Drive-by download attacks menace UK.gov

No one is safe

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers exploit site vulnerabilities - typically via SQL injection - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

Hackers crawl for victims using automated tools

Tools such as Asprox are used to search for vulnerable websites to use in these drive-by download attacks. The Asprox attack toolkit has been around for years but has become associated with a surge of mass web attacks that started around two months ago in May 2008, Finjan reports.

During the first two weeks of July Finjan detected more than a thousand compromised websites hit by the attack including the official site of the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, the Queensland government in Australia, BMW in Mexico and soft drink firm Snapple. Governmental (13 per cent) and healthcare (12 per cent) sites feature heavily in the list of compromised domains. UK sites compromised by the attack include an NHS website in Norfolk and 12 local council websites including Hackney Council.

Conventional advice that surfers are relatively safe provided they stay away from smut and warez sites has become redundant in the face of SQL injection attacks using tools like Asprox. The toolkit is programmed to search Google for vulnerable webpages. It then launches SQL injection attacks in order to add a reference to a malware file using an iframe tag.

Asprox is one example of a tool used to carry out drive-by download attacks. It is not a virus as such, contrary to reports in the mainstream media. The Times, while incorrectly referring to Asprox as a virus, does shed light on the real impact of attacks made using the tool.

Detective Constable Bob Burls, of the Metropolitan Police computer crime unit, told the paper that the tool is associated with a sudden upswing in web-based infections. "The virus got into the job pages of a local council’s internet page," he said. "It’s a new thing that people who visit mainstream websites are clobbered. We’ve dealt with two major websites in as many weeks."

The effect of drive-by-download attacks is illustrated by cases where Trojans planted using the technique are used to compromise online bank accounts.

Ben Taylor, an engineer from South London, told The Times that £560 was fraudulently taken from his bank account this month by malware associated with Asprox. “I only use the internet a few times a week and didn’t look at anything dodgy,” he said. “It’s scary to think that a criminal was controlling my computer. I’ve got rid of it now.”

Clean-up

Sophos reports that firms which have been hit by SQL injection attacks purge the infected code from the database that runs their website but fail to address the underlying vulnerability. As a result they end up getting infected again only a few hours later. Seven in 10 website compromises are associated with SQL injection attacks, according to Graham Cluley, senior technology consultant at Sophos.

"Compromised websites are across the range from mom and pop shops to government websites. There are valid reasons for search engines to allow searches for terms associated with these attacks and it would be hard to eliminate at that end. It's up to firms to make their sites more secure but unfortunately this is not easy because organisations need to test before applying patches to sites," Cluley explained. ®
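The two halves of the story above - an injectable query that lets an attacker write an iframe reference into a site's database, and a clean-up that purges the injected markup without closing the hole - can be shown side by side in a small self-contained script. This is an added example written for this page; it is not code from Sophos, Finjan, The Register or the Asprox toolkit. The `pages` table, its three rows, the `malware.invalid` host and the `allowed_hosts` list are all constructed for the demonstration.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample data (not taken from the article): a tiny "pages" table of
# the kind a small CMS drives a website from. Rows 2 and 3 carry an injected
# iframe/script reference, which is the effect the article attributes to Asprox.
SAMPLE_ROWS = [
    (1, "jobs", "Vacancies at the council.<p>Apply online.</p>"),
    (2, "news", 'Council news.<iframe src="http://malware.invalid/x.js" width=0 height=0></iframe>'),
    (3, "contact", 'Phone 0000 for details.<script src="http://malware.invalid/s.js"></script>'),
]

# Hypothetical list of hosts the site is allowed to load script/iframe content from.
ALLOWED_HOSTS = {"www.example-council.invalid"}


def build_db():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, slug TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_vulnerable(conn, slug):
    """The underlying vulnerability: user input is concatenated into the SQL text,
    so a crafted slug changes the statement instead of being matched as data."""
    sql = "SELECT id FROM pages WHERE slug = '" + slug + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn, slug):
    """The fix: the slug is bound as a parameter and can never alter the statement.
    Purging injected markup without this change leaves the site open to reinfection."""
    return [row[0] for row in conn.execute("SELECT id FROM pages WHERE slug = ?", (slug,))]


# Matches <iframe ...src=URL or <script ...src=URL with an absolute http(s) URL.
INJECTED_REF = re.compile(
    r"<(iframe|script)\b[^>]*\bsrc\s*=\s*['\"]?(https?://[^'\" >]+)", re.I
)


def scan_for_injected_refs(conn, allowed_hosts):
    """Clean-up helper: return (id, slug, tag, url) for every stored body that
    references an external iframe/script source not in allowed_hosts."""
    hits = []
    for page_id, slug, body in conn.execute("SELECT id, slug, body FROM pages"):
        for match in INJECTED_REF.finditer(body):
            tag, url = match.group(1).lower(), match.group(2)
            if urlparse(url).hostname not in allowed_hosts:
                hits.append((page_id, slug, tag, url))
    return hits


def demo():
    """Run both lookups with a classic tautology input and scan the stored content."""
    conn = build_db()
    probe = "x' OR '1'='1"
    return {
        "vulnerable": lookup_vulnerable(conn, probe),  # every row comes back
        "safe": lookup_safe(conn, probe),              # no row has that literal slug
        "injected": scan_for_injected_refs(conn, ALLOWED_HOSTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The scan is the part of clean-up that finds the rows to purge; `lookup_safe` is the part that stops the same rows being reinfected a few hours later, which is the step the article says firms skip. Running the scan against stored content (rather than rendered pages) also catches references that a browser would only trigger on a page nobody has visited yet.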
