
Drive-by download attacks menace UK.gov

No one is safe


The number of drive-by download attacks has tripled and they are beginning to affect government websites as well as small business operations.

Malicious downloads from compromised websites have replaced infected email attachments as the favourite tactic for malware authors. During the first half of 2008, web security firm Sophos detected 16,173 malicious webpages every day – or one every five seconds. The rate at which infected websites spring up is three times faster than during 2007.

Nine in 10 of these infected webpages are legitimate websites. Hackers use site vulnerabilities - typically SQL injection attacks - to plant malicious scripts on vulnerable targets. These scripts then serve up malware onto the machines of surfers by exploiting browser security holes.

Hackers crawl for victims using automated tools

Tools such as Asprox are used to search for vulnerable websites to use in these drive-by download attacks. The Asprox attack toolkit has been around for years but has become associated with a surge of mass web attacks that started around two months ago in May 2008, Finjan reports.

During the first two weeks of July Finjan detected more than a thousand compromised websites hit by the attack including the official site of the government of the City and County of San Francisco, Microsoft acquisition target atmdt.com, the Queensland government in Australia, BMW in Mexico and soft drink firm Snapple. Governmental (13 per cent) and healthcare (12 per cent) sites feature heavily in the list of compromised domains. UK sites compromised by the attack include an NHS website in Norfolk and 12 local council websites including Hackney Council.

Conventional advice that surfers are relatively safe providing they stay away from smut and warez sites has become redundant in the face of SQL injection attacks using tools like Asprox. The toolkit is programmed to search Google for vulnerable webpages. It then launches SQL injection attacks in order to add a reference to a malware file using the iFrame tag.

Asprox is one example of a tool used to carry out drive-by download attacks. It is not a virus as such, contrary to reports in the mainstream media. The Times, while incorrectly referring to Asprox as a virus, does shed light on the real impact of attacks made using the tool.

Detective Constable Bob Burls, of the Metropolitan Police computer crime unit, told the paper that the tool is associated with a sudden upswing in web-based infections. "The virus got into the job pages of a local council’s internet page," he said. "It’s a new thing that people who visit mainstream websites are clobbered. We’ve dealt with two major websites in as many weeks."

The effect of drive-by-download attacks is illustrated by cases where Trojans planted using the technique are used to compromise online bank accounts.

Ben Taylor, an engineer from South London, told The Times that £560 was fraudulently taken from his bank account this month by malware associated with Asprox. “I only use the internet a few times a week and didn’t look at anything dodgy,” he said. “It’s scary to think that a criminal was controlling my computer. I’ve got rid of it now.”

Clean-up

Sophos reports that firms which have been hit by SQL injection attacks purge the infected code from the database that runs their website but fail to address the underlying vulnerability. As a result they end up getting infected again only a few hours later. Seven in 10 website compromises are associated with SQL injection attacks, according to Graham Cluley, senior technology consultant at Sophos.
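The gap between purging and fixing can be shown on a toy content database. The sketch below is an added example, not code from Sophos or from this article: it finds and strips injected remote iframe/script tags from stored text, then shows that a lookup built by string concatenation is still injectable after the purge while a parameterised one is not. The table, function names and `malware.example` host are constructed for illustration.

```python
import re
import sqlite3

# Constructed sample: the kind of hidden iframe a mass SQL injection appends.
INJECTED = '<iframe src="http://malware.example/x" width=0 height=0></iframe>'

# Script/iframe tags that load from a remote host, with optional closing tag.
REMOTE_TAG = re.compile(
    r'<(script|iframe)\b[^>]*\bsrc\s*=\s*["\']?https?://[^>]*>(\s*</\1>)?',
    re.IGNORECASE)

def make_db():
    """Build an in-memory stand-in for the site's content database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE jobs (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO jobs (title) VALUES (?)",
                   [("Planning officer",), ("Librarian" + INJECTED,)])
    return db

def find_infected(db):
    """Return ids of rows whose stored text carries a remote script/iframe."""
    rows = db.execute("SELECT id, title FROM jobs ORDER BY id").fetchall()
    return [rid for rid, title in rows if REMOTE_TAG.search(title)]

def purge(db):
    """Clean-up only: strip the injected tags from stored content."""
    for rid, title in db.execute("SELECT id, title FROM jobs").fetchall():
        db.execute("UPDATE jobs SET title = ? WHERE id = ?",
                   (REMOTE_TAG.sub("", title), rid))

def lookup_vulnerable(db, job_id):
    # Request value concatenated into the statement: still injectable after purge.
    return db.execute("SELECT title FROM jobs WHERE id = " + job_id).fetchall()

def lookup_fixed(db, job_id):
    # Bound parameter: the value is treated as data, never as SQL syntax.
    return db.execute("SELECT title FROM jobs WHERE id = ?", (job_id,)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print("infected rows before purge:", find_infected(db))
    purge(db)
    print("infected rows after purge:", find_infected(db))
    probe = "1 OR 1=1"  # benign tautology: shows input is parsed as SQL
    print("vulnerable lookup rows:", len(lookup_vulnerable(db, probe)))
    print("parameterised lookup rows:", len(lookup_fixed(db, probe)))
```

A clean scan after the purge says nothing about whether the query that let the tag in has been fixed; only the parameterised lookup closes that path.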

"Compromised websites are across the range from mom and pop shops to government websites. There are valid reasons for search engines to allow searches for terms associated with these attacks and it would be hard to eliminate at that end. It's up to firms to make their sites more secure but unfortunately this is not easy because organisations need to test before applying patches to sites," Cluley explained. ®
