July 2008

Bad Behavior

This month, we’re highlighting SQL injection attacks, an emerging tactic that is becoming increasingly popular among hackers. We’ve seen a recent rise in mass attacks and all signs point to the fact that we’re likely to see more to come. Find out what you need to know in order to stay safe as you surf.

Understanding the Threat
SQL, which stands for Structured Query Language, is a database computer language for retrieving data and managing database systems. Nearly all websites that host personal or product data rely on a database to manage information; this includes social networking, e-commerce, and online banking sites.

An SQL injection is a web attack technique used by hackers to compromise servers. Unknown to the website’s host, the hacker can insert malicious code, infecting any visitors to the site. To put it in simple terms, compromised material on legitimate websites is being used as a means to infect users with malicious content.

This method is one to watch for as an attack on a single, popular server is capable of serving the hacker’s content to millions of visitors. Attacks on websites may be increasing because of the ease at which cyber thieves can carry them off; the scammers need only scan the sites for coding flaws and then redirect the web viewer to a malware source.

The threat level posed by SQL attacks has recently been underscored by the trusted Sans Institute, which listed Web application security exploits, like SQL injections, as one of this year’s top emerging attack patterns.

“Until 2007 few criminals attacked these vulnerable sites because other attack vectors were more likely to lead to an advantage in unauthorized economic or information access.  Increasingly, however, advances in XSS and other attacks have demonstrated that criminals looking for financial gain can exploit vulnerabilities resulting from web programming errors as new ways of penetrating important organizations,” according to the Sans Institute’s Top Ten Cyber Security Menaces for 2008 report.

The Bad Behavior
As forecasted, we have seen a growing trend in recent months – an increase in indirect attacks carried out though compromised websites. Hundreds of thousands of websites, some of them brand name and well-known sites, have been injected and are now unknowingly serving up malware. 

How do you get infected? To carry out this type of attack, hackers take advantage of incorrectly coded web applications by injecting SQL commands. Vulnerable web pages are compromised and installed with code that redirects visitors to a malicious website or malicious content.

In one of the most recent attacks reported at the Lavasoft Research blog, Lavasoft researchers discovered that Walmart.com was serving up malware via JavaScript. Framedart.walmart.com was injected with a malicious URL that automatically downloaded malware to unsuspecting visitors’ computers.

Winning Strategies
As is the case with countering most online threats, it’s always best to practice caution while online. But safe surfing may not be enough to combat this technique because attacks are often carried out on legitimate and trusted sites.

Here are a few winning strategies to help prevent infection:

  • Be leery of links from unknown origin.
  • Patch your operating system and other applications.
  • Use up-to-date, real-time anti-spyware and anti-virus protection, along with a firewall.
  • Consider turning off or blocking JavaScript. Keep in mind that some sites may require JavasScript to function properly. Take advantage of browser plug-ins, for example, the “NoScript” plug-in for Mozilla Firefox which can block JavaScript exploits from automatically running if you visit a compromised website.

78Percentage of teens between the ages of 12 and 17 who use the Internet. More than half of online kids 61 percent use the Internet on a daily basis.
Source: Pew Internet and American Life Project

Is a slow PC bogging you down? Read our tips to get started on creating and maintaining a healthy computer.
Find out what Softpedia’s editors are saying about Ad-Aware 2008. Browse the highlights of our latest review on the Lavasoft blog.
Forward to a Friend
Pass on the news, tips and offers in this issue – e-mail Lavasoft News to a friend.

Lavasoft AB Lilla Bommen 1, 411 04 Gothenburg, Sweden | www.lavasoft.com | editor@lavasoft.com