Many South African Web sites hit by a SQL worm last month are still not safe to visit.
Dino Covotsos, CEO of penetration testing and security company Telspace Systems, says the sites include MNet, MWeb, 702, Highveld, Piggspeak, News24, Private Property and SABC.
"The sites were not infected by a virus, but rather exploited by an automated SQL attack from compromised computers."
He says the worm exploits bad coding techniques in Web pages. "The problem is, if the developers do not fix the core issue, their Web site just gets re-infected, and that is exactly what is happening in the ZA domain space."
The different variations of the worm at the moment do different things, he adds. "Some exploit ActiveX vulnerabilities, while others backdoor computers and send out passwords. The biggest problem is every visitor to the worm-infected site will get infected by the malicious JavaScript."
Covotsos says Telspace Systems contacted several local sites to warn them about the infection when it was first identified, yet most sites are still infected. "Many companies don't realise what the implications of the worm are. Awareness is the key issue.
"This SQL worm has been circulating the Internet for some time now. Our first serious dealings with it were around 15 April, but some say it could have started before that," says Covotsos.
None of the companies have posted warnings on their Web sites to notify visitors of the potential danger.
The right steps
An anonymous spokesman for the SABC confirmed its Web site was infected. "We are dealing with the problem," he says. The team had already identified and neutralised the problem, he adds. "However, they are still trying to identify the source of the problem."
Despite these initiatives, a string search using Google continues to warn users that the SABC's Web site could harm their computers.
A spokesman for Media24 acknowledged its site had also been infected. "The portion of the site that was compromised was based on code that was written four to five years ago. The hackers took advantage of the vulnerability."
While Telspace Systems identified the site in April, the Media24 spokesman says the company only became aware of the infection the week before last. "They [the hackers] went systematically through the Web site and took advantage of the vulnerability," he adds.
He says Media24 has run intrusion tools on the site and has taken steps to ensure the problem does not recur.
However, Covotsos says intrusion tools may not be enough to repair an infected site. "Immediate procedures should be to take the site offline, cleanse the database and source code. Then companies need to figure out where the infection points are and fix those. To reinstall the Web server is also recommended so that clean code can be included on the fresh installation."
In addition, he recommends companies complete a penetration test and vulnerability assessment. "While it may be costly, it's more costly to have your database compromised and to reimburse all your clients for losses."
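The "bad coding technique" Covotsos refers to, and the "cleanse the database" step he recommends, can both be shown concretely. The following is an added example written for this article, not code from Telspace Systems or any of the sites named; it uses a constructed in-memory SQLite table, a placeholder script URL, and invented column names. It shows a lookup that pastes user input straight into the SQL text (any apostrophe in the input reaches the SQL parser, which is exactly the condition an automated SQL attack relies on) beside the parameterised form, plus a detection and cleansing pass over stored content for injected `<script>` tags of the kind the article describes.

```python
import re
import sqlite3

# Constructed sample data, not from the article: a CMS-style content table
# with one row carrying an injected script tag (placeholder URL).
INJECTED_TAG = '<script src="http://malicious.example/PLACEHOLDER.js"></script>'
SAMPLE_ROWS = [
    (1, "Weather update", "Rain expected over Gauteng tonight."),
    (2, "Sports result", "Home side wins 2-1." + INJECTED_TAG),
    (3, "Business", "Markets closed flat."),
]

# Matches a whole <script ...>...</script> element, case-insensitively.
SCRIPT_TAG_RE = re.compile(r"<script\b[^>]*>.*?</script\s*>", re.IGNORECASE | re.DOTALL)


def make_db():
    """Build an in-memory SQLite database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def find_article_vulnerable(conn, title):
    """The defect: user input is concatenated into the SQL text, so quotes
    and keywords inside `title` are parsed as SQL rather than compared as data."""
    sql = "SELECT id FROM articles WHERE title = '" + title + "'"
    return [row[0] for row in conn.execute(sql)]


def find_article_safe(conn, title):
    """Hardened form: the value is bound as a parameter and is only ever
    treated as data, whatever characters it contains."""
    sql = "SELECT id FROM articles WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (title,))]


def vulnerable_query_breaks(conn, title):
    """True when the concatenated query fails to parse for this input: the
    tell-tale sign that input is reaching the SQL parser."""
    try:
        find_article_vulnerable(conn, title)
        return False
    except sqlite3.OperationalError:
        return True


def find_injected_rows(conn):
    """Detection: (id, column) pairs whose stored text contains a <script> tag."""
    hits = []
    for row_id, title, body in conn.execute("SELECT id, title, body FROM articles"):
        for col, text in (("title", title), ("body", body)):
            if text and SCRIPT_TAG_RE.search(text):
                hits.append((row_id, col))
    return hits


def cleanse(conn):
    """Strip injected script tags from every text column; returns rows changed.
    This removes the payload only; the query defect above must also be fixed,
    or the content is simply re-injected, as the article notes."""
    changed = 0
    for row_id, title, body in conn.execute("SELECT id, title, body FROM articles").fetchall():
        new_title = SCRIPT_TAG_RE.sub("", title or "")
        new_body = SCRIPT_TAG_RE.sub("", body or "")
        if (new_title, new_body) != (title, body):
            conn.execute("UPDATE articles SET title = ?, body = ? WHERE id = ?",
                         (new_title, new_body, row_id))
            changed += 1
    conn.commit()
    return changed


if __name__ == "__main__":
    db = make_db()
    print("injected rows before cleanse:", find_injected_rows(db))
    print("concatenated query breaks on an apostrophe:", vulnerable_query_breaks(db, "O'Reilly"))
    print("parameterised query handles the same input:", find_article_safe(db, "O'Reilly"))
    print("rows cleansed:", cleanse(db))
    print("injected rows after cleanse:", find_injected_rows(db))
```

The detection pass is a starting point for the "cleanse the database" step: on a real site every text column in every table would be scanned, and the scan repeated after the code fix, since a clean database with the original query defect still in place is what gets re-infected.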
Piggspeak and Primedia had not commented by the time of publication.