SANS ISC InfoSec Forums
Being a good internet neighbour

March 2011 was a busy month with a number of very public announcements on systems being breached. These had different effects on each of us.

The one that had an odd side effect for me was the Lizamoon.com SQL injection attack. My day job has me attempting to protect a large number of staff from themselves and the evils of the internet, which isn't that different from what many who read the Diary do.
 
After seeing the alarm about this SQL injection attack, I added the identified malware-hosting sites [2] to the standard block list and reviewed my firewall logs. Solid security and operational practices meant our systems were safe, but just from reviewing the proxy web logs I did find three external websites that had been successfully compromised. Just to be clear: my company has no anti-disclosure constraints, I was given permission to talk with the attacked sites, this attack is pretty public, I haven't tweaked, fiddled or done stuff* to find this information, and they are, unwittingly, attacking my systems and staff. I, as the security guy, need to stop this one way or another.
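The proxy-log review described above is worth seeing as code. The following is an added example, not part of the diary or any ISC tooling: it walks combined-style proxy log lines, picks out requests to domains on the block list, and groups them by HTTP Referer, because the referring site is the legitimate site that was injected and is the one to notify or block. The log format, the `/ur.php` path and every host except lizamoon.com (named in the diary) are constructed sample data; adjust the regular expression to your own proxy's log format.

```python
"""
Find the legitimate sites that are sending users to blocked malware hosts.

Added example, not code from the ISC diary. The block list and the log
lines are constructed sample data in an Apache/Squid "combined" style:
    client [timestamp] "METHOD URL PROTO" status bytes "referer" "user-agent"
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed block list: lizamoon.com is the domain named in the diary,
# malware-host.example is a placeholder for any other listed host.
BLOCKLIST = {"lizamoon.com", "malware-host.example"}

# Constructed sample proxy log (status 403 = the proxy blocked the request).
SAMPLE_LOG = """\
10.1.2.3 [01/Apr/2011:09:12:01 +1000] "GET http://www.shop-example.test/products.asp?id=7 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.1.2.3 [01/Apr/2011:09:12:02 +1000] "GET http://lizamoon.com/ur.php HTTP/1.1" 403 0 "http://www.shop-example.test/products.asp?id=7" "Mozilla/5.0"
10.1.2.9 [01/Apr/2011:09:40:17 +1000] "GET http://bigcorp-example.test/news/ HTTP/1.1" 200 8800 "-" "Mozilla/5.0"
10.1.2.9 [01/Apr/2011:09:40:18 +1000] "GET http://cdn-example.test/jquery.js HTTP/1.1" 200 91000 "http://bigcorp-example.test/news/" "Mozilla/5.0"
10.1.2.9 [01/Apr/2011:09:40:18 +1000] "GET http://www.lizamoon.com/ur.php HTTP/1.1" 403 0 "http://bigcorp-example.test/news/" "Mozilla/5.0"
10.1.2.3 [01/Apr/2011:10:05:44 +1000] "GET http://malware-host.example/x.js HTTP/1.1" 403 0 "http://www.shop-example.test/products.asp?id=7" "Mozilla/5.0"
10.1.2.7 [01/Apr/2011:10:06:00 +1000] "GET http://lizamoon.com/ur.php HTTP/1.1" 403 0 "-" "Mozilla/5.0"
this line is not a proxy log entry
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def host_of(url):
    """Lower-cased hostname of a URL, or None for '-' / unparsable values."""
    host = urlsplit(url).hostname
    return host.lower() if host else None


def is_blocked(host, blocklist):
    """Match the host itself or any subdomain of a block-listed domain."""
    return any(host == b or host.endswith("." + b) for b in blocklist)


def find_referring_sites(log_text, blocklist):
    """Group blocked requests by the referring (likely compromised) site."""
    referrers = defaultdict(
        lambda: {"hits": 0, "clients": set(), "targets": set(), "first_seen": None}
    )
    direct_hits = 0  # blocked requests with no Referer: origin unknown from this line alone
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1
            continue
        target = host_of(m["url"])
        if not target or not is_blocked(target, blocklist):
            continue
        ref_host = host_of(m["referer"])
        if ref_host is None:
            direct_hits += 1
            continue
        if is_blocked(ref_host, blocklist):
            continue  # a blocked site referring to itself names no new victim
        entry = referrers[ref_host]
        entry["hits"] += 1
        entry["clients"].add(m["client"])
        entry["targets"].add(target)
        if entry["first_seen"] is None:
            entry["first_seen"] = m["ts"]
    return {"referrers": dict(referrers), "direct_hits": direct_hits, "unparsed": unparsed}


def report(result):
    """One line per referring site, busiest first, plus the leftovers."""
    lines = []
    ordered = sorted(result["referrers"].items(), key=lambda kv: (-kv[1]["hits"], kv[0]))
    for host, e in ordered:
        lines.append(
            f"{host}: {e['hits']} blocked request(s) from {len(e['clients'])} client(s), "
            f"first seen {e['first_seen']}, led to {', '.join(sorted(e['targets']))}"
        )
    lines.append(
        f"direct hits with no referer: {result['direct_hits']}; "
        f"unparsed lines: {result['unparsed']}"
    )
    return lines


if __name__ == "__main__":
    for line in report(find_referring_sites(SAMPLE_LOG, BLOCKLIST)):
        print(line)
```

The 403 entries show the block list doing its job; the value of the exercise is the Referer column, which names the legitimate site that is injecting the reference. Two caveats: the Referer is set by the browser and is often absent or stripped, so the `direct_hits` count is a reminder to correlate those entries by client and timestamp with the page fetched just before; and the subdomain match in `is_blocked` matters because the same script is commonly reached via `www.` and bare hostnames.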

This leads to my First Question**: Should I tell them they have a problem or just block 'em too?

The SQL-injected web site is a legitimate web site; staff from my company are allowed to access it, and being redirected to an Evil Web Site without either party knowing means action has to be taken.

This seems like a no brainer. If you see someone's house is on fire, you let them know.

Second Question: How do I let them know?
The easy way was to get contact details from the infected web site by visiting the site and clicking on contact info. This identified them as a large company and two small businesses, all in my time zone and relatively local to me. I was able to get the helpdesk for the large company, the owner and a shop assistant for the other two.

Third Question: What do I tell them?***
The fun part of talking to non-IT people (most of humanity, or so I'm informed) is that glibly pointing out "their 'base has been 0wnzed by sqli" might not convey a clear and detailed picture of the issue. Most people know being hacked is a bad thing, so the simple opener of “Your web site has been hacked and as a customer I’d like you to fix it please” was a reasonable start and got their attention. I told them where to get more information on how their website was hacked (Google these terms or go to web site X) and that their IT people need to fix it. I offered them the best of luck with fixing their site and that was it. All in all, a pretty easy ten minutes on the phone.

The outcome of a few minutes of advice

Two quickly fixed the damage done and seemed pleased someone had taken the time to let them know they had a problem.

Only the small company with the startled shop assistant hasn’t fixed its Lizamoon problem. Despite a couple of follow-up emails to the company they are still compromised, so I’ve been forced to block that site at our borders. That’s sadly a loss of income for them, but a necessity for us.

Worthwhile being a good internet neighbour?

That’s up to you but the hope is that everyone can take a few minutes to help out a digital stranger in need every once in a while when you can. Many of you reading this help others in your physical lives, in one way or another, and I’m guessing that takes up a lot more time than a phone call or couple of emails to a digital victim.
Kevin Liston’s “let’s clean up SQL Slammer” diaries [3] really show that problems left unfixed never really go away, but that with effort a difference can be made [4].

As always, if you have any better suggestions, insights or tips please feel free to comment.

 

* e.g. things that could get me fired, arrested, dragged off to a dark room then forced to listen to pan pipes or anything mum wouldn't approve of
** Capitalisation is intentional; it’s there to denote my deep pondering on the topic at hand
*** With so many well publicised social engineering phone scams in Oz [5], I was somewhat nervous about what response I might receive. Fortunately it was all good (as they say here Down Under)


[1] http://isc.sans.edu/diary.html?storyid=10642
[2] http://community.websense.com/blogs/securitylabs/archive/2011/03/31/update-on-lizamoon-mass-injection.aspx
[3] http://isc.sans.edu/diary.html?storyid=9637
[4] http://isc.sans.edu/diary.html?storyid=9871
[5] http://isc.sans.edu/diary.html?storyid=10135
 

Chris Mohan --- Internet Storm Center Handler on Duty

Chris

105 Posts
ISC Handler
- http://blog.sucuri.net/2011/04/lizamoon-mass-sql-injection-ur-php-updates.html
April 4, 2011 - "... good way to check if your site is infected, is by using our malware scanner*. If you see IIS:4 as the malware code, you know what happened..."
* http://sitecheck.sucuri.net/scanner/
.
Jack

160 Posts
This is something I do a few times a year: call about malware on their site, bugs on their site, etc. Often I have to tell even large companies how to fix things, as they have no troubleshooting skills in-house.
Most are happy, but there are the usual few "I don't care" people out there. They only care when their site is all the way down. And it is illegal to help them.
Povl H.

72 Posts
I've had to do this in the past as well. I see it as part of the golden rule of treating others how you'd like to be treated. Hopefully if my company has an issue someone will have the decency to notify us in the case that we haven't caught it.

I've also located contact numbers and emails based on the whois lookup record though. I contact whoever is in there as the technical contact. That has always given me pretty good luck at contacting someone who knows what they're doing.
Povl H.
3 Posts
At StopBadware, we do a lot of work with website owners and hosting providers that have fallen victim to website compromise. For exactly the reasons you've described, we're doing a few things to try to make this process easier for both you, as a reporter, and for the site owner and hosting provider, as victims.

First, we're working to develop best practices for reporting of compromised or otherwise malware-infected websites. We'll be advised by a volunteer working group. Chris, if you're interested in participating (and I hope you are), please send us a note at contact<at>stopbadware<dot>org.

Second, we're trying to build a system that will allow someone who discovers infected URLs to report to a central location. The system will then parse the URL and whatever information we can collect (or have collected in the past) and attempt to notify the appropriate people and organizations, in accordance with the best practices.

Third, we offer educational content (http://www.stopbadware.org/home/security) and a volunteer online community (http://www.badwarebusters.org) that can help site owners or small hosting providers figure out how to clean up their sites (and remove their sites from blacklists, if applicable).

I think it's great that you went to the effort to identify and notify the site owners and provide them some guidance on your own. If more security professionals did this, compromised sites would get cleaned up far more quickly. Hopefully, some of the work we're doing—with the support of the security community—will help make this easier for you and others in the future.
Povl H.
5 Posts
I'm not sure of the answer.

If I wake up one morning and find a strange looking tube with some big round tanks mounted on the roof of my car, I'm free to ignore it and drive to work per normal. However, when I later drive back home and discover that every house along my route has burned to the ground, and when a neighbor asks me why I put a flame-thrower on the roof of my car and burned down their house...

...well, what *should* happen when I deny that my car is related to those fires, and when I continue to drive it to work the next day? Am I free to napalm your house again and again, simply because I'm either incompetent, or because it'd be inconvenient for me to stop? At what point should I be prosecuted as being complicit?
Steven

42 Posts
>>we're doing a few things to try to make this process easier for both you, as a reporter, and for the site owner and hosting provider, as victims.

I, for one, would love to see that happen. I come across many malware infected sites on a daily basis as part of my job as a Security Lead Analyst and, unlike Chris, my company does have an anti-disclosure policy. I therefore, being the good netizen that I am, inform the infected sites of the problem and mitigation without disclosing the company I work for.

99.999% of the time I am ignored - probably brushed off as spam/phishing/nut-case/extortionist - so I have to end up going down the public disclosure avenue.

That is a minefield, reporting to - Malwaredomainlists, VirusTotal, McAfee GFI, Bluecoat, BadwareBusters, Sophos, F-Secure, Kaspersky, ad nauseam - while blocking and updating my own defences.

I know some communication between these organizations exist - but the time to mitigate can be a while. And when you have major websites - like one here, I found in the UK, taking 3 weeks to mitigate a Zeus/ZBot drive-by from their site - thousands could have been infected.

A One Stop shop of reporters and the infected would be a godsend.
Steven
1 Posts
Seems to me that this (as with most things) falls under the purview of "The Golden Rule" i.e. What would you want someone to do if the situation were reversed? Keep in mind also that you (in the reversed role) aren't the tech guru in some cases. It seems as though Chris acted appropriately.
Anonymous
I also see an ethical issue here, especially for those of us who subscribe to a particular code of ethics because of a membership in a security organization or holding a certification (ISC2, ISACA, SANS, etc.).

I'm not saying that I think we are ethically bound to contact every hacked site we encounter. There are just too many of them, and we would not be living up to our commitments to our own employers.

What I am saying is that I would find it to be ethically questionable for a security professional to have a policy of never contacting such sites.
John

13 Posts
I have mostly given up with notification - it appears to be ignored 99% of the time (no "thank-you" responses, no fixes)

Big companies don't seem to care, and small ones...

"I don't understand this hacked thing, so instead of contacting my webmaster [brother in law] who hasn't a clue either we will just ignore it. And 'sploits only affect other people." So the luggage website continues to hawk boner pills, warez, and malware.

And yet these websites want to be "trusted".

They NEED to be trusted due to their idiotic, and mostly unnecessary use of js, ajax, flash, silverlight, java, 3rd party cookies, and other "ooo! shiny keys" which requires me to turn off multiple layers of defense to even view their homepage.

lurk

4 Posts
