ANTI-MALWARE.info | The Reference in Independent Anti-Malware Advice and Information

Author Archive

It never stays quiet on the internet: The Lizamoon attack, the update problem?

It never stays quiet on the internet, and new attacks or malware are seen every day. Last week, however, we saw an interesting mass SQL injection attack, referred to as Lizamoon, which spread quickly and infected several million URLs in a single week (March 29 until April 4). Even after a week, thousands of compromised websites still don’t seem to have been cleaned up.

What are we talking about?
The attack uses SQL injection techniques to insert rogue code into the databases of websites. SQL injection is a code injection technique that abuses user input which the application does not filter properly before using it in a database query. In other words: the vulnerability is present when user input is not correctly filtered for escape characters embedded in SQL statements, or when the input is not strongly typed and is therefore unexpectedly executed as part of the query (cf.: Wikipedia).

The following code was injected into a large number of websites:
<script src=hxxp://lizamoon . com / ur . php >
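To make the mechanism behind the attack concrete, here is an added example (not code from the original post or from G Data) in Python with sqlite3. It puts a string-concatenated lookup next to its parameterized equivalent, so the same quote-containing input changes the query in one case and is treated as plain data in the other, and it adds a defender-side scan that walks stored page bodies looking for an injected external script tag. The table, rows, the script domain (example.invalid) and the function names are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny "CMS" table with one clean page and one
# page whose body already carries an injected script tag.
SAMPLE_PAGES = [
    (1, "Welcome", "<p>Hello</p>"),
    (2, "News", "<p>Latest</p><script src=http://example.invalid/ur.php></script>"),
]

# Constructed pattern: an external <script src=...> pointing at a placeholder
# domain. A real clean-up scan would use the domain reported for the incident.
INJECTED_SCRIPT = re.compile(
    r"<script\s+src=[\"']?https?://example\.invalid/[^>]*>", re.IGNORECASE
)


def make_db():
    """Build an in-memory database populated with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", SAMPLE_PAGES)
    conn.commit()
    return conn


def find_page_vulnerable(conn, title):
    """Unsafe lookup: the input is pasted into the SQL text, so a quote in the
    input rewrites the statement instead of being compared as a value."""
    sql = "SELECT id FROM pages WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_page_safe(conn, title):
    """Parameterized lookup: the driver sends the value separately from the
    statement, so the input can only ever be compared as data."""
    rows = conn.execute("SELECT id FROM pages WHERE title = ?", (title,))
    return [row[0] for row in rows]


def scan_for_injected_script(conn):
    """Defender-side check: report the ids of pages whose stored body contains
    the injected script tag, so they can be cleaned up."""
    hits = []
    for page_id, body in conn.execute("SELECT id, body FROM pages"):
        if INJECTED_SCRIPT.search(body):
            hits.append(page_id)
    return hits


if __name__ == "__main__":
    db = make_db()
    probe = "' OR '1'='1"  # constructed input containing a single quote
    print("vulnerable:", find_page_vulnerable(db, probe))  # every row comes back
    print("safe:      ", find_page_safe(db, probe))        # no row has that title
    print("injected:  ", scan_for_injected_script(db))     # pages needing clean-up
```

The vulnerable function returns every page for the quote-containing input because the concatenated text becomes a different statement; the parameterized function returns nothing, because no page has that literal title. The scan is what a site owner would run over page and comment tables after an incident like this one, before restoring from backup or stripping the tag.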



CeBIT 2011 and G Data

CeBIT starts on March 1st in Hannover, showcasing the latest developments in the IT industry. G Data is using the largest IT trade show in the world this year to launch the next generation of security for businesses and home users. G Data presents this year’s trade fair highlight: Generation 11 of its network solutions, equipped with a powerful backup module in all Enterprise versions. Also being revealed is G Data MobileSecurity, a security solution for Android phones. Mobile phone owners will thus be able to effectively secure their mobiles against malware. Another first that will be announced in Hannover is G Data CloudSecurity. This free browser plug-in blocks infected websites, making surfing the internet more secure. Besides presenting these innovations, the provider from Bochum, Germany is also offering a comprehensive programme in the G Data Arena, Hall 11, Booth D35.

I personally will take part in the Global Conferences during a panel session about the importance of security, which is detailed below. It’s an interesting line-up of experienced speakers, CEOs and VPs, who will be sitting next to me. I will be available for interviews and chats the whole week (minus Saturday) at our booth. By the way, I like my new title: Global Security Officer. ;-)



Upcoming meetings and events like AMTSO, RSA, CeBIT, etc …

It seems that my busy months are coming up, with a lot of travelling. Very soon you can see me speaking at some national and international events.

Close to my home you can find me at ‘This is IT’ in the Netherlands www.apeldoorn-it.nl/congres (3 February 2011). The week afterwards I will teach the teachers at the ICT day for teachers in Belgium http://www.ictdag.be/ (7 February 2011). After this I will be travelling to San Francisco for AMTSO and the RSA conference (14-18 February 2011). The AMTSO members’ meeting will be held at San Mateo, California, on the 10th-11th February, just before RSA. I’m pretty sure that everybody will find some interesting material coming out of the organization in the next few weeks. There’s more information on this year’s AMTSO meetings on the AMTSO meetings page at http://www.amtso.org/meetings.html, including a preliminary agenda.

And don’t forget CeBIT (1-5 March 2011). This year G Data will take an active part in the very famous CeBIT Global Conferences in Hannover. Dr. Dirk Hochstrate will attend the IT-Security panel on Wednesday, 2 March. At the Global Conferences only the top spokesmen of the IT branch are invited to discuss new trends and their visions for the future. At the same time you can go to our English press conference, where you will see me in front of the room.

I will give you more info about our upcoming CeBIT events soon.


The real problem behind the hacking of celebrities’ Facebook fan pages and accounts, like those of Mark Zuckerberg and Sarkozy

Last Sunday night, it appeared the French premier was abandoning his plans to run for re-election in 2012, at least that’s what you could read on his Facebook page. The fact is that they weren’t Sarkozy’s words. If you looked very carefully you could see some misspellings and missing accents within the message, which stated in French: “Dear compatriots, given the exceptional circumstances our country is experiencing, I have decided in my spirit and conscience not to run for office again at the end of my mandate in 2012.” Of course the message was not his own but came from the hacker.

But it seems that he was not the only one recently affected as we saw another strange message earlier today on Facebook CEO Mark Zuckerberg’s fan page.



New interesting moves from AMTSO during the last meeting in Munich, Germany

This is a copy from the original posting at the G Data Security Blog.

G Data is one of the members of AMTSO (www.amtso.org), an organisation currently comprised of 37 members, representing testers, vendors, academics and publishers involved in anti-malware research. Last week I was at the last AMTSO members’ meeting which was held in Munich. As always, a lot of work was done during the workshops.

First of all, some guidelines about testing for false positives (FP) were adopted. The false positive issue is a common problem, and the security industry dedicates a lot of resources to ensuring the highest quality and to reducing false positives as far as possible. We welcome the new joint guidelines related to testing of false positives, and we hope that in the light provided by these new guidelines, the FPs from all security products will be assessed much more fairly. The new documents can be found at www.amtso.org/documents.html.



A critical look at the major takedown of BredoLab by the Dutch High Tech Crime Unit: More International Cybercrime laws needed!

Yesterday, 25 October 2010, the Dutch High Tech Crime Unit of the KLPD announced a major takedown of a large botnet, known as Bredolab.

You can find more, and a copy of this blog entry, at the original G Data posting page.

Bredolab is a big family of polymorphic Trojans and has been thought to install parts of the Cutwail botnet in the past. The botnet has spread through drive-by downloads and email. Bredolab is known for sending out large email spam campaigns and for installing fake security products. The Dutch company LeaseWeb was hosting this botnet without their knowledge. After the company was informed about this fact, they gave full cooperation to the authorities to take the botnet down.

Even though this was the largest operation against cyber crime in the Netherlands so far, it was not unique. It has been done in several other countries before, like the US and Spain, and even in the Netherlands. The striking point is how things will be handled from here. The High Tech Crime unit will use the existing botnet infrastructure to send a program to all infected machines, showing them a warning: “Users of computers with viruses from this network will receive a notice at the time of next login with information on the degree of infection.” This screen is shown in a video. Click the following direct link to see it: http://teamhightechcrime.nationale-recherche.nl/nl_infected.php



New website and the start of my world tour

You have possibly already found out by now that I refurbished my personal website; otherwise you wouldn’t be reading this.
I really hope you like the new look of this site, which took us several weeks to come up with. It was really necessary after a long period of silence, I think.

With this new look I’m also starting my world tour, during which I will sometimes attend conferences and sometimes speak at these events.

Having just finished G Data’s press tour in the Benelux, I’m ready for the next events:

  • BruCon Conference: Brussels, Belgium (attending)
  • Virus Bulletin Conference: Vancouver, Canada (speaking together with Righard Zwienenberg (Norman) about internal attacks and problems in the cloud)
  • Infosecurity NL: Utrecht, The Netherlands (attending)
  • AAVAR Conference: Bali (speaking together with David Harley (Eset) and Lysa Myers (Westcoast Labs) about product evaluation and malware simulation)
  • G Data Japan Press Tour: Tokyo (speaking)

And this is just the beginning … more trips are being planned even as I write this piece.

One trip could be very interesting, but it’s still undecided whether I will participate … stay tuned, as I could meet some VIPs of the world. ;-)


Could the DLL-hijacking problem be underestimated?

This is a small copy of the official G Data Blog
Find the full and official version at www.gdatasoftware.com

Last week, HD Moore released details about a serious DLL loading problem under Windows. HD Moore is known as the developer of the Metasploit framework.

After a week, Microsoft released more information, discussing bad practices in DLL loading that could lead to remote exploitation, which is the main source of this problem. They have recently released tools which can help mitigate the risk. But the real and possibly best solution is for developers to patch their applications to follow best practices.

There is little that can be done by those of us in the security community, or by Microsoft for that matter, as many applications are designed in a way that relies on this behaviour, and it could take many weeks or months for application developers to release better designed programs and encourage users to update to these new versions. Some of the programs will be updated automatically, some of them won’t. The mitigations Microsoft is offering do work, but they could make several programs unusable and break their backward compatibility.



The Microsoft LNK / USB worm / rootkit ‘issue’ will kill WIN XP SP2 and WIN2000 earlier…

Just recently, reports were released about a new kind of malware propagating through removable drives. The malware exploits a newly discovered vulnerability in shortcut files, which allows arbitrary code to be executed on the user’s system. Microsoft has officially acknowledged the vulnerability and released a security advisory.

The malware some of the AV industry detects as Win32/Stuxnet, unfortunately, is a worm (and rootkit) of a slightly different colour. It propagates by making use of a 0-day vulnerability described here and also listed by CVE as CVE-2010-2568.
The biggest problem is that Windows (specifically, the Windows Shell) can be tricked into executing malicious code presented in a specially crafted shortcut (.LNK) file linking, in turn, to a malicious DLL (Dynamic Link Library).

The problem lies in the way the Windows Shell fails to parse the shortcut correctly when it loads its icon: it isn’t necessary to click the icon for the malicious code to be executed! The code runs without any action on the part of the user as soon as the folder is opened to access whatever legitimate files are on the device.
