
During my invited talk on web-based malware at USENIX Security, I mentioned SQL Injection as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the Asprox botnet.
The situation has slightly changed since then: Asprox has become quiet and most of the SQL Injection attacks seem to originate from Chinese sites. One way to determine if a site has been injected with malicious content is the Safe Browsing diagnostic page, which shows infection domains and also how many sites they compromised. Here is an example of a Chinese SQL injection domain, ko118.cn.
To help web application developers, OWASP has published detailed guidelines on preventing SQL injection attacks. More importantly, if your web site was SQL injected, its database needs to be cleaned to remove the injected content.
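As an added example (not code from the original post), here is the injection shape behind these mass attacks reproduced against an in-memory SQLite table, next to the parameterised fix the OWASP guidance recommends and a sweep that finds and strips injected script tags so the database can be cleaned. The table, the rows and the INJECTED-DOMAIN.invalid marker are constructed for the demo.

```python
import re
import sqlite3

# Constructed stand-in for the script tag these attacks append to text
# columns; the domain is a placeholder, not a real indicator.
INJECTED = "<script src=http://INJECTED-DOMAIN.invalid/x.js></script>"
SCRIPT_RE = re.compile(r"<script\b[^>]*>.*?</script>", re.IGNORECASE | re.DOTALL)
# Crafted request values: the title closes the string literal and adds a SET
# clause, the id widens the WHERE clause to every row (mass-injection shape).
BAD_TITLE = "x', body = body || '" + INJECTED
BAD_ID = "1 OR 1=1"


def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    db.executemany("INSERT INTO news (title, body) VALUES (?, ?)",
                   [("Hello", "first post"), ("CfP", "LEET call for papers")])
    return db


def edit_vulnerable(db, article_id, new_title):
    # The bug: untrusted values are spliced into the statement text.
    sql = "UPDATE news SET title = '%s' WHERE id = %s" % (new_title, article_id)
    return db.execute(sql).rowcount


def edit_safe(db, article_id, new_title):
    # Bound parameters are never parsed as SQL; the crafted id is compared as
    # a plain value against the integer column and matches no row.
    return db.execute("UPDATE news SET title = ? WHERE id = ?",
                      (new_title, article_id)).rowcount


def find_injected(db):
    """Ids of rows whose text columns carry a script tag (the cleanup sweep)."""
    return [row_id for row_id, title, body in db.execute("SELECT id, title, body FROM news")
            if SCRIPT_RE.search(title or "") or SCRIPT_RE.search(body or "")]


def clean_injected(db):
    """Strip script tags from every flagged row; returns how many were cleaned."""
    cleaned = 0
    for row_id, title, body in db.execute("SELECT id, title, body FROM news").fetchall():
        if SCRIPT_RE.search(title or "") or SCRIPT_RE.search(body or ""):
            db.execute("UPDATE news SET title = ?, body = ? WHERE id = ?",
                       (SCRIPT_RE.sub("", title or ""), SCRIPT_RE.sub("", body or ""), row_id))
            cleaned += 1
    return cleaned
```

The sweep only catches the tag shape in SCRIPT_RE; a real cleanup should also check for encoded or obfuscated variants and restore from a known-good backup where possible.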
The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:
- http://www.usenix.org/event/leet09/cfp/
LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.
Important Dates
- Submissions due: January 16, 2009, 11:59 p.m. EST
- Notification of acceptance: March 2, 2009
- Electronic files due: March 30, 2009
This will be the second edition of LEET, which evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). These two workshops have each dealt with aspects of this problem. However, while papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.


Earlier this year, I published the fantasy novel my father wrote 15 years ago. This was an interesting experience, as I had to do editing, layout and printing all by myself. To make it a proper book, I even registered an ISBN number and was surprised to find out that this was not sufficient to make it appear on any of the online book stores. However, Amazon has a program that allows one to enter any item into their catalog for approximately $50/year. So, I joined Amazon Advantage and anyone can buy Sargons Schatz at Amazon now. As this is a German book published in an English-speaking country, I don't expect many prospective buyers - we will see.

I just finished a three day bladesmithing class with Grant Marcoux in Alameda. He taught me how to make a Nessmuk knife out of O1 tool steel. The blade is hand forged. It has been normalized, oil hardened and tempered. The edge is so strong and sharp that it can cut even steel. The handle is made out of Padauk with a brass guard. Grant taught me how to make the knife step-by-step starting with the O1 round and forging it into rough shape. The class was fun and I have learned to really appreciate how much work goes into making a good knife. Now, I just need to convince my wife that it is okay to set up a forge at home.
This is another bug fix release. Here are the problems fixed in this one:
- Match the query in DNS replies to the query in the request; from Vsevolod Stakhov.
- Fix a merge problem in which name_from_addr returned pointers to the stack; found by Jiang Hong.
- Do not remove the Accept-Encoding header.
You can download the source from the usual place:
- http://monkey.org/~provos/libevent-1.4.8-stable.tar.gz
You can download the source from the usual place:
- http://monkey.org/~provos/libevent-1.4.7-stable.tar.gz
This release fixes a bug where headers arriving in multiple packets were not parsed. The bug fix is from Jiang Hong. Thank you.