Playing with SQL Injection and Firewall Bypassing

Playing with SQL Injection and Firewall Bypassing

Disclaimer: This article is only for educational purposes, security researchers, and pentester. I would like to clarify that I am completely against cyber-crime.

ABSTRACT

Most cyber-attacks in the world that involve websites occurs due to lack of updates and configuration faults resulting in explorations of success.

One of the main threats is SQL Injection that left many worried about their systems, programmers, and SQL databases.

The biggest problem is not the DBMS itself but the lack of definition and verification of the input fields in web applications.

CONTEXT

Many web developers do not know how SQL queries can be handled and assume that an SQL query is a trusted command. This allows for SQL queries to circumvent access controls, thereby bypassing standard authentication and authorization checks. And sometimes SQL queries even may allow access to the command shell on the server operating system level.

Direct injection of SQL commands is a technique where an attacker creates or alters existing SQL commands to expose hidden data or to override valuable data, and even to execute dangerous system level commands on the server.

INTRODUCTION

Structured Query Language is the standard declarative language for relational databases. This allows for its simplicity and ease of use.

SQL was originally developed in the early 70s at IBM labs.

SQLMAP is a tool used for this type of vulnerability.

It is Open source, and often is used for Penetration Testing that enable intrusions on fragile DBMS written in Python. It provides functions to detect and exploit vulnerabilities of SQLI. Let's use the example sqlmap.py, widely used in operating systems and databases.

STEP BY STEP

Readers I will try to explain this in the simplest possible way.

You must have a vulnerable target, to find out if the target is vulnerable just input ' at the end of the URL being tested and press "Enter" if some error is returned the database is vulnerable.

You can use google to find it with some dork. Example: inurl: news.php id = 1?

There is a bank of google dorks data and several other possibilities that can be used to filter your search.

cd /pentest/database/sqlmap

We will now begin the game, to view the menu for sqlmap.py use the command ./sqlmap.py -h

Let's run sqlmap.py, the parameter [--dbs], to search the all databases in DBMS.

Or use the parameter --current-db to show the databases that are being used.

The parameter -D is for the target of database and --tables is tables list.

We will verify the existence of interesting information in the table (admin_users), time to list the columns. The parameter is –columns.

It is important to always indicate the target database (-D) data before listing the tables because if you do not do this (without the -D) it will list all tables in all databases.

-T = target table

-C = target columns, can be more than one column to be chosen. Example: username, password.

--dump = obtain, extract data.

Important to remember the parameter --proxy: enables use of proxy.  

Example:  /sqlmap.py --url "http://testphp.vulnweb.com/listproducts.php?cat=1" --dbs --proxy=http://183.223.10.108:80

Readers, I think that's the basics for beginners. sqlmap.py also has many interesting functions, I suggest researching about --prefix=PREFIX, --postfix=POSTFIX and takeover options.

More information about the program and videos of them in action on the official site.

--dump is to extract the data from the site but is not given any, this must be within the selected column, and you have to choosen what to extract from the column, where I extracted the logins and passwords are saved within the column.

Generally, the field of "passwords" DBMS are encrypted.

We then need to decrypt the passwords in order to access the target system.

We can find a way to log into the system. But wait, the passwords are encrypted in MD5, hahahaha put your hash on:http://www.md5decrypt.org and may be decrypted or otherwise

https://crackstation.net/ http://www.onlinehashcrack.com/

BEYOND THE BASICS

Readers, lucky for us, there are some awesome tamper scripts for sqlmap, which can be found in the latest development version from the Subversion repository.

svn checkout https://svn.sqlmap.org/sqlmap/trunk/sqlmap sqlmap-dev

In fact the function of the tamper scripts is to modify the request in a way that will escape detection rules WAF (Web Application Firewall). In some cases it may be necessary to combine some tamper scripts together in order to fool the WAF. For a complete list of scripts for tampering, you may find https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/

Many enterprises often overlook the current vulnerabilities and rely only on the firewall for protection. Unfortunately, most, if not all firewalls can be bypassed. So gentlemen, I want to demonstrate how to use some of the new features of sqlmap to bypass WAF’s/IDS.

Well, I'll demonstrate some important scripts that are charencode.py and charcodeencode.py to work with MySQL.

