Monday, April 28, 2008

Storming the Storm-Bot

Some German 'researchers' have published information about how they infiltrated the "Storm" botnet and disrupted it by poisoning its traffic (although at first glance it looks more like a denial-of-service).

The story is here: http://www.infoworld.com/article/08/04/25/Researchers-poison-Storm-botnet_1.html?source=NLC-SEC&cgd=2008-04-28

I'd think they'd have to be a bit careful. Monitoring is OK, but actively interfering could be a bit dangerous.

Thursday, April 24, 2008

SQL Injection Attack with Drive-By Infections

A big SQL injection attack against hundreds of thousands of web sites. Many government and commercial sites have been infected with code that will try to install a password-stealing program on your PC just by visiting a web page.

It's not clear if anti-virus programs will catch this one yet.

You can see the extent by doing a web search for "nihaorr1". DO NOT VISIT ANY OF THOSE LINKS! Google search may be filtering the bad sites; it returned only about 48K results. Yahoo search returned over 251K entries. Some are discussions about this vuln, but many are sites that have been infected with the malicious JavaScript.

This one is widespread. Internet Storm Center has info here: http://isc.sans.org/diary.html?storyid=4331. "They have hit city websites, commercial sites and even government websites. This type of injection pretty much null and voids the concept of 'trusted website' or 'safe sites'."

Corporate types should be watching for traffic to that site. I found a few users at the office that may have been affected (and possibly infected).

Be careful out there!

Monday, April 21, 2008

CNN T-Shirts and Oklahoma Criminals

CNN has a new revenue source: t-shirts with CNN headlines. And the State of Oklahoma was letting you get a pile of personal information due to bad programming.

For the t-shirt, create your own URL that looks like this:

http://www.cnn.com/tshirt/?headline=Information%20Security%20knows%20where%20you%20go!&date=1208742566000&hash=e6019d52c9d91cc8eb4e077d85751edc&return_uri=http://www.cnn.com/video/%23/video/world/2008/04/20/thatcher.prince.william.chopper.itn

Just replace the text between the "headline=" and "&date". Space characters are the "%20" values. There seems to be a limit to the number of characters. And it doesn't work without the return_uri value. Paste that new URL into your browser, and you'll get your own T-shirt.

When you change the URL values, you are doing a cross-site scripting attack. I never have liked creating links with parameter values in them. Too easy to hack the values.

Like in this story, where the Oklahoma state database of criminals could easily be hacked to add the name of your choosing to their database. I believe it's been fixed, but one of the stories is here, from the guy that found it: http://thedailywtf.com/Articles/Oklahoma-Leaks-Tens-of-Thousands-of-Social-Security-Numbers,-Other-Sensitive-Data.aspx

As for the CNN T-Shirt page, I don't think it would be too difficult for someone to create their own form page that would have an input field for the T-shirt text, then creates the URL for the CNN t-shirt.
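The edit described above works because the link's hash evidently does not commit to the headline text. As an added example (not CNN's code, and no claim about how their hash was actually computed), here is one way a server can tie a signed URL to its parameters so that a headline swap is rejected; the secret key, the example.invalid host and the field list are assumptions for the demonstration.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Hypothetical server-side secret; in practice loaded from config, never sent to the client.
SECRET_KEY = b"example-server-secret-do-not-reuse"

# Every field the signature must cover, in a fixed order. A field left out of
# this tuple could be changed by the client without invalidating the link.
SIGNED_FIELDS = ("headline", "date", "return_uri")


def sign_params(params: dict) -> str:
    """Hex HMAC-SHA256 over the signed fields, percent-encoded so '&' or '=' in a value is unambiguous."""
    canonical = urlencode([(k, params.get(k, "")) for k in SIGNED_FIELDS])
    return hmac.new(SECRET_KEY, canonical.encode(), hashlib.sha256).hexdigest()


def build_signed_url(base: str, params: dict) -> str:
    """Server side: emit a link whose 'hash' commits to headline, date and return_uri."""
    signed = dict(params)
    signed["hash"] = sign_params(params)
    return base + "?" + urlencode(signed)


def verify_signed_url(url: str) -> bool:
    """Server side: recompute the HMAC from the received query and compare in constant time."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    params = {k: v[0] for k, v in query.items()}
    presented = params.pop("hash", "")
    return hmac.compare_digest(presented, sign_params(params))


def tamper_headline(url: str, new_headline: str) -> str:
    """Client-side edit from the post: replace only the headline, keep hash and everything else."""
    parts = urlsplit(url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["headline"] = [new_headline]
    new_query = urlencode({k: v[0] for k, v in query.items()})
    return urlunsplit((parts.scheme, parts.netloc, parts.path, new_query, parts.fragment))


if __name__ == "__main__":
    original = build_signed_url("https://example.invalid/tshirt/", {
        "headline": "Original headline",
        "date": "1208742566000",          # constructed sample values
        "return_uri": "https://example.invalid/video/",
    })
    forged = tamper_headline(original, "Information Security knows where you go!")
    print("original verifies:", verify_signed_url(original))  # True
    print("tampered verifies:", verify_signed_url(forged))    # False
```

Changing date or return_uri fails the same check, since they are inside SIGNED_FIELDS; a parameter the server never signs stays freely editable, which is the weakness the post describes.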

Monday, April 14, 2008

Wall Street Journal Provides Link to Malware Drive By Site

We've talked before about 'safe computing'. One of the rules is that you stay away from the darker side of the net, and you keep your software current.

Apparently, the folks at the Wall Street Journal's Business Technology blog don't exactly follow those recommendations.

An entry last week had a link to a dark place - a web site where cyber-criminals sell credit card numbers. And they put the entire link there.

Today, they tell us that the site had a 'drive-by', which is malicious code that tries to get installed on your computer just by visiting (browsing to) the page. No pop-ups, no 'install' prompts. Just get to the page, and get your malware infection.

Symantec (which told the WSJ about the malware'd page that was in their link) says that current updates will protect you from the drive-by. Which is a good plug for 'safe computing' practices.

Although the free plug for Symantec's trial software wasn't appropriate, IMHO.

You'll find the whole story here.

But I suspect that there will be more to this story.

Thursday, April 10, 2008

Tax Time Phishing Blues

Here in the US, it's almost time to get those tax forms submitted. Which means that there is an increase in the number of tax phishing emails.

Repeat after me: "The IRS doesn't use email to ask for tax information."

Tuesday, April 1, 2008

I Read It on the Internet So It Must Be True!

Today is the day that you don't want to believe what you read on the Innertubes ... more than usual.

You'll find lots of allegedly humorous pages trying to fool you. And lots of emails that contain links to malware.

So, be careful out there.

Now, please excuse me while I do a backup to my WORN drive (Write Once, Read Never). Can't be too careful.