Foreign Web Attacks Change Security Paradigm

Traditional security systems may be ineffective and become obsolete in warding off Web attacks launched by countries, according to Val Smith, founder of Attack Research. New attack trends include blog spam and SQL injections from Russia and China, Smith said during his talk at the Source Boston Security Showcase on Friday.

"Client-side attacks are where the paradigm is going," Smith said. "Monolithic security systems no longer work."

Hackers use Web browsers as exploitation tools to spread malware and collect sensitive information. Smith used examples from clients of his company, which analyzes and researches computer attacks, to demonstrate the threat posed by blog spam and SQL attacks.

Attackers targeted high-traffic sites with blog spam and posted comments on blogs, he said. The comments looked odd and tended to have non-English phrases placed in large blocks of text with random words hyperlinked, he said. Clicking on such links took users to sites that seemed like blogs but were pages loaded with malware, Smith said.

A Chinese bank owned the domains for each malware site, but the IP (Internet Protocol) addresses traced to Germany. Studying the links revealed that each one contained words in Russian or Romanian, said Smith. By placing an international spin on their nefarious activities, the hackers hoped to confuse anyone investigating their work, he said.

"How are you going to track these back to the bad guys?" he said, noting that tracking is complicated by language barriers, working with foreign law organizations and dealing with countries "that just may not want to talk to us."

While the goals of blog spam attacks remain unclear, Smith said financial incentives serve as motivation. Adware installed after a user visits an infected site nets a hacker money, as does clicking on an advertisement on the page. Other hackers are looking to expand their botnets, or networks of compromised machines used for malevolent purposes.

Smith's investigation traced the attacks to a home DSL account in Russia. The international nature of the incident made prosecution unlikely, he said.

The SQL injection attack Smith discussed originated in China and attempted to steal information on the businesses that visited the Web site of the company, which was Smith's client.

Hackers first launched a SQL injection and uploaded a back door that allowed them to take control of the system.

Additional SQL injections failed, so the hackers searched the system for another exploit. They found a library application that allows images to be uploaded. Hackers uploaded a GIF file with a line of code contained in the image. The computer system read the GIF tag and uploaded the photo and automatically executed the code.

Hackers "targeted an app that is custom-written, in-house, and launched a specific attack against that app," Smith said.

Hackers eventually placed "iFrame" HTML code on every page of the company's Web site. The iFrames redirected the victim's browser to a server that infects the computer using a tool called "MPack." This tool profiled a victim's OS and browser and launched attacks based on that information.

The result is that victims are getting hit with multiple attacks, said Smith.

Today, SQL injection attacks are the top threat to Web security, said Ryan Barnett, director of application security at Breach Security, in an interview separate from the conference.

Last year, cybercriminals began unleashing massive Web attacks that have compromised more than 500,000 Web sites, according to the security vendor.

"They started off in January and went through essentially the whole year," said Barnett. Previously, crafting a SQL injection attack took time, but last year attackers created worm code that could automatically seek out and break into hundreds of thousands of sites very quickly.

Now, instead of stealing data from the hacked Web sites, the bad guys are increasingly turning around and planting malicious scripts that attack the site's visitors. "Now the site is becoming a malware depot," he said.

(Bob McMillan in San Francisco contributed to this report.)

Subscribe to the Security Watch Newsletter

Comments