Hands-on: To begin using tamper scripts, you use the --tamper followed by the script name. In the example, we use the command:

Summary of charencode.py

Quite simply, this script is useful for ignoring very weak web application firewalls (WAF) …

Another interesting function url-decode the request before processing it through their set of rules (:

The web server will anyway go to url-decoded back version, concluding, it should work against any DBMS.

Example to use:

We will demonstrate the use of charunicodeencode.py for additional security. The vast number of organizations have deployed WAF. Guys, this is a tricky part to exploit such an environment. Well, standard SQL injection attack vectors will not work neither will the scripts.

That is the reason we use tamper scripts, this facility known as “tamper scripts" in aid of a quiet way to bypass web application firewalls.

Guys, I have demonstrated just a few of the many tamper scripts. We highly recommend testing them out as each one can be used in different situations.

Notes: That's not a tool for "script kiddies" it is of utmost importance to make use of such a powerful tool responsibly and maturely.

Caution if used in the wrong way, sqlmap generates many queries and can affect the performance of the database target, moreover strange entries and changes to the database schema are possible if the tool is not controlled and used extensively.

PARTLY ANONYMOUS

I will demonstrate to you how to use sqlmap with The Onion Router for the protection of IP, DNS, etc... In your Linux, in the terminal type:

$ sudo apt-get install tor tor-geoip

After enter the sqlmap folder and type:

./sqlmap.py -u "http://www.targetvuln.com/index.php?cata_id=1" -b -a –tor --check-tor--user-agent="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The argument --tor invokes the Tor to be used and the --check-tor checks if Tor is being used properly, if not, you will receive an error message in red at the terminal. The User Agent is the googlebot, all your requests on the site will look like the Google bot doing a little visit.

TOR at SQLMap, we can set your TOR proxy for hiding the source from where the traffic or request is generated.

–tor-port, –tor-type :  the parameter can help you out to set the TOR proxy manually.

–check-tor : the parameter will check if the tor setup is appropriate and functional.

CONCLUSION:

It is known that many targets have been explored through SQL Injection a few years ago when this threat was discovered, the injection form was "the nail". The pentester had to enter the codes manually, taking longer to complete the attack.

Then came the development of programs that automated attack. Nowadays perhaps the best known of these programs is sqlmap.py. SQLMAP is a program of open source testing framework written in Python. It has full support for database systems: MySQL, Oracle, PostgreSQL, Microsoft SQL Server, Microsoft Access, IBM DB2, SQLite, Firebird, Sybase, SAP MaxDB and also supports 6 types of SQL Injection techniques.

SOLUTION:

1.    Correct the SQL server regularly.

2.    Limit the use of dynamic queries.

3.    Escape input data from users.

4.    Stores the credentials of the database in a separate file.

5.    Use the principle of least privilege.

6.    Turn off the magic quotes.

7.    Disable shell access.

8.    Disable any feature of the bank that you do not need

9.    Test your code

10. Search in google advanced techniques to correct this vulnerability.

Sumber

Read More...

DDoS and SQL injection are hot topics on hacking forums

Forums are the cornerstone of hacking, providing a venue for hackers to sell and exchange information

Distributed denial of service and SQL injection are the main types of attack discussed on hacking forums, according to new research from security vendor Imperva.

Underground discussion forums are an important piece in the cybercriminal ecosystem. They offer a place for hackers to sell and exchange information, software tools, exploits, services and other illegal goods.

[ Learn how to greatly reduce the threat of malicious attacks with InfoWorld's Insider Threat Deep Dive PDF special report. ]

"Forums are the cornerstone of hacking -- they are used by hackers for training, communications, collaboration, recruitment, commerce and even social interaction," Imperva stressed.

The company's researchers have recently analyzed discussions going back several years from HackForums.net, one of the largest hacker forums with over 220,000 registered members. Their effort was aimed at determining the most common attack targets, what business trends can be observed, and what directions hackers are leaning toward.

As far as attack popularity goes, the analysts determined that DDoS was mentioned in 22 percent of discussions. SQL injection, a technique commonly used to compromise websites, is the second most frequently discussed attack method, being at the center of 19 percent of conversations.

Unsurprisingly, with a 16 percent discussion occurrence rate, spam is the third most favorite attack type according to Imperva's content analysis. That's probably because it is one of the primary methods of generating illegal income.

Zero-day exploits make up 10 percent of attack discussions on the forum, however, Microsoft's latest Security Intelligence Report (SIR) claims that this type of exploit is used in less than 1 percent of real-world compromises.

