Drive-by download attacks menace UK.gov

No one is safe

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities, typically SQL injection flaws, to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

Hackers crawl for victims using automated tools

Tools such as Asprox are used to search for vulnerable websites to use in these drive-by download attacks. The Asprox attack toolkit has been around for years but has become associated with a surge of mass web attacks that started around two months ago in May 2008, Finjan reports.

During the first two weeks of July Finjan detected more than a thousand compromised websites hit by the attack including the official site of the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, the Queensland government in Australia, BMW in Mexico and soft drink firm Snapple. Governmental (13 per cent) and healthcare (12 per cent) sites feature heavily in the list of compromised domains. UK sites compromised by the attack include an NHS website in Norfolk and 12 local council websites including Hackney Council.

Conventional advice that surfers are relatively safe providing they stay away from smut and warez sites has become redundant in the face of SQL injection attacks using tools like Asprox. The toolkit is programmed to search Google for vulnerable webpages. It then launches SQL injection attacks in order to add a reference to a malware file using the iFrame tag.

Asprox is one example of a tool used to carry out drive-by download attacks. It is not a virus as such, contrary to reports in the mainstream media. The Times, while incorrectly referring to Asprox as a virus, does shed light on the real impact of attacks made using the tool.

Detective Constable Bob Burls, of the Metropolitan Police computer crime unit, told the paper that the tool is associated with a sudden upswing in web-based infections. "The virus got into the job pages of a local council’s internet page," he said. "It’s a new thing that people who visit mainstream websites are clobbered. We’ve dealt with two major websites in as many weeks."

The effect of drive-by download attacks is illustrated by cases where Trojans planted using the technique are used to compromise online bank accounts.

Ben Taylor, an engineer from South London, told The Times that £560 was fraudulently taken from his bank account this month by malware associated with Asprox. “I only use the internet a few times a week and didn’t look at anything dodgy,” he said. “It’s scary to think that a criminal was controlling my computer. I’ve got rid of it now.”

Clean-up

Sophos reports that firms which have been hit by SQL injection attacks purge the infected code from the database that runs their website but fail to address the underlying vulnerability. As a result they end up getting infected again only a few hours later. Seven in 10 website compromises are associated with SQL injection attacks, according to Graham Cluley, senior technology consultant at Sophos.
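As an added illustration, not code from the article or from Sophos or Finjan, this shows the two halves of what the article describes: a query that pastes input into SQL text beside its parameterised fix, and a scan of stored page content for injected iframe references, together with the purge step that on its own leaves the site open to re-infection. The pages table, its rows and the malware.example URL are constructed sample data.

```python
import re
import sqlite3
# Constructed sample rows for a small site database of the kind the 2008 mass
# SQL injection campaigns hit; the iframe row and its URL are made up here.
SAMPLE_ROWS = [
    ("About us", "Welcome to the council jobs page."),
    ("Vacancies", 'Apply online.<iframe src="http://malware.example/x.js" '
                  'width=0 height=0></iframe>'),
    ("Contact", "Call us <b>today</b>."),
]
IFRAME_RE = re.compile(r'<iframe[^>]*src=["\']?(https?://[^"\'\s>]+)', re.IGNORECASE)

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages (title, body) VALUES (?, ?)", SAMPLE_ROWS)
    return conn

def find_page_vulnerable(conn, title):
    # Injectable: the caller's string is pasted into the SQL text and parsed as SQL.
    return conn.execute("SELECT body FROM pages WHERE title = '%s'" % title).fetchall()

def find_page_fixed(conn, title):
    # Parameterised: the value is bound as data and never reaches the SQL parser.
    return conn.execute("SELECT body FROM pages WHERE title = ?", (title,)).fetchall()

def input_reaches_sql_parser(conn, title):
    """True when the vulnerable query parses the input as SQL (an apostrophe suffices)."""
    try:
        find_page_vulnerable(conn, title)
        return False
    except sqlite3.OperationalError:
        return True

def scan_for_injected_iframes(conn):
    """Detection: (row id, src URL) for every stored body carrying an external iframe."""
    return [(row_id, m.group(1))
            for row_id, body in conn.execute("SELECT id, body FROM pages")
            for m in IFRAME_RE.finditer(body)]

def purge_injected_iframes(conn):
    """The clean-up the article describes; it removes the payload, not the injectable query."""
    cleaned = 0
    for row_id, body in conn.execute("SELECT id, body FROM pages").fetchall():
        stripped = re.sub(r"<iframe[^>]*>.*?</iframe>", "", body, flags=re.I | re.S)
        if stripped != body:
            conn.execute("UPDATE pages SET body = ? WHERE id = ?", (stripped, row_id))
            cleaned += 1
    return cleaned
```

Running the scan again after a purge comes back clean, but the same title lookup still hands input to the SQL parser until find_page_vulnerable is replaced by the parameterised version.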

"Compromised websites are across the range from mom and pop shops to government websites. There are valid reasons for search engines to allow searches for terms associated with these attacks and it would be hard to eliminate at that end. It's up to firms to make their sites more secure but unfortunately this is not easy because organisations need to test before applying patches to sites," Cluley explained. ®
