On Thursday, Webmasters around the world noticed unusual spikes in traffic. For some smaller sites the sudden surge of Web traffic toward their sites appeared to be almost a denial-of-service attack.
Turns out it was the free version of AVG Antivirus 8.0 just doing its job.
In a statement on Saturday, Grisoft said "We have actively listened to the Webmasters who have brought this to our attention, and as a company we have reacted quickly to solve them." What it did was issue a new build of the popular free program.
What's different in version 8 from previous versions is the inclusion of Linkscanner, a scanner that stops malware components embedded on compromised Web pages. LinkScanner was created by Exploit Prevention Labs and purchased last summer by Grisoft, maker of AVG products.
One feature of LinkScanner, Secure Shield, works by downloading the home page of each site returned in a common Web search then populates the search result page with colored icons indicating the relative safety of those sites. The feature, which has been previously available, apparently didn't scale to the large numbers of AVG free customers. On Monday, Roger Thompson, who developed LinkScanner and is now chief research officer for Grisoft, confessed, "We knew it would create a spike of some sort, but nothing like what happened."
How dramatic was the surge in traffic? The site AVG-Watch.org provides charts on bandwidth use after the release of AVG 8.0.
In an e-mail to CNET News, Thompson went on to say: "We did not consider the multiplying effect of any given Web site's own marketing within search engine results. In other words, if a Web site, through its marketing, became a common search result, it was scanned much more often than we expected. As soon as we found out, we gathered some data, talked to some Webmasters, and figured out what to do."
However, Thompson disputed a claim by AVG-Watch.org that the updated AVG version now only "pretends to prefetch," and does little more than a DNS (Domain Name System) lookup of the site. Thompson said "it doesn't pretend to pre-scan. It just works off the local blacklist. That involves a DNS lookup, so that we can compare both IPs and URLs."
Making matters worse last week, AVG disguised the scans as coming from Internet Explorer 6 browsers, and not Secure Shield. For a few days it was unclear who was responsible for the surge in Internet traffic. Thompson said they could have made the LinkScanner scans entirely stealth, but they wanted to give Webmasters the option of filtering the scans.
"The real issue is that, like it or not, we're at war on the Web," said Thompson. "Criminals, both organized and opportunistic want our PCs and our money, and they're attacking via the Web. It's no longer like the old days when they wrote this stuff for fun."
Visitors to AOL's main portal page may have seen a headline "Disgraced 'Oprah' Author Is Back" circulating, but those who clicked may have infected their computers, says Roger Thompson, Chief Research Officer of AVG Technologies.
Thompson said anyone clicking on the headline link would be taken to a legitimate forum page discussing James Frey's latest book, Morning. However, some of the blog posts on that page contained a link to a video site. In order to view the video associated with that post, the user would have to accept the installation of the video codec.
Upon accepting the codec download, the user's machine would become infected with the Zlob Trojan.
A spokesperson for AOL said: "The malware link referenced in the story appeared in the "Comments" section of an AOL News site, and was posted by an outside source. AOL has several tools and resources in place to quickly identify and remove dangerous or false links, and as a result, identified and removed the link from the site. Per our overall policies regarding user generated content, the person responsible for posting the link has been banned from posting on the site again, and all content posted by them has also been removed."
Thompson agrees that AOL's security is good and sees the incident as a warning. "If ever you have to install a codec to watch a video, don't. It's just not worth the risk," he said.
Within the last week, two large-scale releases of malicious code have included exploits for a vulnerability that Microsoft patched in April 2006. The weekend's defacement of more than 70,000 Web sites and the installation of an MBR rootkit both require exploitation of the number of older vulnerabilities, including MS06-014. Why bother?
The original security bulletin for MS06-014 was posted back in April 2006. It concerned a flaw within the Microsoft Data Access Components (MDAC), specifically within the RDS.Dataspace ActiveX control, that is part of the ActiveX Data Objects (ADO) distributed in MDAC. Shortly after the patch was available, an exploit was published to the Web.
Roger Thompson, chief research officer at Grisoft, said in an e-mail, "MS06-014 works really well, and it's really easy to use and modify. It's shocking that it's still producing enough to make it worth their while, but it must be so."
Shortly after MS06-014 was published, Microsoft released Windows XP SP2, which, among other things, includes all the previous Windows XP security patches.
Given the exploit's revival, there must be a large number of machines still running Windows with XP SP1 or before.
Thompson said the continued use of older exploits "underlines how hard it is to do a new exploit, as opposed to just using someone else's." Thompson, whose company makes the Linkscanner safe browsing application, said blocking these exploits is the best protection. Of course, keeping your Windows system up-to-date can't hurt either.
On Wednesday, the SANS Internet Storm Center and others published details about the massive SQL-based Web attack that occurred over the weekend. The attack, says SANS, is similar to a smaller SQL-injection attack seen in November. At least 70,000 sites were compromised in a short period of time, leading some to speculate this was an automated attack.
From logs files, the attack code appears to exploit a variety of SQL injection vulnerabilities existing on Web sites using Microsoft SQL or Microsoft IIS. On the vulnerable sites, malicious JavaScript is injected into all variable character fields and text fields in the SQL database such that when visitors hit the site, their browsers, if vulnerable, are then redirected to another domain--in this case, us8010.com.
Roger Thompson, chief research officer at Grisoft, identified one of the exploits served at the malicious server as taking advantage of MS06-014, a Microsoft Data Access Components vulnerability that Microsoft patched in September 2006. He also noted that "this domain uc8010(dot)com was registered just a few days ago (Dec 28), and yet, at one point Google showed script injections pointing to it were showing up on over 70k domains." Yet by January 5, most of these domains had already been cleaned.
What's interesting about this attack, aside from its automation, is that the SQL injection script is given in terms of a CAST statement, code that converts one data type to another. Ryan Barnett has provided a decoded version of this attack.
Barnett suggests that to protect against this attack a Web site should be front-ended by an Apache proxy and then back-ended by ISS or MS-SQL. SANS says other methods, such as blocking CAST statements, would also be effective.
- prev
- 1
- next
