I took the latest list from ShadowServer (as at 23 May 2008), and did a comparison of SA infected pages to globally infected pages. I used a lame google search for these, but it shows some interesting results. You can see where the focus on the 'well known' domains paid off, and the new injections haven't been cleaned up yet. There is a serious case of missing root cause analyses here. Still some large SA sites infected, but mainly Gov, Property and Storm telecoms sites now.

I now count approximately 1.5million infected sites based on the updated list of domains at ShadowServer. SA infected pages are now up to 1 340, although this varies wildly based on the Google DC queried. Some large SA sites are still being re-infected.

There's also a new consequence. Instead of just silently infecting your users with malware, which is hard to spot. Google is now blocking access to some of the sites, along with Firefox if you have the safe browsing lists enabled. If reputation doesn't drive action, falling ad revenues should.

Check out the comments on the last entry. Roberto spent some time responding, and re-responding. Makes for some interesting reading.

Last week, Roberto Preatoni, founder of WabiSabiLabi, the exploit eBay, gave a talk at the ITWeb Security Conference about his creation. I really wanted to ask a question, but there was no time. At the end of his talk, when asked who agrees that WabiSabiLabi is a good idea (i.e. creating a market place for vulnerabilities and exploits to be freely sold and traded, like eBay) like Roberto, I was surprised to see so many hands go up as the general info sec community has reacted quite harshly to the idea. A possible explanation based on my experience is that many ITWeb attendees are not 'hardcore' security people, and haven't been following the disclosure argument over the last decade. Then, given only Roberto's talk, chose to agree with him due to a lack of any exposure to rebuttal. When asked who disagrees, I was the only one who put their hand up.

So, here's why.

Debian released a patch to OpenSSL based on a Debian-specific bug resulting in random numbers being used for the secret parts of key generation not being so random (due to the random number generater not being seeded). Quoting from the mailing list announcement:

Affected keys include SSH keys, OpenVPN keys, DNSSEC keys, and key material for use in X.509 certificates and session keys used in SSL/TLS connections [generated after 2006-09-17]. Keys generated with GnuPG or GNUTLS are not affected, though.

Ubuntu has also released a security announcement stating they too are affected (which likely means other Debian based distros are too, like the Xandros on your Asus EEE PC). In their words:

We consider this an extremely serious vulnerability, and urge all users to act immediately to secure their systems.

In our instance we needed to regenerate several SSH host keys. For ease of use, here are instructions for doing so. Please not these instructions are superceeded by the instructions which will be posted here (but aren't yet).

So, the SQL injections of last month are still going and on the increase. At last check (11am SAST) Google's index had 1 070 000 infected pages. Not all of these are from the same source, or load the same malware. However, they have the same basic principle:

generic SQL injection -> Javascript -> infect visitors

Several of the sites in South Africa I've been watching have been re-infected. I spoke to several of the admins, but it seems they are just restoring from backup and not fixing the root cause. The domains currently being injected and containing the malicious Javascript are:

• nihaorr1.com
• 2117966.net
• aspder.com
• haoliuliang.net
• nmidahena.com
• free.hostpinoy.info
• xprmn4u.info
• winzipices.cn
• wowgm1.cn
• killwow1.cn
• wowyeye.cn

Although, new ones are coming to my attention fairly quickly at the moment. For example, wowgm1.cn was re-injected over winzipices.cn on a few pages. The 'wow' range seem to be related, as they are re-infecting pages with a new URL. On the point of re-injections, it seems some are overwriting each other in funny ways, for example, the following was found on one page (*'s added):

<script src=http://www.2<script src=h**p://www.2117966.net/f*ckjp.js></script>

It bother's me that the security industry (particularly in SA) doesn't seem to have cottoned on to this as a widespread pervasive attack. Shadowserver (one, two) seems to be the only ones getting close to the problem, but even SANS is treating these as seperate events. There is only basic protection at the moment, if you click through from some of these sites (10%?) in Google, you will get a Malware warning. Continuing to the site anyway prevents me due to Firefox's security setting (which shares the same list from Google, i.e. stopbadware.org).

Given how successfull the exploitation of such an 'old' vulnerability, it is likely we are only going to see more (and better executed) versions of this in the next few months (years?). Hitting over a million pages with a pretty lame attack, that only targets Microsoft SQL is fairly impressive. If they just modified their SQL to work on MySQL or Postgres I'm sure we would seem more than a million more hit. It is interesting to note that it has taken this long from someone to try and 'monetise' SQL injections, as it has been around for a while (8 years?). My guess is that it will take less time for bad guys to do the same with XSS & CSRF, but that Microsoft's default request validation will save some of us, but not because dev's have cottoned on.