Mass Attack - March Madness?

Posted by Gunter Ollmann on March 13, 2008 at 12:58 PM EDT.

I’m hoping you’ve all been following the latest mass web defacement and have ensured that your desktop systems are fully patched, and that you’re running a good anti-virus solution (with latest updates) because, if you’re not, it’s not particularly safe to be browsing the Web today – even browsing your favorite “safe” sites.

There have been a number of news articles about the mass defacements, and some analysis of the infection vectors. In general, “more of the same” from an iFrame malware infection perspective (another JavaScript (.js) file hosted on a source server in China), but I guess what makes this interesting (enough so that I’ve resorted to blogging about it) is the nature of the mass Web server/content compromise.

At last count there were around 10,000 affected sites (with that number decreasing by the hour as the altered content is removed and the compromise vector shut down), compromised through what initially appears to have been a combined IIS+ASP+SQL vector (which matches the vector reported for the infamous Super Bowl attack). Could this be the same group of criminals conducting both attacks? To my mind there is a high probability, but then again, there was more than enough information posted about the last attacks that most script-kiddies could launch the same attack (this is trivial stuff).
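As an added illustration (this is not code from the original post, and the payload is not the one used in the attacks described), the following Python/sqlite3 snippet shows the shape of weakness a combined ASP+SQL vector implies when it is SQL injection into a dynamically built query: a request parameter pasted into SQL text lets an attacker stack an UPDATE that appends a script tag to every stored page, which is exactly how one injection turns into a site-wide defacement. The parameterised version beside it binds the same input as a value and changes nothing, and find_injected is the kind of check a site owner would run to confirm the altered content is gone. The table layout, the sample rows and the http://example.invalid URL are all constructed for the example.

```python
import sqlite3

# Constructed sample content for a small site; not data from any compromised site.
SAMPLE_PAGES = [
    (1, "Welcome", "Welcome to our store."),
    (2, "Contact", "Call us on the number below."),
]

# Placeholder for the remote script an injected tag would pull in. The actual
# hosted .js from the attacks is deliberately not reproduced here.
INJECTED_TAG = '<script src="http://example.invalid/x.js"></script>'

# Attacker-supplied value for the `id` request parameter (constructed). The intended
# SELECT is followed by a stacked UPDATE that appends the tag to every row's body.
# SQLite concatenates strings with ||; other engines use their own operator.
PAYLOAD = "1; UPDATE pages SET body = body || '" + INJECTED_TAG + "'"


def fresh_db():
    """Build an in-memory database holding the sample pages."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, page_id):
    """Classic-ASP-style query building: the request parameter becomes SQL text.

    executescript() is used because it runs every statement in the string, which is
    the behaviour a stacked-statement payload depends on. Nothing is returned; the
    attacker does not need the SELECT's rows, only the UPDATE's side effect."""
    sql = "SELECT title, body FROM pages WHERE id = " + page_id
    conn.executescript(sql)


def lookup_safe(conn, page_id):
    """Parameterised query: the driver binds page_id as a value, never as SQL text.

    With the payload above this simply matches no row and modifies nothing."""
    cur = conn.execute("SELECT title, body FROM pages WHERE id = ?", (page_id,))
    return cur.fetchall()


def find_injected(conn, marker="<script"):
    """Remediation check: ids of rows whose stored title or body carries a script tag."""
    pattern = "%" + marker + "%"
    rows = conn.execute(
        "SELECT id FROM pages WHERE title LIKE ? OR body LIKE ? ORDER BY id",
        (pattern, pattern),
    ).fetchall()
    return [row[0] for row in rows]


def demo():
    """Run the payload through both versions and report what each left in the table."""
    vuln = fresh_db()
    lookup_vulnerable(vuln, PAYLOAD)          # every row now carries the script tag
    safe = fresh_db()
    rows = lookup_safe(safe, PAYLOAD)         # bound as a value: no match, no change
    return {
        "vulnerable_injected_ids": find_injected(vuln),
        "safe_rows_returned": rows,
        "safe_injected_ids": find_injected(safe),
    }


if __name__ == "__main__":
    print(demo())
```

The point of find_injected is that cleaning up after an attack like this is a data problem, not just a code problem: fixing the query stops the next injection, but every row the UPDATE touched still serves the tag until it is found and restored.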

A point worth making about this mass attack (and most other mass attacks) is that they begin with reconnaissance to identify the vulnerable targets well in advance of the actual attack – and, in some cases, a scaled down “proof-of-concept” attack may precede the ‘biggie’ by a few weeks.

In most cases the reconnaissance can be detected using current generation security tools – but the weakness in stopping the actual mass attack lies in the transition from alert to action. Basically, the tools raise the alert, but it’s down to the fleshware operator to understand its significance and take action in fixing the underlying vulnerabilities. To help combat this, I’d recommend organizations look closely at their helpdesk ticketing systems to make sure that reconnaissance events like this don’t get lost and are tracked to a remediation conclusion.
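One way to make the alert-to-action step concrete, added here as an example rather than anything from the original post or from a particular product, is to run the web server's own access logs through a small probe detector and collapse what it finds into one tracked item per source and target script, so that the reconnaissance does not get lost among individual alerts. The log lines below are constructed in common log format for the example, the indicator list is a generic set of SQL-injection tell-tales (single quote, stacked statements, UNION SELECT, CAST(, SQL comments) rather than any attack's actual signature, and the ticket threshold of two probes per (source, script) pair is an assumed tuning value.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Constructed access-log lines in common log format. These are not real logs from
# the attacks the post describes; 203.0.113.x and 198.51.100.x are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2008:02:14:01 -0400] "GET /news.asp?id=12 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2008:02:14:03 -0400] "GET /news.asp?id=12' HTTP/1.1" 500 1803
203.0.113.7 - - [10/Mar/2008:02:14:05 -0400] "GET /news.asp?id=12;declare+@s+varchar(100) HTTP/1.1" 500 1803
203.0.113.7 - - [10/Mar/2008:02:14:09 -0400] "GET /news.asp?id=12+union+select+1,2,3-- HTTP/1.1" 500 1803
198.51.100.4 - - [10/Mar/2008:02:15:11 -0400] "GET /news.asp?id=13 HTTP/1.1" 200 5098
198.51.100.4 - - [10/Mar/2008:02:15:14 -0400] "GET /search.asp?q=o'neil HTTP/1.1" 200 4410
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Generic indicators applied to the URL-decoded query string (assumed set, not a
# signature of any specific attack). A lone quote is weak on its own, which is why
# the ticket logic below needs repeated hits before it opens anything.
INDICATORS = [
    ("quote", re.compile(r"'")),
    ("stacked", re.compile(r";\s*(declare|exec|update|insert)\b", re.I)),
    ("union", re.compile(r"\bunion\b.*\bselect\b", re.I)),
    ("cast", re.compile(r"\bcast\s*\(", re.I)),
    ("comment", re.compile(r"--|/\*")),
]

TICKET_THRESHOLD = 2  # assumed: probes per (source, script) before a ticket is opened


def parse_line(line):
    """Split one common-log-format line into its fields; None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = unquote_plus(parts.query)   # decode %xx and '+' before matching
    rec["status"] = int(rec["status"])
    return rec


def classify(rec):
    """Names of the indicators present in the decoded query string, in list order."""
    return [name for name, rx in INDICATORS if rx.search(rec["query"])]


def find_probes(log_text):
    """One event per request whose query string trips at least one indicator."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            events.append({"ip": rec["ip"], "path": rec["path"], "ts": rec["ts"],
                           "status": rec["status"], "indicators": hits})
    return events


def open_tickets(events, threshold=TICKET_THRESHOLD):
    """Collapse probe events into one remediation item per (source, script).

    Server errors (5xx) are counted separately because a probe that breaks the
    page is stronger evidence that the script really builds SQL from the input."""
    tickets = {}
    for ev in events:
        key = (ev["ip"], ev["path"])
        t = tickets.setdefault(key, {"events": 0, "server_errors": 0,
                                     "first_seen": ev["ts"], "last_seen": ev["ts"],
                                     "indicators": set(), "status": "open"})
        t["events"] += 1
        if ev["status"] >= 500:
            t["server_errors"] += 1
        t["last_seen"] = ev["ts"]
        t["indicators"].update(ev["indicators"])
    return {k: v for k, v in tickets.items() if v["events"] >= threshold}


if __name__ == "__main__":
    for key, ticket in open_tickets(find_probes(SAMPLE_LOG)).items():
        print(key, ticket)
```

Run against the sample, the single quote in a legitimate search for "o'neil" is recorded as an event but never becomes a ticket, while the three escalating probes against /news.asp from one address do, with the script path attached so the ticket can be closed only by fixing that script rather than by blocking the address.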

At the client-side of the current mass attacks, it’s interesting to note that the exploits being used to download and install the actual malware are pretty old. For example, the attacks attempt to exploit MS06-014 (an old MDAC vulnerability from 2006), some newish RealPlayer vulnerabilities, and a handful of other lesser-known ActiveX controls.

What’s the takeaway from this? Well, the threat landscape continues to evolve, but this particular attack should drive home the fact that the Web isn’t a friendly place – even visiting a short list of trusted, commercial, well-respected Web sites can still lead to a host compromise. Make sure you patch and update your protection frequently.

    Copyright 2001-2008 © Gunter Ollmann