Forums are also an important learning tool for new hackers -- Imperva determined that up to a quarter of discussions fall into the beginner hacking category. Another 25 percent of conversations involved hacking tools and programs, while a fifth mentioned Web and forum hacking.

One trend observed by Imperva's researchers was that mobile hacking is increasingly popular. This is also reflected in real-world attack statistics and reports from other vendors. iPhone hacking in particular accounted for half of conversations on this topic.

Overall, discussions about hacking have increased more than 150 percent over the last four years. "We think the growth in hacker forum activity helps explain that, along with automated hacking, there are simply more hackers causing more breaches," Imperva concluded. Read More...

Horrible blog going around about you? Or a Twitter phishing attack?

You may not realise it, but your Twitter account is worth money.

Cybercriminals are keen to compromise your Twitter account, so they can spam out messages (either as public tweets, or less obvious direct messages to your online friends) in the hope that some recipients will click on the links.

What lies at the end of the links can vary. It might be a webpage offering you a new wonder diet, or a pornographic website, or a link to a download designed to infect your computer.

But first they need to commandeer your Twitter account, and the simplest way for them to do this is just to ask you for your Twitter username and password.
Here's an example of the latest attack that has been seen on Twitter. The message arrives in the form of a direct message (DM), and has a pretty enticing reason for you to click on the link:

Read this yet? horrible blog going around about you [LINK]

In the example above, the DM has come from an account that has already fallen victim to the scammers. Ironically in this example, shared with us by Naked Security reader @basexperience, the owner of the account which has been taken over by cybercriminals is a division of the UK's Sussex Police Force. Whoops.
So, what happens if you click on the link?
Well, you'll be taken - via some redirects - to a website which looks like this.



At this point, you think that your Twitter session has timed out - and you may well be tempted to enter your userid and password.

Stop. Right. There.

Let's take a closer look.



Did you notice? This site isn't the real twitter.com - it's a lookalike phishing site called "twittelr", designed to steal your login credentials so cybercriminals can use your account to spew out spams, scams and other nasty links. They could even read your private DMs if they wanted.

If your Twitter account has been sending out messages that you didn't authorise, change your password immediately (make sure it's unique, and you're not using it anywhere else on the web), and visit Settings/Connections to double-check that you have only allowed applications you are comfortable with to integrate with your account.

Read More...

Email fraud came close to wrecking my life – and the charity I run

On the last day of our summer holiday in my Dorset cottage, my son shouted down the stairs "Mum, you've been hacked".

That sunny day, 25 August, saw the beginning of the most gruelling, frustrating and miserable period of my recent life. It lasted nearly four weeks, when I felt totally isolated from all my contacts across the world, and work virtually stopped as I had no access to my Google Gmail account.

The phones, landlines and mobile, never stopped ringing as an endless list of people – friends, colleagues, civil servants (surely they should have recognised the money-seeking message as fraudulent?), people I had not spoken to for years – called to ask if I was in Spain, whether I had been robbed, or if it was a scam. Moreover, various elderly friends and relations (I am in my 80th year so it is not surprising that many on my list are as old or older) unwittingly fell for the trick, followed the instructions and sent off the requested money.

I lost all the contacts in my computer address book. It meant I almost had to close the charity I direct, Widows for Peace through Democracy, because I had missed so many deadlines and our work was badly compromised.

I am simply one of the many thousands of victims of the "mugged in Spain" scam. For Spain, substitute "Athens", "Cyprus", "Kuala Lumpur" or whatever destination the fraudsters care to use. Most of us, surely, can immediately recognise the message that urgently pleads for a loan of around £2,000 because I have been "attacked on my way back to my hotel …" as fraudulent.

But many people did not. As far as I know some £5,000 has been sent, as if to me, as a "loan to be repaid with interest". And during the month I was unable to use my Gmail account, I learned of at least six other cases where people had received similar emails as if from people they knew, and sent off large sums.

Yes, it is easy for us to express amazement that anyone could send off money without first doing a little bit of detective work – such as telephoning one's children to ask whether we really are abroad, or taking other advice. But the fact is, that in a contact list of maybe over 3,000 names, if just a handful of people fall for the scam, the fraudsters have won.

Google has no human helpline you can contact, unlike the paid-for providers, such as AOL and Virgin, and I feel its website is sadistically ambiguous in the instructions it gives on what to do if you cannot access your emails. But, eventually, we got back by changing the password to one very esoteric and surely uncrackable, and were able to message everyone on the contact list about what had happened.

