory (947563), which reports of a newly discovered vulnerability in Microsoft Excel. This vulnerability allows a remote user to execute code on the affected system once the victim opens a specially crafted Excel file with malformed headers.
This vulnerability affects the following software:
- Microsoft Office Excel 2003 Service Pack 2
- Microsoft Office Excel Viewer 2003
- Microsoft Office Excel 2002
- Microsoft Office Excel 2000
- Microsoft Excel 2004 for Mac
According to Microsoft, “At this time, we are aware only of targeted attacks that attempt to use this vulnerability.” Note that this vulnerability is still under investigation. Although the risk at this time seems to be limited, it is highly probable that malicious authors are already trying to exploit this vulnerability, knowing especially that Office documents can be effective vectors of infection for malicious attacks. Users should be extra vigilant of Office files that they receive from untrusted sources or that are received unexpectedly from trusted sources.
More information about this vulnerability can be found on this site:
