Feeds

back to article Mass ASP.NET attack causes websites to turn on visitors

An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show. The mass infection, which redirects users to a site exploiting old versions of Oracle's Java, Adobe's Flash player and various browsers, was first disclosed by researchers …

COMMENTS

This topic is closed for new posts.

Very poor reporting

From evidence given, nothing to do with ASP.NET. By the sound of it, it's about crap programmers from any database back end. Can you just clarify the ASP.NET vuln?

7
3

The site that this article links to gives a bit more information, but not a lot.

This attack is something that I've seen recently, and it is in fact targeting ASP, but not just ASP. Similar attacks are being conducted against sites using PHP as well.

An overview of how it works:

- Hackers gain entrance to a site, via SQL injection or by some other means. (This may, I believe, involve gaining access to a site on a badly configured shared hosting server and then attacking other sites on that same server.)

- The hackers inject a heavily obfuscated piece of ASP code into .asp files or PHP code into .php files. The injected code is written in such a way that it's very difficult to read.

- When the ASP or PHP code is executed, the malicious routines which have been injected in the code modify the HTML output produced by the code to place a link to a hostile JavaScript on another server.

- This hostile JavaScript is also heavily obfuscated and difficult to read. It opens an invisible iFrame which redirects the user through a series of intermediates to a site which tries a number of different browser exploits to place a drive-by malware executable on the visitor's computer. If this is successful, the newly infected computer phones home to a command and control server.

I first became aware of this attack against ASP and PHP sites while I was investigating a different, unrelated (I believe) attack against WordPress sites that also involves injecting obfuscated PHP code into a compromised Wordpress site. I've written about that attack at

http://tacit.livejournal.com/362704.html

One of the commenters on that blog post mentioned that he had a Web site not using WordPress that was being attacked by the injection of obfuscated PHP code. I took a look to see if it was the same attack. It wasn't...but it was an attack that matches in almost all important regards to this ASP attack.

So I don't think it's really 100% correct to characterize this as an attack on ASP or ASP.NET sites. Rather, what's happening is that sites running vulnerable ASP, ASPX, or PHP code are being exploited; the hackers have written code in both PHP and ASP which, when executed, inserts a call to the malicious JavaScript in the script's output. he similarity of the code and the JavaScript attack at least suggests the possibility that the same people are attacking both ASP and PHP sites.

13
1
FAIL

Exactly

I'm an ASP.NET programmer, so I was very interested to see what the author was trying to tell me was wrong with my sites.

Come to find out, the "attack" on ASP.NET is SQL injection - a vulnerability even a rookie programmer knows how to avoid, and to which any web platform is vulnerable if its application is poorly designed.

Reporting FAIL. Thanks for the time waste, Reg!

0
1
FAIL

What an utterly terrible article

How are these websites being compromised?

You say it's SQL injection then go on to say that ASP.Net sites are being targetted - which is it? (Hint: ASP.Net sites can quite happily run without databases)

This article gives me no information to be able to tell whether my servers are vulnerable to attack or not. Pathetic.

12
3
Bronze badge
Linux

If they a Microsoft servers

They are always vulnerable.

4
17
Thumb Down

Ignorance on parade

That is all.

0
0
Unhappy

SQL Injection?

Perhaps there are some people who shouldn't be allowed near code editors ever again, all the way down to ed and Notepad, if they don't code to prevent SQL injection attacks.

So, when's the next XSS exploit due?

5
0

Semantics!

"Mass ASP.NET attack causes websites to turn on visitors"? Whatever. It's clearly a SQL injection attack. The fact that it may be more prevalent on Windows Servers does not make it 'ASP.NET attack'. Poor title, probably for bait.

Any developer, on any platform, that does not explicitly distrust all incoming data and subsequently sanatise it, should not be a bloody developer. I am amazed just how many sites and prop/open-source solutions (on both MS/Linux) I have seen are susceptible to SQL injection. There's a lot of poor developers out there, on all platforms.

As with all SQL injection attacks, the problem is the developer - simples.

5
0
WTF?

--more--

This article contains absolutely zero information, and a whole lot of padding. Where's the information on the exploit? There's a link to the page, but no discussion about the exploit itself. There's a rather hysterical proclamation about ASP.Net, and then the linked page shows a piece of malicious JavaScript. Reporting standards seem to have taken a dive at El Reg Towers with this one.

WTF? because WTF?

6
0
Bronze badge

Crap all around

Crappy web sites. But you make it sound like it's an issue with ASP sites. When in reality it's an issue with configuration. Outed software with holes in it . Finished of with a lousy reporting . In summation this requires a clueless web site designer and a clueless user for this attack to work. Nothing to do with ASP.net

3
0
Bronze badge

very poor

Expect better from an IT site like the reg.

"The infection injects code into websites operated by restaurants, hospitals, and other small businesses"

So that suggests a particular app these places might use is vulnerable, which may or may not be an ASP.NET app. But the headline looks like standard MS bashing fair and suggests the attack is against ASP.NET itself.

Credit to the reg readers that so far there haven't been any tedious derogatory comments about MS (spelled with the dollar site, naturally) urging man and dog to adopt open source O/Ss to avoid such issues.

6
0

';drop table users

So if I understand this correctly, this is essentially the exploiter pasting some javascript code into an input control which saves that text in the DB (so something like a comments section, contact form, customer testimonial etc) and then when that info is rendered into a page, the script is also rendered and run.

So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data.

Are there really still developers out there who don't sanitise the input and parameterise their queries?

0
0
Gold badge
Unhappy

@Tatsky

"So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data."

At last count the "designers" of about 614 000 of them.

But I'll make a small bet this will rise *lots* higher.

0
0
Anonymous Coward

That's odd. Suddenly I'm an anonymous coward......