For a whole week I worked hard to re-establish the work of our charity – the only NGO in the world that represents the needs of widows and wives of the missing in mainly conflict-afflicted countries. I was desperately concerned that I had let down my partner associations in Iraq, India, Afghanistan, Nepal, Sri Lanka, Congo, Nigeria, Southern Sudan (to name just a few on our network) since, due to the hack, I failed to meet UN deadlines to report specific human rights violations. I missed putting in project proposals and grant applications to various UN and other fund sources, and let down so many people vainly trying to contact me.

WPD operates from my home; has no core funding; no paid staff and all our work is done on the internet, using our Gmail address which is printed on all our publicity material and our website.

However, once reinstated in Gmail, I pulled myself together, buoyed up by the marvellously sympathetic Eddie Mair of Radio 4's PM programme, who gave me a slot to describe what these scams can do to one's work, and to one's life. And then … Boom, Crash, it happened again, this time back in my west London house.

On 29 September I got a call from Fiona Hodgson, on my advisory committee, who was preparing to chair the forthcoming Conservative Conference. "I am so sorry, Margaret. I know what you've been through in the last month but you have been hacked again."

I have to admit I nearly collapsed, since the horrors of the past month were so vivid and I knew I could not face a repetition of that saga. I would have to close down WPD and cease all work on the issue of widows' rights that I feel so passionate about and which is so neglected by the UN, the international community, and our UK International Development Department.

In Dorset, I had called the local police, but they admitted there were no resources to deal with these frauds since the priorities for a much-strapped police force are "burglary, violence and Asbo". When it happened again in London, we called the Met and they were rather more on the ball.

Their advice was to close down my Gmail account completely; transfer all the contact addresses to a private account I have with AOL, and to take a hard copy of the contacts so I would not be caught out should anything happen in the future. They also explained that my new password was easily decipherable once the fraudsters had my email address, for they have some device that browses every combination of letters and numbers until they get the magic mix. They advised: "Don't use any of the free internet providers like Google, Hotmail or Yahoo. None of these have help lines. Only use providers you pay for."

Although I have put the Met in touch with Dorset Police, and sent them all the evidence I have collected from other people's experiences of this hack, I fear nothing can be done. The police agree. They say the public must become more vigilant and aware of these frauds. This scam is on a vast global scale but neither Western Union, which is designated as the channel for these money transactions, nor Google itself, is prepared to bear any responsibility or help track down these criminals. Besides, the UK police are powerless to act since the fraudsters mostly operate from overseas.

There is much discussion in the media on cyber-crime, but it is mostly directed at gangs that hack into bank accounts, credit cards and big company or government computer systems. No one seems to pay any attention to the hacking of individuals' identity through their email accounts.

What is to be done? I feel wretched about the kind people who truly believed I was in dire need and sent money to these criminals; but I can hardly afford to repay them as I, too, am a pensioner trying to run my NGO with practically no financial support.

As hacking individual accounts is one of the most lucrative of all cyber-crimes, I hope that greater resources will be invested to raise awareness of this type of fraud among the public, especially the elderly. Given that this crime has no borders, information sharing between law enforcement officials internationally is vital. And I very much hope that the government will accommodate this type of fraud within its cyber-security strategy, to be presented shortly to parliament. Read More...

Cybercriminals Remember Steve Jobs Through Facebook Scam

In an inevitable turn of events, cybercriminals were found leveraging the death of Apple co-founder Steve Jobs through Facebook scams within hours after it was announced.

The particular scam we found involves a website which claims that Apple has decided to give away 1000 iPads, in memory of Steve Jobs. The said site displays the following:

The site asks users to share the page in order to be eligible. After the user follows the instructions, he is directed to an ad site, while in the background, the link is posted on their Facebook wall.


And as dubious as the offer sounds, it seems like some users are falling for the scheme, as we are seeing an increasing number of posts bearing the website’s URL.

The catch behind this scam is that there is no such offer from Apple, and that only ones who will get anything from this are the scammers, who will earn money from the displayed ads every time a user is tricked into following the instructions. Also, as more users share the link, the number of potential victims also increases, as well as the profit for the scammers behind it.

The death of known persons have become staple topics of social engineering schemes for the past years. Just a couple of months ago we saw scams that took advantage of the death of singer Amy Winehouse, as well as rumors about the death of Lady Gaga.

