Search My Blog

Thursday, June 16, 2011

New Injection Attack: 30,000 Websites? -

New Injection Attack: 30,000 Websites?

Over the last several years SQL injection has become one of the most common types of Web attack. According to security vendor Armorize, there is a new type of injection attack now on the horizon that may end up being even more widespread and dangerous. In fact, Amorize estimates that as many as 30,000 website might already be infected.

Mass meshing is a new type of redirection attack that differs from SQL injection in a number of critical ways. The most damaging difference is how users can mitigate the risks of a SQL injection versus the difficulties of defending against a Mass Meshing attack.

"The mass mesh victim sites are injected with JavaScript, but not to a small set of malicious redirectors, they are injected with malicious JavaScript that point to each other in a mesh," Wayne Huang, CTO at Armorize told "So the infected websites themselves are re-directors."

The mass mesh approach is in contrast with a traditional SQL injection attack where the site is injected with a malicious script that includes a redirector to a harmful domain. Those harmful domains can then just be blacklisted as a means of defense. With mass meshing, since the meshed sites are legitimate and always changing, it's significantly more difficult to simply block URLs.

With SQL injection, an attacker exploits some kind of SQL flaw in order to inject code. With mass meshing, Huang said the attacker is in complete control of a website.

"So we believe this injection is not SQL but rather is done through control of infected sites using an automated FTP program," Huang said.

Huang suspects that the attackers have somehow gained access to site login credentials, which are then used by the FTP program to access the site and inject the mass meshing script.

"Some may have obtained access through shared hosting vulnerabilities, but also through Web admins that have been infected with other malware," Huang said. "There is also malware that sniffs FTP traffic."

If a site admin connects to their server through an unencrypted FTP link, someone else on the wire can "sniff" the password. Huang admitted it's not entirely clear how site access was obtained. He also noted that he hasn't yet been able to examine site logs for infected sites to try and positively identify the source IP or route taken by the mass meshing injection attackers.


What next?!:O


No comments: