[VIM] Department of Homeland Security website hacked! (fwd)

security curmudgeon jericho at attrition.org
Tue Apr 29 08:49:05 UTC 2008


Be curious to search Google for the string and try to determine how many 
of these sites were vulnerable, but NOT running custom-built sites, rather 
running COTS that happen to be vulnerable.

---------- Forwarded message ----------
From: InfoSec News <alerts at infosecnews.org>

http://www.theregister.co.uk/2008/04/25/mass_web_attack_grows/

By Dan Goodin
The Register
25th April 2008

The sophisticated mass infection that's injecting attack code into 
hundreds of thousands of reputable web pages is growing and even 
infiltrated the website of the Department of Homeland Security.

While so-called SQL injections are nothing new, this latest attack, which 
we reported earlier, is notable for its ability to infect huge numbers 
of pages using only a single string of text. At time of writing, Google 
searches here, here and here showed almost 520,000 pages containing the 
infection string, though the exact number changes almost constantly. As 
the screenshot below shows, even the DHS, which is responsible for 
protecting US infrastructure against cyber attacks, wasn't immune. Other 
hacked sites include those belonging to the United Nations and the UK 
Civil Service.

The attack causes infected sites to redirect visitors to destinations that 
attempt to install malware on vulnerable machines. At time of writing, the 
malicious payloads attacked vulnerabilities that already have been 
patched. And in any case all three of the redirection sites were down, 
possibly because they were unable to handle the demand. But should the 
attackers get their hands on a newer exploit - say, one targeting a 
zero-day vulnerability in QuickTime - it would be relatively easy for them 
to swap out the payload.

One reason the infection has spread so widely is the attackers have 
managed to find a single attack string that seems to work on tens of 
thousands of different sites. Most web applications are custom-built for 
a particular site, so attackers likewise have to custom design attack 
parameters to exploit weaknesses. Not so here.

"These guys look like they've found a methodology to get a successful SQL 
injection generically across [many] websites," said Jeremiah Grossman, CTO 
of WhiteHat Security, which helps companies secure web applications. "That 
right there is like a skeleton key."

[..]
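Added here as an editor's example, not code from the forwarded article or the list post: a defender's check that walks every text column of every table in a content database looking for the kind of injected remote <script> tag the article describes, and reports which rows and external hosts are involved. The tables, rows and the host name malware-host.invalid are constructed sample data; the inserts use parameterized queries, which is the pattern the affected sites lacked.

```python
import re
import sqlite3

# An injected remote script tag: <script ... src="http://host/..."> or src=//host/...
# Captures the external host so affected rows can be grouped by redirect target.
INJECTED_SCRIPT = re.compile(
    r'<script[^>]+src\s*=\s*["\']?(?:https?:)?//([^"\'/\s>]+)', re.I)


def build_sample_db():
    """Constructed sample: a small content DB in which two cells were tampered with."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
        CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, text TEXT);
    """)
    # Parameterized inserts: user-supplied values never become part of the SQL text.
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", [
        ("Welcome", "<p>Plain page content.</p>"),
        ("Budget", '<p>Figures.</p><script src="http://malware-host.invalid/b.js"></script>'),
    ])
    conn.executemany("INSERT INTO comments (author, text) VALUES (?, ?)", [
        ("alice", "Nice article"),
        ("bob<script src=//malware-host.invalid/b.js></script>", "Spam"),
    ])
    return conn


def find_injected_rows(conn):
    """Return (table, column, rowid, host) for every string cell carrying a remote
    <script src=...> tag. All user tables and all columns are checked, because a
    generic injection lands in whatever text columns the schema happens to have."""
    hits = []
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name NOT LIKE 'sqlite_%'")]
    for table in tables:
        qtable = '"' + table.replace('"', '""') + '"'
        cols = [r[1] for r in conn.execute(f"PRAGMA table_info({qtable})")]
        for col in cols:
            qcol = '"' + col.replace('"', '""') + '"'
            for rowid, value in conn.execute(f"SELECT rowid, {qcol} FROM {qtable}"):
                if not isinstance(value, str):
                    continue  # only text cells can hold injected markup
                for m in INJECTED_SCRIPT.finditer(value):
                    hits.append((table, col, rowid, m.group(1).lower()))
    return hits


def injected_hosts(hits):
    """Distinct external hosts referenced by the injected tags, for blocking and takedown."""
    return sorted({h[3] for h in hits})
```

Run against a copy of the production database, not the live one, and treat every reported host as an indicator to block at the web proxy while the affected rows are cleaned.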
