http://www.provos.org/ systrace, spybye and other things. en Serendipity 1.3.1 - http://www.s9y.org/ http://www.provos.org/index.php?/archives/92-Lizamoon-SQL-Injection-Campaign-Compared.html Hacking Malware News Security SpyBye http://www.provos.org/index.php?/archives/92-Lizamoon-SQL-Injection-Campaign-Compared.html#comments http://www.provos.org/wfwcomment.php?cid=92 5 http://www.provos.org/rss.php?version=2.0&type=comments&cid=92 nospam@example.com (Niels Provos) Malware infections such as <a href="https://secure.wikimedia.org/wikipedia/en/wiki/SQL_injection">SQL injection</a> are a well known security problem. Over the past two years we have seen several large-scale infections on the web, e.g. <i>Gumblar.cn</i> and <i>Martuz.cn</i>. Recently, a new SQL injection campaign called <a href="http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx">Lizamoon</a> has gained a lot of attention. I had expected web sites would become more secure over time and less susceptible to simple security problems, so it is surprising that SQL injection is still a prevalent problem. That let me to wonder: Was <i>Lizamoon</i> as successful as previous infections? In a discussion about this problem, my colleague Panayiotis Mavrommatis suggested that <a href="http://blog.isovitis.com/2011/03/estimating-web-malware-infections.html">comparing the size of campaigns via search engine result estimates</a> might not be very accurate measurement.<br /> <br /> That begs the question of how to assess the impact of infections. While the number of infected URLs is one possible measure, it is skewed by many different factors, e.g. a single vulnerable site contributes a large fraction of the infected URLs and overstates the impact. Instead, counting the number of infected sites might be a better metric. Even so, to judge the relative scale of an infection campaign, it might be helpful to compare it to previous incidents.<br /> <br /> Below is a comparison of the <i>Gumblar.cn/</i>, <i>Martuz.cn/</i> and <i>Lizamoon</i> infections based on <a href="https://code.google.com/apis/safebrowsing/">Google's Safe Browsing </a>data. The graph shows the number of unique infected sites over a 30 day sliding window.<br /> <a class='serendipity_image_link' href='http://www.provos.org/uploads/LizamoonCompared.jpg' onclick="F1 = window.open('/uploads/LizamoonCompared.jpg','Zoom','height=2224,width=2974,top=-579.5,left=-639.5,toolbar=no,menubar=no,location=no,resize=1,resizable=1,scrollbars=yes'); return false;"><!-- s9ymdb:15 --><img class="serendipity_image_center" width="600" height="448" style="border: 0px; padding-left: 5px; padding-right: 5px;" src="http://www.provos.org/uploads/LizamoonComparedSmall.jpg" alt="" /></a><br /> For this analysis, I counted the sites that had a functioning reference to it, e.g. a <i>script src=</i>. Sites that escaped the <i>script</i> tag rendering it harmless were not counted. For <i>Lizamoon</i>, I aggregated the sites provided by the <a href="http://community.websense.com/blogs/securitylabs/archive/2011/03/29/lizamoon-mass-injection-28000-urls-including-itunes.aspx">websense blog</a> into a single measure:<br /> <blockquote><br /> hxxp://lizamoon.com/<br /> hxxp://tadygus.com/<br /> hxxp://alexblane.com/<br /> hxxp://alisa-carter.com/<br /> hxxp://online-stats201.info/<br /> hxxp://stats-master111.info/<br /> hxxp://agasi-story.info/<br /> hxxp://general-st.info/<br /> hxxp://extra-service.info/<br /> hxxp://t6ryt56.info/<br /> hxxp://sol-stats.info/<br /> hxxp://google-stats49.info/<br /> hxxp://google-stats45.info/<br /> hxxp://google-stats50.info/<br /> hxxp://stats-master88.info/<br /> hxxp://eva-marine.info/<br /> hxxp://stats-master99.info/<br /> hxxp://worid-of-books.com/<br /> hxxp://google-server43.info/<br /> hxxp://tzv-stats.info/<br /> hxxp://milapop.com/<br /> hxxp://pop-stats.info/<br /> hxxp://star-stats.info/<br /> hxxp://multi-stats.info/<br /> hxxp://google-stats44.info/<br /> hxxp://books-loader.info/<br /> hxxp://google-stats73.info/<br /> hxxp://google-stats47.info/<br /> hxxp://google-stats50.info/<br /> </blockquote><br /> The graph shows two interesting facts.<ul><li>The Lizamoon campaign started around September 2010 and actually peaked in October 2010 with <b>~5600</b> infected sites. At the moment, it seems to be undergoing a revival.</li><li>If we compare the number of infected sites, <i>Gumblar.cn/</i> is still clearly the winner with <b>~62,000</b> sites, followed closely by <i>Martuz.cn/</i>.</li></ul>For future studies of malware infections, I suggest taking the number of infected sites as a more reliable measure than counting the number of infected URLs.<br /> <strong><br /> Update 2011-04-04:</strong> The blog post incorrectly referred to <i>Gumblar.cn</i> and <i>Martuz.cn/</i> as SQL injection attacks. These attacks used stolen FTP credentials.<br /> Sun, 03 Apr 2011 15:24:20 -0700 http://www.provos.org/index.php?/archives/92-guid.html malware security sql injection http://www.provos.org/index.php?/archives/53-SQL-Injection-Redux.html Malware SpyBye http://www.provos.org/index.php?/archives/53-SQL-Injection-Redux.html#comments http://www.provos.org/wfwcomment.php?cid=53 0 http://www.provos.org/rss.php?version=2.0&type=comments&cid=53 nospam@example.com (Niels Provos) <a class='serendipity_image_link' href='http://www.provos.org/uploads/sql-injection.png'><!-- s9ymdb:8 --><img class="serendipity_image_left" width="200px" height="103px" style="float: left; border: 0px; padding-left: 5px; padding-right: 5px;" src="http://www.provos.org/uploads/sql-injection-small.png" alt="" /></a>During my <a href="http://www.usenix.org/events/sec08/tech/tech.html#provos">invited talk</a> on web-based malware at USENIX Security, I mentioned <a href="http://en.wikipedia.org/wiki/SQL_injection">SQL Injection</a> as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the <a href="http://msmvps.com/blogs/harrywaldron/archive/2008/05/16/asprox-botnet-installs-sql-injection-tool.aspx">Asprox botnet</a>.<br /> <br /> The situation has slightly changed since then, Asprox has become quiet and most of the SQL Injection attacks seem to originate from Chinese sites. One way to determine if a site has been injected with malicious content is the <a href="http://googleonlinesecurity.blogspot.com/2008/05/safe-browsing-diagnostic-to-rescue.html">Safe Browsing diagnostic page</a> which shows infection domains and also how many sites they compromised. Here is an example of a Chinese SQL injection domain, <a href="http://www.google.com/safebrowsing/diagnostic?site=ko118.cn">ko118.cn</a>.<br /> <br /> To help web application developers, OWASP has published detailed guidelines on <a href="http://www.owasp.org/index.php/Guide_to_SQL_Injection">preventing SQL injection</a> attacks. More importantly if your web site was SQL injected, its database needs to be cleaned to <a href="http://www.google.com/search?q=cleaning+sql+injection">remove the injected content</a>. Tue, 25 Nov 2008 20:59:35 -0800 http://www.provos.org/index.php?/archives/53-guid.html malware security sql injection usenix