Adobe Sites Hit by Malware
By Richard Adhikari
October 17, 2008

Just weeks after a BusinessWeek Web site was hit by an SQL injection "I can confirm that the Adobe sites were affected," Richard Wang, manager of the US offices of security vendor Sophos Laboratories, told InternetNews.com. Sophos discovered the compromised sites.
Adobe did not respond to requests for comment by press time. Wang said that after Sophos contacted Adobe, the software company said issues at both of its Web sites had been cleaned up, a statement Sophos confirmed in a follow-up check that found them "clean" and no longer at risk.
Security experts told InternetNews.com that the increasing use of Web 2.0 capabilities is making such attacks commonplace, and that hackers are tweaking their tools to better hone their attacks.
SQL injection is a technique that exploits a security vulnerability occurring in the database layer of an application. That vulnerability occurs when user input is either incorrectly filtered or not strongly typed, meaning that there are weak or no restrictions on how operations with values having different data types can be mixed.
One of the Adobe (NASDAQ: ADBE) Web sites infected was its Vlog It support section, an area providing tips for video bloggers. Sophos today notified users about this.
The other infected Adobe site Sophos discovered is Serious Magic. Adobe acquired Serious Magic, which produces high-quality video and communication software, in October 2006.
The shadow of Asprox
The Vlog It site was affected by malware known as Mal/Badsrc-C. It was delivered by a botnet. Botnets are networks of hijacked computers used to send malware. American authorities take the issue of botnet creation seriously, and a federal grand jury recently charged Brazilian Leni de Abreu Neto for his alleged involvement in a botnet ring.
Security vendors have been watching the Asprox botnet closely because "we've seen the Asprox botnet changing," Ryan Barnett, director of application security at Web security vendor Breach Security, told InternetNews.com. "When it came out, it targeted Microsoft-based Websites, with asp or asp.net on the front and Microsoft SQL Server on the back end."
Now, "it doesn't really matter what the front end Web technology is -- PHP, Java, as long as you have a Microsoft (NASDAQ: MSFT) back end database with user permissions that are too wide and SQL query constructions that are not set up properly, you can get infected," Barnett said.
Attacks on Microsoft-based Web sites with asp or asp.net were so common at one time that Microsoft issued an advisory on this in June. The problem, Microsoft said in the advisory, was with sites that "do not follow secure coding practices for accessing and manipulating data stored in a relational database."
"SQL injections are a huge problem, and they need to be addressed at the Web and database layers, and you need to encode the outbound data properly," Barnett said. "Then there's cross site scripting where the bad guys inject JavaScript

Together, SQL injections and cross site scripting account for "about 60 percent" of all Web site attacks, Dave Marcus, director of security research and communications at security vendor McAfee, told InternetNews.com. "They're usually Number One and Number Two," he added.
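The definition of SQL injection given earlier and Barnett's advice to address it at the Web and database layers and encode outbound data, worked through as an added example that is not from the article or from any vendor quoted in it. It assumes an in-memory SQLite database in place of a Microsoft SQL Server back end; the table, rows and function names are constructed for illustration.

```python
import html
import sqlite3


def make_db():
    """Constructed sample data standing in for a site's content database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE tips (id INTEGER PRIMARY KEY, title TEXT, published INTEGER)")
    db.executemany("INSERT INTO tips VALUES (?, ?, ?)", [
        (1, "Lighting basics", 1),
        (2, "Draft: unreleased tip", 0),
        # Constructed row: stored content that already carries script markup.
        (3, "Audio <script src=//example.invalid/x.js></script>", 1),
    ])
    return db


def titles_vulnerable(db, tip_id):
    # Weak form: the request value is concatenated into the SQL text, so the
    # database parses it as SQL. Nothing enforces that tip_id is a number.
    sql = "SELECT title FROM tips WHERE published = 1 AND id = " + tip_id
    return [row[0] for row in db.execute(sql)]


def titles_hardened(db, tip_id):
    # Web layer: enforce the expected type before the value goes any further.
    try:
        tip_id = int(tip_id)
    except (TypeError, ValueError):
        raise ValueError("tip id must be an integer") from None
    # Database layer: bind the value as a parameter; it is data, never SQL.
    rows = db.execute(
        "SELECT title FROM tips WHERE published = 1 AND id = ?", (tip_id,))
    # Outbound data: HTML-encode so stored markup renders as inert text.
    return [html.escape(row[0]) for row in rows]


if __name__ == "__main__":
    db = make_db()
    crafted = "2 OR 1=1"  # constructed input: a condition where a number is expected
    print(titles_vulnerable(db, crafted))   # every row, including the unpublished draft
    print(titles_hardened(db, "3"))         # one row, markup encoded
    try:
        titles_hardened(db, crafted)
    except ValueError as exc:
        print("rejected:", exc)
```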
Adobe is "not alone" in having vulnerable Web sites, and these flawed sites are found quickly because "hackers are using automated tools to scan Google (NASDAQ: GOOG) for pages vulnerable to injection commands," Marcus said. When a page is found, it is automatically infected, he added.
That kind of automated search is possible "because it's a by-product of the fact that it's a Web 2.0 world out there, which means there's lots of cross site scripting and SQL back ends," Marcus said.
He said that anyone setting up a public-facing Web site must "look at code and application auditing" because, otherwise, "you'll get owned and your site will be used to distribute malware."