Very poor reporting
From evidence given, nothing to do with ASP.NET. By the sound of it, it's about crap programmers from any database back end. Can you just clarify the ASP.NET vuln?
An infection that causes poorly configured websites to silently bombard visitors with malware attacks has hit almost 614,000 webpages, Google searches show. The mass infection, which redirects users to a site exploiting old versions of Oracle's Java, Adobe's Flash player and various browsers, was first disclosed by researchers …
The site that this article links to gives a bit more information, but not a lot.
This attack is something that I've seen recently, and it is in fact targeting ASP, but not just ASP. Similar attacks are being conducted against sites using PHP as well.
An overview of how it works:
- Hackers gain entrance to a site, via SQL injection or by some other means. (This may, I believe, involve gaining access to a site on a badly configured shared hosting server and then attacking other sites on that same server.)
- The hackers inject a heavily obfuscated piece of ASP code into .asp files or PHP code into .php files. The injected code is written in such a way that it's very difficult to read.
- When the ASP or PHP code is executed, the malicious routines which have been injected in the code modify the HTML output produced by the code to place a link to a hostile JavaScript on another server.
- This hostile JavaScript is also heavily obfuscated and difficult to read. It opens an invisible iFrame which redirects the user through a series of intermediates to a site which tries a number of different browser exploits to place a drive-by malware executable on the visitor's computer. If this is successful, the newly infected computer phones home to a command and control server.
I first became aware of this attack against ASP and PHP sites while I was investigating a different, unrelated (I believe) attack against WordPress sites that also involves injecting obfuscated PHP code into a compromised WordPress site. I've written about that attack at
http://tacit.livejournal.com/362704.html
One of the commenters on that blog post mentioned that he had a Web site not using WordPress that was being attacked by the injection of obfuscated PHP code. I took a look to see if it was the same attack. It wasn't...but it was an attack that matches in almost all important regards to this ASP attack.
So I don't think it's really 100% correct to characterize this as an attack on ASP or ASP.NET sites. Rather, what's happening is that sites running vulnerable ASP, ASPX, or PHP code are being exploited; the hackers have written code in both PHP and ASP which, when executed, inserts a call to the malicious JavaScript in the script's output. The similarity of the code and the JavaScript attack at least suggests the possibility that the same people are attacking both ASP and PHP sites.
I'm an ASP.NET programmer, so I was very interested to see what the author was trying to tell me was wrong with my sites.
Come to find out, the "attack" on ASP.NET is SQL injection - a vulnerability even a rookie programmer knows how to avoid, and to which any web platform is vulnerable if its application is poorly designed.
Reporting FAIL. Thanks for the time waste, Reg!
How are these websites being compromised?
You say it's SQL injection then go on to say that ASP.Net sites are being targeted - which is it? (Hint: ASP.Net sites can quite happily run without databases)
This article gives me no information to be able to tell whether my servers are vulnerable to attack or not. Pathetic.
"Mass ASP.NET attack causes websites to turn on visitors"? Whatever. It's clearly a SQL injection attack. The fact that it may be more prevalent on Windows Servers does not make it 'ASP.NET attack'. Poor title, probably for bait.
Any developer, on any platform, that does not explicitly distrust all incoming data and subsequently sanitise it, should not be a bloody developer. I am amazed just how many sites and prop/open-source solutions (on both MS/Linux) I have seen are susceptible to SQL injection. There's a lot of poor developers out there, on all platforms.
As with all SQL injection attacks, the problem is the developer - simples.
This article contains absolutely zero information, and a whole lot of padding. Where's the information on the exploit? There's a link to the page, but no discussion about the exploit itself. There's a rather hysterical proclamation about ASP.Net, and then the linked page shows a piece of malicious JavaScript. Reporting standards seem to have taken a dive at El Reg Towers with this one.
WTF? because WTF?
Crappy web sites. But you make it sound like it's an issue with ASP sites. When in reality it's an issue with configuration. Outed software with holes in it. Finished off with a lousy reporting. In summation this requires a clueless web site designer and a clueless user for this attack to work. Nothing to do with ASP.net
Expect better from an IT site like the reg.
"The infection injects code into websites operated by restaurants, hospitals, and other small businesses"
So that suggests a particular app these places might use is vulnerable, which may or may not be an ASP.NET app. But the headline looks like standard MS bashing fare and suggests the attack is against ASP.NET itself.
