Drive-by download attacks menace UK.gov

No one is safe

The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities - typically SQL injection attacks - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

Hackers crawl for victims using automated tools

Tools such as Asprox are used to search for vulnerable websites to use in these drive-by download attacks. The Asprox attack toolkit has been around for years but has become associated with a surge of mass web attacks that started around two months ago in May 2008, Finjan reports.

During the first two weeks of July Finjan detected more than a thousand compromised websites hit by the attack including the official site of the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, the Queensland government in Australia, BMW in Mexico and soft drink firm Snapple. Governmental (13 per cent) and healthcare (12 per cent) sites feature heavily in the list of compromised domains. UK sites compromised by the attack include an NHS website in Norfolk and 12 local council websites including Hackney Council.

Conventional advice that surfers are relatively safe provided they stay away from smut and warez sites has become redundant in the face of SQL injection attacks using tools like Asprox. The toolkit is programmed to search Google for vulnerable webpages. It then launches SQL injection attacks in order to add a reference to a malware file using the iFrame tag.

Asprox is one example of a tool used to carry out drive-by download attacks. It is not a virus as such, contrary to reports in the mainstream media. The Times, while incorrectly referring to Asprox as a virus, does shed light on the real impact of attacks made using the tool.

Detective Constable Bob Burls, of the Metropolitan Police computer crime unit, told the paper that the tool is associated with a sudden upswing in web-based infections. "The virus got into the job pages of a local council’s internet page," he said. "It’s a new thing that people who visit mainstream websites are clobbered. We’ve dealt with two major websites in as many weeks."

The effect of drive-by-download attacks is illustrated by cases where Trojans planted using the technique are used to compromise online bank accounts.

Ben Taylor, an engineer from South London, told The Times that £560 was fraudulently taken from his bank account this month by malware associated with Asprox. “I only use the internet a few times a week and didn’t look at anything dodgy,” he said. “It’s scary to think that a criminal was controlling my computer. I’ve got rid of it now.”

Clean-up

Sophos reports that firms which have been hit by SQL injection attacks purge the injected code from the database that runs their website but fail to address the underlying vulnerability. As a result they end up getting infected again only a few hours later. Seven in 10 website compromises are associated with SQL injection attacks, according to Graham Cluley, senior technology consultant at Sophos.
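The two points above, the injection planting an iframe reference through an unparameterised query and the clean-up that removes the iframe but leaves the query unfixed, can be shown together in one small simulation. The code below is an added example written for this page; it is not code from The Register, Sophos, Finjan or the Asprox toolkit. It assumes a content table in an in-memory SQLite database, a constructed site hostname (`council.example`) and a reserved placeholder host (`placeholder.invalid`) standing in for the malware file reference; the title-update function, the iframe scanner and the purge routine are all hypothetical.

```python
import re
import sqlite3
from urllib.parse import urlparse

SITE_HOST = "council.example"  # the site's own hostname (constructed for this example)

# Constructed stand-in for the off-site malware reference the article describes.
# The host is a reserved placeholder, not a real domain.
INJECTED_IFRAME = ('<iframe src="http://placeholder.invalid/load.html" '
                   'width="0" height="0"></iframe>')

# Constructed input of the SQL injection class the article describes: the quote closes
# the title literal, the rest appends the iframe to every page body, and "--" comments
# out the remainder of the original statement.
MALICIOUS_TITLE = "Jobs', body = body || '" + INJECTED_IFRAME + "' WHERE 1 = 1 -- "


def make_site():
    """In-memory content database with three constructed pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO pages (id, title, body) VALUES (?, ?, ?)",
        [(1, "Home", "<p>Welcome</p>"),
         (2, "Jobs", "<p>Vacancies</p>"),
         (3, "Contact", '<iframe src="http://council.example/map"></iframe>')],
    )
    conn.commit()
    return conn


def update_title_vulnerable(conn, page_id, new_title):
    # The statement is assembled with string formatting, so the caller's text becomes SQL.
    conn.execute("UPDATE pages SET title = '%s' WHERE id = %d" % (new_title, page_id))
    conn.commit()


def update_title_safe(conn, page_id, new_title):
    # Bound parameters: the driver passes the title as data, never as SQL.
    conn.execute("UPDATE pages SET title = ? WHERE id = ?", (new_title, page_id))
    conn.commit()


# Matches an iframe tag, capturing its src, and swallows the closing tag if present.
IFRAME_RE = re.compile(
    r"<iframe\b[^>]*?\bsrc\s*=\s*['\"]?([^'\"\s>]+)[^>]*>(?:.*?</iframe>)?",
    re.IGNORECASE | re.DOTALL,
)


def _off_site(url):
    host = urlparse(url).hostname
    return host is not None and host.lower() != SITE_HOST


def find_injected_iframes(conn):
    """Return (page_id, src) for every iframe whose src points away from the site's own host."""
    hits = []
    for page_id, body in conn.execute("SELECT id, body FROM pages ORDER BY id"):
        for m in IFRAME_RE.finditer(body):
            if _off_site(m.group(1)):
                hits.append((page_id, m.group(1)))
    return hits


def purge_injected_iframes(conn):
    """The clean-up step the article describes: strip off-site iframes from stored content."""
    for page_id, body in conn.execute("SELECT id, body FROM pages").fetchall():
        cleaned = IFRAME_RE.sub(lambda m: "" if _off_site(m.group(1)) else m.group(0), body)
        if cleaned != body:
            conn.execute("UPDATE pages SET body = ? WHERE id = ?", (cleaned, page_id))
    conn.commit()


def reinfection_demo(fix_the_query):
    """Infect, purge, then let the same automated request hit the site a second time.

    Returns (hits after first injection, hits after purge, hits after the second request).
    """
    conn = make_site()
    update_title_vulnerable(conn, 2, MALICIOUS_TITLE)
    first = len(find_injected_iframes(conn))
    purge_injected_iframes(conn)
    after_purge = len(find_injected_iframes(conn))
    update = update_title_safe if fix_the_query else update_title_vulnerable
    update(conn, 2, MALICIOUS_TITLE)
    again = len(find_injected_iframes(conn))
    return first, after_purge, again


if __name__ == "__main__":
    print("purge only :", reinfection_demo(fix_the_query=False))  # (3, 0, 3)
    print("purge + fix:", reinfection_demo(fix_the_query=True))   # (3, 0, 0)
```

The scanner flags only iframes whose host differs from the site's own, so the legitimate map embed on the contact page survives the purge. With the query left unparameterised the same request re-plants the reference on every page immediately after clean-up, which is the few-hours reinfection cycle Sophos describes; with bound parameters the hostile text is simply stored as an odd-looking title and no page body changes.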

"Compromised websites are across the range from mom and pop shops to government websites. There are valid reasons for search engines to allow searches for terms associated with these attacks and it would be hard to eliminate at that end. It's up to firms to make their sites more secure but unfortunately this is not easy because organisations need to test before applying patches to sites," Cluley explained. ®
