Network World
Thursday, November 20, 2008
Jimmy Ray Purser: Networking Geek to Geek

Cisco Subnet

Drive By Hacking; A Story From the Field

I was at a customer site the other day conducting a bit of forensic analysis for an upcoming security TechWiseTV show. This customer was not happy about the SQL injection attacks some of his users were getting. He had conducted training with his staff and end users, yet still, folks came back with bots, keyloggers, etc. He was angrier than a Chicago Cubs fan in October. Looking at what was going on, it appeared to be a classic drive-by download attack and not a SQL injection.

A drive-by works kinda like this: a hacker attacks a web server with a SQL injection to act as a man in the middle between the user-facing web application and the SQL database that supports it. Now, a SQL injection can do a lot of different things to get that database to present and do stuff it was not supposed to do. However, in this case, it was a classic ASPROX. It would transparently redirect the user to a hacker mirror that would launch a dark JavaScript to do footprinting of the client machine. This is so common an attack that Sophos detected over 16K legitimate web pages hit with it in the first half of 2008. If you love math as much as me, you can see that averages out to about one page every five seconds. That is three times what it was in all of 2007!

After the hacker site determined the type and patch level of the OS, it launched a simple iFrame redirect to send the user to the server hosting the vuln exploiter for that OS. Simple, automated and transparent. Now that is goooood codin'! In the end, we found that many of the users exploited would go to an online gaming site at lunchtime and play poker. Their machines would be patched up on Patch Tuesday, be OK for a bit, then all of a sudden these clients would bring back all kinds of nastyware to the LAN. Kinda like the malware version of the Circle of Life... sing it with me!!!
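As an added example (not code from the original post), here is the kind of defender-side scan a site owner could run over the pages his application serves out of the database, flagging the two things the post describes: off-site script tags injected into legitimate pages and the hidden iFrame redirect. The trusted host allow-list and the two sample pages are constructed for the demo.

```python
"""Scan HTML for ASPROX-style injected markup: <script src> pointing off-site
and hidden/zero-size <iframe> redirects. Allow-list and samples are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts the site legitimately loads scripts and frames from (constructed).
TRUSTED_HOSTS = {"www.example-shop.test", "cdn.example-shop.test"}


class InjectedMarkupFinder(HTMLParser):
    """Collect <script>/<iframe> tags whose src is off-site or that are hidden."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted = trusted_hosts
        self.findings = []  # (tag, src, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return  # inline script or srcless frame: not a redirect we look for
        host = urlparse(src).hostname  # None for relative URLs, which stay local
        if host and host not in self.trusted:
            self.findings.append((tag, src, "off-site src"))
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = (a.get("width") == "0" or a.get("height") == "0"
                      or "display:none" in style or "visibility:hidden" in style)
            if hidden:
                self.findings.append((tag, src, "hidden iframe"))


def find_injected_markup(html, trusted_hosts=TRUSTED_HOSTS):
    """Return a list of (tag, src, reason) findings for one HTML document."""
    parser = InjectedMarkupFinder(trusted_hosts)
    parser.feed(html)
    return parser.findings


# Constructed samples: a clean page and one carrying injected redirect markup.
CLEAN_PAGE = ('<html><body><script src="https://cdn.example-shop.test/app.js">'
              '</script></body></html>')
INJECTED_PAGE = ('<html><body><h1>Hello</h1>'
                 '<script src="http://redirector.invalid/r.js"></script>'
                 '<iframe src="http://exploit-host.invalid/x.html" width="0" height="0">'
                 '</iframe></body></html>')

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, find_injected_markup(page))
```

Run it against pages pulled straight from the database rather than fetched through a browser, since the redirect only has to survive in the stored content to be served to every visitor.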

Their ASA was good at stopping this data from being delivered back to the Sith Lair of Hackerdom, but in the end we needed two things. First, understand the terms: clients were not being hit by SQL injection; they were indirectly attacked. Many hours of troubleshooting were lost due to terminology. And finally, my old steady as the Mediterranean, CSA, was immediately put to use on all clients. Now when we educated the end users, they understood what to look for. This customer really worked hard to solve this issue, but was not making any headway. Network security a lot of times is not like the movie Rudy. Heart does not matter as much as having a hacker mind. Gotta go, it is my turn to ante up...

Jimmy Ray

16K legitimate web pages

16K legitimate web pages were hit with this attack the first half of 2008. If you love math as much as me, you can see that averages out to about one page every five seconds

Hi JimmyRay,

I can't believe I am going to post this, but... I don't think 16,000 web pages attacked in the first half of 2008 = 1 attack every 5 seconds.

First half 2008 = 6 months = 182 days = 4368 hours
Therefore 16000 attacks in 4368 hours
= 3.66 attacks per hour

Please point out if I have made a mistake

I've enjoyed every one of your Network World posts - they always get me thinking.

jagman

Reply to Jagman

Hmmmm... You know, I knew taking that math class sponsored by Enron was a bad idea. No wonder my checkbook doesn't balance out... Thank you for catching my bonehead error! Come to think of it, if I am not as good at math as I think I am, maybe I have a second career as a Congressman in me!

Thank you again

Jimmy Ray

Reply to Jim

Doubt it was an ENRON "OOPS"; that was deliberate, yours wasn't :)

About Jimmy Ray Purser

Jimmy Ray Purser is the technical co-host for Cisco's TechWise and BizWise TV. Jimmy Ray also conducts advanced training for engineers across North America and Europe and regularly speaks at industry conferences such as VON, CeBIT, N+I, and Networkers. As a field engineer, Jimmy Ray experiences networking first hand behind the console or in the rack. He is an active member in the IEEE and the Ethernet Alliance and has designed, installed and tested numerous networks for Fortune 500 companies, the United States military and other institutions worldwide. He holds 3 U.S. patents for Ethernet security algorithms with two others pending and one defensive publication, as well as numerous other vendor certifications in networking and security.

Purser holds a Bachelor of Science degree in electrical engineering from Southern Illinois University, is currently pursuing a Master of Science degree in electrical engineering, and is a licensed professional engineer in Wisconsin.

The opinions expressed in this Weblog are those of the writer and may not represent the opinions of Network World.
