Subscribe
About

Worming their way out

SA has been exposed to the first publicly known SQL injection worm.
Dino Covotsos
By Dino Covotsos, Founder and CEO, Telspace Systems.
Johannesburg, 20 Jun 2008

The phone rings, it's that high profile, public company again. You know the one that knew better and ignored advice on SQL issues, for an entire year. They're explaining that they have no issues, and there's nothing to worry about.

The problem is, now they have been hit by the SQL worm and they don't even know it. Most of their pages have been infected by this quickly-propagating worm, and they are not willing to listen to any advice.

In the last couple of months, South Africa has been exposed to the "first" publicly known SQL injection worm. This worm took advantage of bad coding techniques and ultimately inserted malicious code on to Web sites that were vulnerable to SQL injection.

I was more than concerned to see the general reaction from South African companies in terms of their information security policies and procedures when a defacement or attack occurred. Several high-profile companies blatantly ignored advice from international experts on multiple occasions. They decided the way to fix their SQL issues was by removing the inserted code, which just resulted in the Web site being re-infected in a matter of hours or even minutes. Some companies disabled or removed the entire page; this was their quick fix.

When worms attack

The more interesting aspect of these SQL attacks, however, is that this worm was very much an initial or "beta" version of what an SQL injection worm can actually achieve. The attack was fairly uncomplicated and did not perform to its full potential.

Sure, this worm inserted malicious Javascript and tried to attack and exploit several outdated applications. These included Realplayer, Microsoft XML issues, AIM, Adobe Acrobat, Shockwave Flash and so forth. It also captured usernames and passwords, placed backdoors on machines and essentially compromised people's systems.

While the above may sound fairly complex to the average computer user or consultant, the initial attack has actually been used for several years and is not complex by any standards.

We can expect to see quite a few more malicious worms, with the after-effects promising to be far more devastating.

Dino Covotsos is CEO of Telspace Systems

Even more so, what kind of damage could occur should an extremely malicious worm appear? We can expect to see quite a few more malicious worms, with the after-effects promising to be far more devastating. A simple example would be of an attacker utilising custom-made, unreleased exploits targeting the client side vulnerabilities. This will have a much greater impact and aftermath.

Taking it one step further, we can also envisage a full server operating system compromise, copying or dropping (deleting) that very mission-critical SQL information. This is really the information that is supposed to be kept private. We will probably also see a more generic worm, which targets not only one specific database type, but databases such as Mysql and Postgres. We will continue seeing more techniques being utilised such, as fast-fluxing.

Negatively affected

Many companies do not think they can be held liable in any sort of way if user data is compromised or leaked. To this day, companies still ask us: "What is the problem or risk if all of our users' information is taken?" Or even, a favourite of ours: "Why is this even worth fixing?"

We have seen a specific number of these companies face-to-face and some of them have just installed some freeware application to secure hundreds of thousands of users' confidential details. Not exactly very secure for the end-user, who has just provided his ID number, full name address and much more.

Companies do not realise there are many negatives if their Web sites do get defaced or attacked successfully. The reputation of a business is negatively affected. In this specific instance, end-users are not safe even just browsing an infected Web site - if their personal or business computers are infected because of a Web site, that opens a new can of worms. The company can be held liable for the damage to their property.

Creating awareness

Obviously, with the all the negatives, I do believe there have to be positives. As mentioned previously, I do believe that thanks to this SQL worm, there has been a growth in interest and awareness around this specific type of issue. Some companies' eyes have been opened and a few more are now taking information security a bit more seriously.

Personally, I have seen a few very high-profile companies in SA and abroad, clients of ours, react in a very serious and professional manner when addressing these specific kinds of issues. I am extremely impressed to see the attitude of some of the companies that we have dealt with; they have taken their roles in information security extremely seriously. We obviously just wish it applied to more high profile companies in SA, but we are getting there. Slowly.

* Dino Covotsos is the founder and CEO of Telspace Systems.

Share