Unixronin
Wednesday, April 30th, 2008 10:26 am

SecurityWire reports on a massive-scale Chinese hacking campaign that has targeted hundreds of thousands of sites over the past ten days, exploiting weak ASP and PHP code to compromise MS SQL Server back-ends via complex SQL injection attacks.

The attackers are using simple search engine queries to find massive lists of ASP or PHP sites, for example, to determine injection parameters and then automating their attacks.  They are taking advantage of functionality in Microsoft's SQL Server database server that enables multiple SQL statements to be sent in the same HTTP expression.  Other databases such as MySQL or Postgres don't support this functionality.

[...]

The attack is a complicated SQL injection, said Jeremiah Grossman, a Web application security expert and chief technology officer of White Hat Security. Grossman said the injection is nearly a paragraph in size, and fully encoded, enabling it to elude intrusion detection systems. Part of it contains Chinese characters and a leet-treatment of the Chinese word for hello, ni hao (n1 ha0).

The SQL Injection exploit loops through database tables loading in malicious JavaScript everywhere it can, Grossman said, and ultimately infects browsers with malware via a Web page iFrame which loads content such as Trojans, from different hacker sites.

Grossman said he knows of one site loading a Trojan trying to steal World of Warcraft passwords.  But, the real danger is that essentially these sites have been backdoored, and the payloads can be swapped out at any time.

"They're blindly tossing SQL injections at sites and getting a high success rate.  They're upping the game," Grossman said.  "This is a new level of sophistication."
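As an added example (not from the post or the SecurityWire report), here is the defender-side check the story implies: walk every text column of every table and report cells that carry an injected script or iframe tag. It uses an in-memory SQLite database with constructed tables so it runs stand-alone, whereas the real targets were MS SQL Server back-ends; the table and column names and the marker URL are assumptions.

```python
import re
import sqlite3

# Constructed marker standing in for the injected tag; the URL is a placeholder.
INJECTED = '<script src="http://example.invalid/x.js"></script>'

# Anything that looks like a script or iframe tag in stored text is suspicious.
MARKERS = re.compile(r'<\s*(script|iframe)\b', re.IGNORECASE)


def build_sample_db():
    """Constructed sample back-end (assumed schema) with two tainted cells."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE news(id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE products(sku TEXT, description TEXT, price REAL);
    """)
    conn.executemany("INSERT INTO news(title, body) VALUES (?, ?)", [
        ("Welcome", "Plain text, nothing wrong here."),
        ("Outage notice", "Server maintenance tonight." + INJECTED),
    ])
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", [
        ("A1", "Widget" + INJECTED, 9.99),
        ("B2", "Gadget", 19.99),
    ])
    return conn


def text_columns(conn):
    """Yield (table, column) for every text-typed column in every user table."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' "
        "AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        # PRAGMA table_info rows: cid, name, type, notnull, dflt_value, pk
        for _, name, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            ct = ctype.upper()
            if "CHAR" in ct or "TEXT" in ct or ct == "":
                yield table, name


def find_injected(conn):
    """Return [(table, column, rowid)] for every cell holding a script/iframe tag."""
    hits = []
    for table, col in text_columns(conn):
        for rowid, value in conn.execute(f'SELECT rowid, "{col}" FROM "{table}"'):
            if isinstance(value, str) and MARKERS.search(value):
                hits.append((table, col, rowid))
    return hits
```

Against a real server the same walk runs over the catalog views (sys.tables and sys.columns on SQL Server) instead of sqlite_master, and a hit list is what you diff against a known-good backup before deciding whether to restore.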

Wednesday, April 30th, 2008 05:20 pm (UTC)
The real problem is that you can't tell if your site is compromised until it is too late. You can row-by-row examine every record in every table, or you can restore from backup. (The real solution is to get off of MS SQL Server, but who is going to do that?)

I am disturbed that so much digital warfare is coming from China. With the controls that the government has on internet data, it is not credible to think they are not aware of it.
Wednesday, April 30th, 2008 06:10 pm (UTC)
not just aware of it, they seem to be sponsoring a great deal of it.
Wednesday, April 30th, 2008 06:20 pm (UTC)
Hmmm ...... "info-privateering"
Thursday, May 1st, 2008 04:33 am (UTC)
pretty much, i think.
Wednesday, April 30th, 2008 10:37 pm (UTC)
That is a conclusion I am not yet prepared to make. It certainly sounds true to me, but I am not sure I could prove it.

I am trying to see it from China's perspective. If they persist in hostile activities on the internet from Chinese connections, will the rest of the world shut down internet to China? That would get rid of lots of negative publicity and awkward sites that they need to police and block. I just don't see a downside from their perspective.
Thursday, May 1st, 2008 01:49 am (UTC)
No more wire transfers of money? No more free intelligence gathering?
Thursday, May 1st, 2008 03:08 am (UTC)
Banks have always had secure communications channels. There is still dark fiber to China. Banks will get money accounted for. (For a price...)

What China is doing goes way beyond intel. Perhaps we just don't hear about cracks to sensitive sites. Access to internet through a local country, where they have influence, is just not that hard. They won't lose access to the internet. Their current intelligence efforts are not free. I don't see them losing anything.
Thursday, May 1st, 2008 04:30 am (UTC)
i've read in reputable news sources that they offer all kinds of awards and training for hackers. via schneier, i think, possibly others as well. i wouldn't be surprised at all if that's the tip of the iceberg considering how much the feds have had to repel from that part of the world over the past few years.

and, yeah, i can't see much reason for them not to, particularly if they maintain at least a margin of deniability....
Thursday, May 1st, 2008 11:33 pm (UTC)
That might explain the flood of spam that has suddenly started getting through the company filters, here. And I know that at least one of our company servers has been compromised and made part of a bot-net, because I am on a mailing list that theoretically goes only to privileged users of a certain database, since it has company-confidential info, and it's suddenly sending out notices of bounced emails. I wonder if you can do industrial espionage via brute force: harvest 'em all and sort it out later.
Friday, May 2nd, 2008 12:09 am (UTC)
And I know that at least one of our company servers has been compromised and made part of a bot-net
Wonderful. Have you tried to inform IT? Do they listen?
Friday, May 2nd, 2008 12:14 am (UTC)
Oh, that's the great part. No one seems concerned about it. Or knows who is responsible for that server. Just lots of buck-passing. I've given up.
Friday, May 2nd, 2008 01:39 am (UTC)
Wonderful. Can you say "part of the problem"?
Monday, May 5th, 2008 03:10 am (UTC)
I just love that "blindly tossing SQL injections at sites" is "a new level of sophistication."
Monday, May 5th, 2008 10:43 am (UTC)
Yeah, I suspect that doesn't come out quite as intended. What's meant, I suspect, is that rather than a SQL injection attack to gain elevated privileges which are then exploited by further manual steps, they've developed Javascript exploits that they can just "blindly toss" into the system in the almost-certain knowledge that wherever they land, at least some of them will work and be able to compromise the system.