Users are advised not to click on posts like these if they see them on their Facebook newsfeeds. We also suggest users to educate those who have been tricked to stop the spreading of such scams.

For more information on threats leveraging social networking sites, check our infographic, The Geography of Social Media Threats.

Access to the mentioned website is now blocked through the Web Reputation Service. Users of the latest Trend Micro™ Titanium™ Maximum Security are also protected from this through the Social Networking Security feature.

Read More...

Fed Seeks Industry Standard for Botnet Mitigation

The Departments of Commerce and Homeland Security met with various other government agencies and private-sector leaders yesterday to discuss the need for a code of conduct for detecting, mitigating, and otherwise dealing with botnets.

The invitational meeting was hosted by the Center for Strategic and International Studies (CSIS) and among the topics covered by the group of IT policy experts was the problematic and at time controversial issue of notifying individuals whose computers have been infected with malware and are part of a botnet. There was also a panel discussion with members from the U.S. Internet Service Providers Association, DHS, National Institute of Standards and Technology (NIST), and StopBadware. The panel discussed how ISPs and other organizations can play their part in the fight against botnets by developing ways to better detect their activities and notify infected consumers.

According to a NIST press release, there are an estimated 4 million new botnets infections each month. These infected machines can be used for any number of reasons. Individuals can have their personal information and communications monitored, their computing power and internet access exploited, or more commonly, their computer can be used to disseminate spam, store or transfer illegal content and launch DDoS attacks.

“Improving cybersecurity requires a combination of efforts in which everyone has a role to play,” said White House Cybersecurity Coordinator Howard Schmidt in his keynote address. “By working together to achieve better security, we can make the improvements needed that will ensure the security and resilience we need to prosper as a nation.”

As examined in a recent Securelist piece and asked in our latest Threatpost poll, the question of how to deal with the network of infected computers left in the wake of a botnet takedown is an increasingly relevant one, as corporate and law enforcement partnerships experience more success against botnets. Read More...

Facebook Malvertisement Leads to Exploits

There are already many known ways by which cybercriminals target Facebook users. In the infographic we recently released, “The Geography of Social Media Threats,” we illustrated the different social networking features cybercriminals abused and the threats that these usually lead to.

In the course of conducting research, we found one specific attack that targeted Facebook users through a different route—malvertisements.

We encountered an infection chain wherein the user is led from a page within Facebook to a couple of ad sites then, finally, to a page that hosts exploits. When we traced the connection between the ad sites and Facebook, we found that the ad providers were affiliated with a certain Facebook application. We checked out the said application and found that it is indeed ad supported. We were able to come up with the likely infection chain based on this finding:

Upon accessing the application, the malvertisement gets loaded, triggering a series of redirections. The redirections finally lead to a malicious site, which then loads several exploits, particularly those related to Java and ActiveX:

• CVE-2006-0003
• CVE-2010-4452
• CVE-2010-1423

The exploits were loaded to download more malicious files although we weren’t able to trace these anymore since the URLs they accessed were already inaccessible. Nonetheless, Trend Micro already provides protection for this kind of threat by not only blocking access to malicious URLs but also by protecting against the execution of the said exploits.

Malvertisements are considered grave threats, especially since much like website compromises, attacks related to these usually involve trusted sites that users already typically visit without risk of system infection. In 2009, visitors of the NYTimes were exposed to threats when malvertisements were found on its pages, leading users to FAKEAV variants. Earlier this year, Trend Micro researchers also found malicious ads being displayed in a Web-based email service, directing users to URLs serving PDF exploits.

For this particular incident, users are advised to be careful when it comes to installing Facebook applications and, more importantly, to utilize a security product with a strong Web reputation technology that can help determine bad links from good ones within a social networking environment. Read More...

Mobile Malware Found Disguised as Opera Mini

The recent rise of mobile computing has further signaled the need for users to have a good reliable mobile browsers, such as Opera Mini, installed into their smartphones or any mobile device. We believe that is for this reason that cybercriminals are currently using Opera Mobile as a disguise for mobile malware.

We encountered a website that seems to have been designed to be viewed on a mobile device. The site, which is in Russian, appears to look like the Opera site. It immediately informs visitors that they need to upgrade their version of Opera Mini. Below are screenshots of OperaMini.jar when installed in a mobile phone.
Below is a screenshot of the said site:

All of the links in website lead to the download of the malicious file OperaMini.jar, which is now detected as J2ME_FAKEBROWS.A.


When executed into the device, it checks if the mobile phone uses certain service centers and then proceeds to sending text messages to premium numbers. It affects the mobile devices that support MIDlets — a Java program for embedded devices, specifically the Java 2 Micro Edition (J2ME).

We’ve blocked access to the malicious site, and we are currently monitoring for any more malicious activity that J2ME_FAKEBROWS.A may exhibit.

Users may refer to our Threat Encyclopedia page on mobile malware for tips on how to keep their mobile device protected.

Also, users should check the Opera’s official website, http://opera.com or http://operamini.com if they want to install the said browser into their device. Read More...

Don't fight cybercrime on your own - do it with Synergy!

Project Synergy is the name of an ongoing annual series of conferences organised by the Queensland Police Service.

Sophos has been sponsoring, attending and speaking at these events for several years; we've also written about them numerous times on Naked Security.

We've written about Romanian card-skimming gangs, recounted the pain suffered by the victims of hi-tech crime, presented talks on the risk posed by apparently-innocent file formats, and warned about the growing tendency of cybercriminals to target those who can least afford to get scammed.

The Project Synergy events aren't just for cops or law enforcement agents. Quite the opposite - the events are intended to bring together all of us who have an interest in helping to protect our economy from cybercrime.

If you're an anti-virus researcher, a computer security consultant, a penetration tester, a fraud investigator or an auditor; if you're from the financial sector, an ISP, a community group, a social media company, an online store (or, of course, from any branch of law enforcement), these events could be just the thing for you.
Both the size and scale of internet-enabled crime are vast, from the peddlers of fake anti-virus software who can suck in $72,000,000 by conducting nearly one million fraudulent transactions for just $75 each, to the financial scammers who spend months convincing targeted individuals to invest their entire retirement income in fraudulent schemes.

So, if you've got any interest in disrupting and preventing cybercriminality then you'll know how big a task it sometimes seems.

You probably keep asking yourself, "How can I possibly make a difference on my own?"

At the Project Synergy events, you get to meet a whole bunch of people - many of whom will become good contacts, probably even good friends - who will remind you that you aren't on your own.

You become part of a virtual global team of people who share your goals. People who can help you, and whom you can help.

I'll be heading up to the Gold Coast in Queensland, Australia, on Monday next week (03 October 2011) for the final event in this year's Project Synergy series: the Identity and Hi-Tech Crime Symposium 2011.

I'm going to be giving a live demonstration of how Search Engine Poisoning works, and how to combat it.
By the way, there are still seats left at the event, rooms at the hotel where it's being held (I just checked!), and a special delegate rate at the hotel.

So, if you're in this part of the world, why not give some thought to a last-minute registration?

It's at the Royal Pines Resort on Queensland's Gold Coast, and runs from Monday evening (03 Oct 2011) to Thursday early afternoon (06 Oct 2011). The fee is AU$1800, which includes a welcome party, a gala dinner, and luncheon plus morning/afternoon tea each day.

You also get an all-important Fiscal the Fraud Fighting Ferret laptop bag :-)
Hope to see you there!

Read More...

Symantec sees surge in morphing malware and JavaScript abuse

A new social engineering technique fools users into thinking they've received a legitimate file from an office printer

Proving that most malicious hackers are more than happy to employ time-tested tactics instead of developing sophisticated new techniques and tools, Symantec has reported a huge spike in generic polymorphic malware (malware that changes shape to bypass detection) spread via good old fashioned socially engineered email messages.

That's not to say that the bad guys aren't innovating at all: "Symantec's Intelligence Report: September 2011" (PDF) noted a new social engineering twist to get users to download dangerous attachments: convincingly masking malicious emails as legitimate messages sent from office printers. The security company also has witnessed more spammers and malware authors using JavaScript to hide their activities.

Generic polymorphic malware variants accounted for 72 percent of all email-borne malware in September, compared with 18.5 percent in August and 23.7 percent in July. "This unprecedented high-water mark underlines the nature by which cyber criminals have escalated their assault on businesses in 2011, fully exploiting the weaknesses of more traditional security countermeasures," wrote Paul Wood, senior intelligence analyst at Symantec.

The challenge for cyber criminals is to dupe victims into downloading and opening dangerous attachments. One new approach entails fooling users into thinking they've received an attachment sent from an office printer that has a scan-to-email capability; this feature enables users to send scanned files directly from a printer to a specified email addresses.