Credit to the reg readers that so far there haven't been any tedious derogatory comments about MS (spelled with the dollar sign, naturally) urging man and dog to adopt open source O/Ss to avoid such issues.
So if I understand this correctly, this is essentially the exploiter pasting some javascript code into an input control which saves that text in the DB (so something like a comments section, contact form, customer testimonial etc) and then when that info is rendered into a page, the script is also rendered and run.
So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data.
Are there really still developers out there who don't sanitise the input and parameterise their queries?
"So as others have pointed out, this affects any website which takes info, stores in a DB, and then displays back to users. Well, any website that doesn't sanitise the input data."
At last count the "designers" of about 614 000 of them.
But I'll make a small bet this will rise *lots* higher.
I see, so by your logic, current and past SQL injection vulnerabilities in phpCMS, Codice CMS, Voxpopulime CMS, BloofoxCMS, WordPress, Joomla and Drupal (to name but a tiny, tiny fraction) would be the fault of say Linux and/or Microsoft (or any other OS capable of running PHP)?
I take it you are not a developer?
I agree with the other comments here. I'm an ASP.NET developer and this article in the end becomes a piece of false advertising by its title. It's almost as bad as saying the sky has mysteriously and dangerously turned grey on a cloudy day. Makes me wonder if the reporter just needed more readership and so threw in that title or if it's an article just meant to slam ASP.NET in general.
The bull horn because it's just a bunch of unwelcome noise rather than being informative
If you read the blog entry and look at the link to google search results, you will see it IS targeting ASP/ASP.NET websites. Whether the attack would work against PHP sites is not the point, the google results clearly show .aspx pages being returned, so yes they are affecting ASP.NET sites. OK they may be poorly coded, and they may not be:
As a PHP developer and an ASP.NET developer, I can say it is not always the case that developers are at fault, sometimes the framework code in .NET does not do what it should, as in the past I have had to code my own routines. Not saying that's what's going on here.
The nature of the attack doesn't appear to use anything specific to ASP or ASP.NET. So my unfounded guess as to why there's such a high proportion of sites that are ASP.NET (yet not all of them) is that the automated script that is run once the server is compromised is targeting IIS. This makes some sense to me, as IIS is easily locatable, and easily interrogated and manipulated by a script (by design, not by mistake). This would make it an easy target for someone wanting to do a mass automated attack. I'm sure they could have targeted other web servers, but I guess they haven't.
Not 'attacking IIS', I'm saying that once the system has been compromised by the SQL injection attack, I suspect it is then using the fact you can easily find IIS and configure it (now that it has permissions) by writing an automated script to do it. Thus the websites that are seen as compromised are ASP.NET, because most websites running on IIS are ASP.NET. I'm not suggesting an IIS vulnerability.
Store information.
Hold in DB.
Output information back to user.
The implication is that this happens with text controls which deal with *passive* text.
But the DB executes code *regardless* of what kind of control it originates from.
The attackers know this. The "legitimate" developers do not seem to.
Now how many times had this been done *already*?
This is a complete joke. Nothing here to suggest this has anything to do with ASP.NET, IIS, Microsoft, or anything else specific to a particular brand. There are almost as many ColdFusion pages in the linked Google results.
It's an exploit that all dynamic data driven sites try to program against. The only newsworthy bit of this article is the information about what happens to the users after they're redirected off to malicious sites.
This is a pretty major development, especially for those of us working with ASP.NET directly, or supporting users of ASP.NET systems - and I'm the latter, working in one of the UK's largest hospitals.
What you've written is a fairly lengthy article saying not very much. Useful things to include in your blathering might have been:
- What actions developers should be taking
- What actions server side support teams should be taking
- What actions desktop support/end users should be taking
This article is symptomatic of the junk that's now being regularly churned out.
You seem to think that launching a paper aeroplane once a year is enough to keep the geeks happy, and the advertising revenues rolling in.
FFS sort yourselves out or you risk losing your readers.
Again, to echo what everyone else has said: this article doesn't help in the slightest.
Are there any examples of how this is an ASP.Net exploit? As it stands, it appears a number of web techs, including ASP.Net, have been struck by this issue - and as others have commented, it is likely to be some kind of SQL injection, which a well-coded .Net app should be protected against. So unless there is an issue with .Net's SQL Parameters, or some other part of the .Net db technologies, I fail to see how this is a "MASS ASP.NET ATTACK".