0
0
Bronze badge

Microsoft is the culprit anyways

It is not the server side vulnerability that makes this interesting, but the ubiquitous client side Microsoft Windows virus friendly OS. Long live the Microshit!

3
21
Coat

Dear flamebait...

Shall I call 'the men in white coats' or would you prefer to do that for yourself ;)

3
1
Bronze badge

Really cause. it relies on out dated Java or adobe products. How is that MS fault ?

1
1
Anonymous Coward

Errr

"Really cause. it relies on out dated Java or adobe products. How is that MS fault ?"

...because it only affects sites using ASP.NET!

0
7

re: Microsoft is the culprit anyway

I can't refute what you say, so I'll mod you down instead :)

0
1
Anonymous Coward

I see, so by your logic, current and past SQL injection vunerabilities in phpCMS, Codice CMS, Voxpopulime CMS, BloofoxCMS, WordPress, Joomla and Drupal (to name but a tiny, tiny fraction) would the be fault of say Linux and/or Microsoft (or any other OS capable of running PHP)?

I take it your are not a developer?

4
0
Bronze badge

did you read

Because it said that you had to badly configure the site. The fact that same can't code is not MS fault. It's the same as having the spare key under the front door mat. It's not the fault of the lock maker.

2
1
Bronze badge

once again

Did you read mine? I said that on GNU/Linux I do not care about these web browsers' dangers resulting from whichever fault (bad SQL/PHP/.NET/JAVA)

t is only the MS Windows users' worry. Now are you getting it?

0
0
Megaphone

Pull the article or rename the title

I agree with the other comments here. I'm an ASP.NET developer and this article in the end becomes a piece of false advertising by its title. It's almost as bad as saying the sky has mysteriously and dangerously turned grey on a cloudy day. Makes me wonder if the reporter just needed more readership and so threw in that title or if it's an article just meant to slam ASP.NET in general.

The bull horn because it's just a bunch of unwelcome noise rather than being informative

5
0

yes it is to do with ASP/ASP.NET

if you read the blog entry and look at the link to google search results, you will see it IS targetting ASP/ASP.NET websites. Whether the attack would work against PHP sites is not the point, the google results clearly show .aspx pages being returned, so yes they are affecting ASP.NET sites. OK they may be poorly codes, and they may not be:

As a PHP developer and an ASP.NET developer, I can say it is not always the case that developers are at fault, sometimes the framework code in .NET does not do what it should, as in the past I have had to code my own routines. Not saying that's whats going on here.

1
1

Actually I would suspect it is more likely IIS

The nature of the attack doesn't appear to use anything specific to ASP or ASP.NET. So my unfounded guess as to why there's such a high proportion of sites that are ASP.NET (yet not all of them) is that the automated script that is run once the server is comprimised is targetting IIS. This makes some sense to me, as IIS is easily locatable, and easily interrogated and manipulated by a script (by design, not by mistake). This would make it an easy target for someone wanting to do a mass automated attack. I'm sure they could have targetted other web servers, but I guess they haven't.

3
0

suspect unfounded

Attacking IIS is something different than a SQL injection attack.

1
0

No Sentient, you misunderstand

Not 'attacking IIS', I'm saying that once the system has been comprimised by the SQL injection attack, I suspect it is then using the fact you can easily find IIS and configure it (now that it has permissions) by writing an automated script to do it. Thus the websites that are seen as comprimised are ASP.NET, because most websites running on IIS are ASP.NET. I'm not suggesting an IIS vulnerability.

1
0

WTF with the title?

1
0
Gold badge
FAIL

Looks like it works because of a basic misunderstanding.

Store information.

Hold in DB.

Output information back to user.

The implication is that this happens with text controls which deal with *passive* text.

But the DB executes code *regardless* of what kind of control it originates from.

The attackers know this. The "legitimate" developers do not seem to.

Now how many times had this been done *already*?

0
0
Facepalm

Mass ColdFusion attack causes websites to turn on visitors

This is a complete joke. Nothing here to suggest this has anything to do with ASP.NET, IIS, Microsoft, or anything else specific to a particular brand. There are almost as many ColdFusion pages in the linked Google results.

It's an exploit that all dynamic data driven sites try to program against.the only newsworthy bit of this article is the information about what happens to the users after they're redirected off to malicious sites.

1
0
FAIL

Next to useless article

This is a pretty major development, especially for those of us working with ASP.NET directly, or supporting users of ASP.NET systems - and I'm the latter, working in one of the UK's largest hospitals.

What you've written is a fairly lengthy article saying not very much. Useful things to include in your blathering might have been:

- What actions developers should be taking

- What actions server side support teams should be taking

- What actions desktop support/end users should be taking

1
0
Anonymous Coward

WTF is going on at El Reg these days?!

This article is symptomatic of the junk that's now being regularly churned out.

You seem to think that launching a paper aeroplane once a year is enough to keep the geeks happy, and the advertising revenues rolling in.

FFS sort yourselves out or you risk losing your readers.

0
0

websites operated by restaurants, hospitals, and other small businesses

Yep, whenever I think of small businesses, hospitals are one of the obvious examples.

2
0
FAIL

Title

Again, to echo what everyone else has said: this article doesn't help in the slightest.

Are there any examples of how this is an ASP.Net exploit? As it stands, it appears a number of web techs, including ASP.Net, have been struck by this issue - and as others have commented, it is likely to be some kind of SQL injection, which a well-coded .Net app should be protected against. So unless there is an issue with .Net's SQL Parameters, or some other part of the .Net db technologies, I fail to see how this is a "MASS ASP.NET ATTACK".

0
0
Anonymous Coward

Can we have a system with user input escaped by default

so if you're going to open up an injection vuln you have to do it deliberately?

1
0
This topic is closed for new posts.