
SQL Injection Redux

During my invited talk on web-based malware at USENIX Security, I mentioned SQL Injection as one of the more popular means of compromising web servers. Although I did not have a chance to post my slides, here is one graph that shows how many URLs with drive-by downloads due to SQL injection were found by Google's infrastructure in July 2008; it's over 800,000 URLs. Curiously, most of these were due to the Asprox botnet.

The situation has changed slightly since then: Asprox has gone quiet, and most of the SQL injection attacks now seem to originate from Chinese sites. One way to determine whether a site has been injected with malicious content is the Safe Browsing diagnostic page, which shows infecting domains and how many sites each of them compromised. Here is an example of a Chinese SQL injection domain:

To help web application developers, OWASP has published detailed guidelines on preventing SQL injection attacks. More importantly, if your web site has been SQL injected, its database needs to be cleaned to remove the injected content as well; fixing the query code alone does not remove what has already been written into the tables.
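As an added illustration (not code from the original post), the two halves of the advice above in one small Python script: a string-concatenated query beside its parameterized replacement, and a scan of every text column for the script tags that mass SQL injection campaigns leave behind. The table layout, the marker list and the attacker domain are constructed assumptions for the example.

```python
import sqlite3

# Constructed in-memory database standing in for a web application's backend.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)",
                     [("Hello", "Welcome to the site."), ("News", "Plain text body.")])
    return conn

def find_article_vulnerable(conn, title):
    # String concatenation: user input becomes part of the SQL grammar.
    sql = "SELECT id, title FROM articles WHERE title = '%s'" % title
    return conn.execute(sql).fetchall()

def find_article_safe(conn, title):
    # Parameterized query: the input is bound as data and can never alter the statement.
    return conn.execute("SELECT id, title FROM articles WHERE title = ?", (title,)).fetchall()

# Markers typical of injected drive-by download content (assumed list, extend as needed).
INJECTED_MARKERS = ("<script", "<iframe")

def find_injected_rows(conn):
    # Walk every TEXT column of every table and report rows carrying a marker.
    # Table and column names come from the schema catalogue, not from user input.
    hits = []
    tables = [r[0] for r in conn.execute("SELECT name FROM sqlite_master WHERE type='table'")]
    for table in tables:
        cols = [r[1] for r in conn.execute(f'PRAGMA table_info("{table}")') if r[2].upper() == "TEXT"]
        for col in cols:
            for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
                if value and any(m in value.lower() for m in INJECTED_MARKERS):
                    hits.append((table, col, rowid))
    return hits

def demo():
    conn = make_db()
    tautology = "' OR '1'='1"                       # textbook input that closes the quote
    vuln = find_article_vulnerable(conn, tautology)  # matches every row
    safe = find_article_safe(conn, tautology)        # matches nothing: no such title
    # Simulate content an injection campaign wrote into the database (constructed payload).
    conn.execute("INSERT INTO articles (title, body) VALUES (?, ?)",
                 ("Injected", 'text<script src="http://attacker.example/x.js"></script>'))
    return len(vuln), len(safe), find_injected_rows(conn)

if __name__ == "__main__":
    print(demo())
```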
Categories: Malware, SpyBye

LEET '09 Call for Papers

The CfP for the 2nd USENIX Workshop on Large-Scale Exploits and Emergent Threats (LEET '09): Botnets, Spyware, Worms, and More is up at:

LEET '09 will be held on April 21, 2009 in Boston, MA immediately before the 6th USENIX Symposium on Networked Systems Design and Implementation (NSDI '09), which will take place April 22–24, 2009.

Important Dates
  • Submissions due: January 16, 2009, 11:59 p.m. EST
  • Notification of acceptance: March 2, 2009
  • Electronic files due: March 30, 2009

This will be the second edition of LEET, which evolved from the combination of two other successful workshops, the ACM Workshop on Recurring Malcode (WORM) and the USENIX Workshop on Hot Topics in Understanding Botnets (HotBots). Each of these workshops dealt with one aspect of the problem. While papers relating to both worms and botnets are explicitly solicited, LEET has a broader charter than its predecessors. We encourage submissions of papers that focus on any aspect of the underlying mechanisms used to compromise and control hosts, the large-scale "applications" being perpetrated upon this framework, or the social and economic networks driving these threats.
Categories: News, Security, Systrace

Sargons Schatz on Amazon

Earlier this year, I published the fantasy novel my father wrote 15 years ago. This was an interesting experience, as I had to do editing, layout and printing all by myself. To make it a proper book, I even registered an ISBN number and was surprised to find out that this was not sufficient to make it appear on any of the online book stores. However, Amazon has a program that allows one to enter any item into their catalog for approximately $50/year. So, I joined Amazon Advantage and anyone can buy Sargons Schatz at Amazon now. As this is a German book published in an English-speaking country, I don't expect many prospective buyers - we will see.
Categories: Hacking, News

Hand forged Nessmuk knife

I just finished a three day bladesmithing class with Grant Marcoux in Alameda. He taught me how to make a Nessmuk knife out of O1 tool steel. The blade is hand forged. It has been normalized, oil hardened and tempered. The edge is so strong and sharp that it can cut even steel. The handle is made out of Padauk with a brass guard. Grant taught me how to make the knife step-by-step starting with the O1 round and forging it into rough shape. The class was fun and I have learned to really appreciate how much work goes into making a good knife. Now, I just need to convince my wife that it is okay to set up a forge at home.
Categories: Hacking

Libevent 1.4.8-stable released

This is another bug fix release. Here are the problems fixed in this one:

  • Match the query in DNS replies to the query in the request, so that a reply is only accepted for the question that was actually sent; from Vsevolod Stakhov.
  • Fix a merge problem in which name_from_addr returned pointers to the stack; found by Jiang Hong.
  • Do not remove the Accept-Encoding header.

You can download the source from the usual place:

Categories: Libevent, News

Libevent 1.4.7-stable released

You can download the source from the usual place:

This release fixes a bug where HTTP headers arriving split across multiple packets were not parsed. The bug fix is from Jiang Hong. Thank you.
Categories: Libevent, News