Monday, May 26, 2008

Yet Another Massive SQL Injection Spotted in the Wild

Another SQL injection attack was spotted in the wild during the last couple of hours, and while it remains active, surprisingly, the malicious domain is not in fast-flux. As I've already pointed out, the SQL injection attacks of the next couple of months will be primarily executed by copycats, where one of the few differentiation factors left is increasing the survivability of the domain.

In this particular attack, the injected domain chliyi.com /reg.js loads an iFrame to chliyi.com /img/info.htm, where a VBS script attempts to execute by exploiting the MDAC ActiveX code execution vulnerability (CVE-2006-0003). Its detection rate is 1/32 (3.13%), and it is detected as Mal/Psyme-A. Approximately 8,900 sites have been affected.
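A defender-side check for the pattern described above, as an added example that is not part of the original post: it walks text pulled from database columns and reports script or iframe tags that load from hosts outside an allowlist. The allowlist, the row labels and the injected.example host are constructed stand-ins.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the only hosts this site legitimately loads scripts/frames from.
ALLOWED_HOSTS = {"www.shop.example", "cdn.shop.example"}

# Constructed sample: text columns as they might look after a mass injection.
# injected.example stands in for the attacker's domain.
ROWS = {
    "products.title#17": "Blue widget<script src=http://injected.example/reg.js></script>",
    "products.descr#17": '<p>Sturdy.</p><script src="/js/zoom.js"></script>',
    "news.body#4": '<iframe src="//cdn.shop.example/video.html"></iframe>',
    "news.title#5": 'Sale"></title><SCRIPT SRC=//injected.example/reg.js></SCRIPT>',
}


class ExternalLoadFinder(HTMLParser):
    """Records script/iframe tags whose src points at a non-allowlisted host."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names for us.
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src") or ""
        host = urlparse(src.strip()).hostname  # None for relative URLs
        if host and host not in ALLOWED_HOSTS:
            self.found.append((tag, host))


def scan_rows(rows):
    """Return (row label, tag, host) for every foreign script/iframe found."""
    hits = []
    for label, value in rows.items():
        finder = ExternalLoadFinder()
        finder.feed(value)
        finder.close()
        hits.extend((label, tag, host) for tag, host in finder.found)
    return hits


if __name__ == "__main__":
    for hit in scan_rows(ROWS):
        print("suspicious load:", hit)
```

Run against an export of the site's text columns, any hit in a field that should never contain markup (a title, a name) points at the rows that need cleaning and at the query parameter that needs fixing.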

Web 2.0 Privacy and Security Workshop - Papers Released

Last week, the 2008 W2SP workshop, held in Oakland, California and sponsored by the IEEE Symposium on Security and Privacy, made available all the papers from the workshop, including catchy titles such as:

- input type="password" must die!
- Web Authentication by Email Address
- Beware of Finer-Grained Origins
- On the Design of a Web Browser: Lessons learned from Operating Systems
- Analysis of Hypertext Markup Isolation Techniques for XSS Prevention
- Privacy Protection for Social Networking Platforms
- (Under)mining Privacy in Social Networks
- Building Secure Mashups
- Web-key: Mashing with Permission
- Private Use of Untrusted Web Servers via Opportunistic Encryption
- Evidence-Based Access Control for Ubiquitous Web Services
- Privacy Preserving History Mining for Web Browsers
- Towards Privacy Propagation in the Social Web

Information is not free, it just wants to be free.

A Review of Hakin9 IT Security Magazine

A new issue of the Hakin9 - Hard Core IT Security Magazine is "in the wild", and since the editorial staff has been kind enough to provide me with issues of the magazine for a while now, in this post I'll review the latest issue with the idea that constructive confrontation leads to the best output achievable.

There are many different ways to review a magazine. However, I always stick to the following critical success factors for a quality magazine:

- The presence of a vision
While a vision is often taken for granted, or even worse, a mission gets misunderstood for a vision, in Hakin9's case the vision could be perhaps best rephrased as "Spoiling the geeks who beg for a nerdy talk to them".

- Content quality
The magazine truly delivers what it promises, namely, hardcore content in sections such as tools review, basics, attack, defense, book reviews, consumers test, and interviews. And whereas the key topic in this issue is LDAP cracking, I really enjoyed the JavaScript obfuscation article, with the practical examples provided. A bit ironically, the issue also reviews a commercial source code obfuscator, which, just like the legitimate anti-piracy tools used by malware authors to make their binaries harder to analyze, can also be abused for malicious purposes.

- Relevance of information
The information provided in the articles is highly relevant and timely, lacking any retrospective approaches and focusing on current and emerging threats only. The same goes for the extensive external resources provided, emphasizing the importance of self-education.

- Layout
Very well structured, and so far I haven't come across an article where the images weren't placed the way they should be; for instance, the figures mentioned on a certain page are the same figures available on that page. Three differentiation points make a very good impression: the level of difficulty of the article, what you should know before reading it in order to understand it, and what you will know after reading it, which you can find at the end of every article.

- Visual materials
The surplus of visual materials is perhaps what won me over as a reader from the first moment. In fact, the issues are so rich in visual material illustrating the topics covered in such detail that you can actually take entire sniffing and JavaScript obfuscation sessions offline with you, and never ever have to picture the output of a certain process in your mind again.

- Ads
Highly targeted and primarily security related, and best of all, very well spread across the magazine, so you're exposed to more content than ads.

Overall, the magazine successfully delivers what it promises to deliver - hardcore technical content from the geeks, for the geeks. Informative reading!

How Does a Botnet with 100k Infected PCs Look Like?

Digitally ugly for sure. The point is that this malware campaign has been spreading pretty rapidly over MSN and AIM recently, and is infecting new hosts so efficiently that going through the chat logs indicates the botnet master's will to stop spreading it, as there are simply too many hosts getting infected, faster than he had anticipated in the first place. Ironic, but a perfect example of what happens once the entry barriers into a certain market segment of the IT underground have been lowered to the stage where it's not about having the capabilities, but the motive to embrace the success rate, as in this case.

Botnet masters are also masters of social engineering. Apparently, the success rate for this campaign is so high due to its social engineering tactic, which in this case is to establish as many touch points with the potential victim as possible, and also to entice clicking on a .php file, commonly accepted as harmless, followed by the victim's username in a username@hotmail.com fashion.

What you see is not always what you get, especially with more and more droppers requesting other malware with image file extensions, which gets saved locally in its real nature, %Windir%\Media\System.exe for instance.
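One way to catch the mismatch described above at a proxy or gateway, as an added example that is not part of the original post: compare the image extension in the requested URL with the leading bytes of the response body. It goes slightly beyond the executable case and flags any image-named download whose content is not the claimed image type; the URLs and byte strings are constructed.

```python
import posixpath
from urllib.parse import urlparse

# Leading bytes of the file types we care about (a 2-byte "MZ" check is a
# coarse first-pass signal for a Windows executable, not a full PE parse).
MAGIC = [
    (b"MZ", "pe"),
    (b"\xff\xd8\xff", "jpeg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\x89PNG\r\n\x1a\n", "png"),
]
IMAGE_EXT = {".jpg": "jpeg", ".jpeg": "jpeg", ".gif": "gif", ".png": "png"}

# Constructed sample: (requested URL, first bytes of the response body).
DOWNLOADS = [
    ("http://files.example/img/logo.gif", b"GIF89a\x01\x00\x01\x00"),
    ("http://files.example/pics/photo.jpg?id=3", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://files.example/setup.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("http://files.example/banner.PNG", b"<html><body>"),
]


def sniff(head):
    """Classify a body by its leading bytes."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def mismatches(downloads):
    """Return (url, claimed type, sniffed type) for image-named non-images."""
    flagged = []
    for url, head in downloads:
        ext = posixpath.splitext(urlparse(url).path)[1].lower()
        claimed = IMAGE_EXT.get(ext)
        if claimed is None:
            continue  # not requested under an image extension
        actual = sniff(head)
        if actual != claimed:
            flagged.append((url, claimed, actual))
    return flagged


if __name__ == "__main__":
    for url, claimed, actual in mismatches(DOWNLOADS):
        print(f"{url}: named as {claimed}, content is {actual}")
```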