To pull off this dupe, hackers send users malicious emails with Subject lines stating "Scan from" followed by the convincing-looking office-printer information. The message itself contains additional fake details about the so-called scanned file, including a sender's name, the number of pages, the type of file, a device number, and possibly the printer's location in an office.



This is all intended to lull targets into a sense of security such that they'll download the attached file, which turns out to be a zip file with a malicious executable.

"To be clear, office printers and scanners will not send malware-laden files, and many are unlikely to be able to send scanned documents as zip file attachments. No printer or scanner hardware was involved in the distribution process," wrote Bhaskar Krishnappa, malware analyst at Symantec.

Additionally, Symantec reported that spammers and malware authors are increasingly using JavaScript to do their dirty deeds. And they're not just using the language to covertly redirect users to malicious sites; they're using JavaScript to obfuscate entire Web pages. Doing so enables spammers and malware authors to set up their obfuscated pages on free hosting sites without site operators realizing it.

Symantec's September Intelligence Report also covers a vulnerability in the WordPress platform, which spammers are exploiting to compromise Web servers and hide files deep with the WordPress directory structure. The files are basic HTML pages, according to Symantec, that redirects users to the Canadian Health & Care Mall spam website. WordPress-hosted blogs aren't affected by these vulnerabilities, according to the report; only older versions of software downloaded from WordPress.org.

Other findings in Symantec's report include:

• Spam rates dipped to 74.8 percent in September, a 1.1 percent drop since August
• One in 447.9 emails were actually phishing attempts, marking a 0.26 percent drop month over month
• One in 188.7 emails in September contained malware, an increase of 0.04 percent
• The number of malicious websites blocked daily rose 1 percent since last month, up to 3,474
• 44.6 percent of all malicious domains blocked in September were new, up 10 percent since August
• 14.5 percent of all Web-based malware blocked in September was new, down 2.9 percent since last month

 

Read More...

Alleged LulzSec Sony hacker arrested

The 23-year-old Phoenix student is accused of using SQL injection to break into Sony Pictures' database

The U.S. Federal Bureau of Investigation has arrested a Phoenix student, claiming that he is one of the LulzSec hackers responsible for a database attack on Sony Pictures computers that claimed more than 1 million victims.

Cody Kretsinger, 23, was arrested Thursday morning on hacking and conspiracy charges. Prosecutors say he was "Recursion," an LulzSec hacker who used a database attack technique called SQL injection to break into Sony Pictures systems. Kretsinger allegedly provided data that was used in a mammoth June 2, 2011, data dump by LulzSec that included coupon codes along with email addresses and passwords belonging to Sony customers.

[ Get your websites up to speed with HTML5 today using the techniques in InfoWorld's HTML5 Deep Dive PDF how-to report. | Learn how to secure your Web browsers in InfoWorld's "Web Browser Security Deep Dive" PDF guide. ]

At the time that LulzSec posted its data, Sony was already recovering from a devastating break-in to its PlayStation Network. That intrusion knocked the service offline for more than two months and cost the company an estimated ¥14 billion ($183 million) to clean up.

"The extent of damage caused by the compromise at Sony Pictures is under investigation," the FBI said Thursday in a statement.

Sony's heavy-handed response to the release of "jailbreak" code for its PS3 console, which could be used to run unauthorized software on the device, had made the company the enemy of hackers everywhere, and the LulzSec hackers were not the only ones to go after the company's computer systems.

LulzSec had a brief run of Internet mayhem earlier this year, breaking into websites belonging to corporations and law enforcement agencies and then posting the data publicly with gleeful disregard to any consequences.

Since then, the group seems to have been largely rounded up by law enforcement in a series of arrests in the U.S. and U.K.

Kretsinger allegedly covered his tracks by using the Hidemyass.com proxy service and wiping his computer hard drive after the attack. He faces 15 years in prison if convicted.

Separately, the FBI also announced the arrest of two alleged members of the Peoples Liberation Front, a group that claimed credit for a 30-minute long 2010 distributed denial of service attack against Santa Cruz County, California. Like LulzSec, Peoples Liberation has affiliated itself with the Anonymous hacking movement.

Christopher Doyon and Joshua Covelli are both facing hacking charges in the case. Covelli had previously been charged in connection with an Anonymous-sponsored December 2010 attack on Paypal.com.

nb : infoworld Read More...