Wednesday, June 30, 2010

From Russia with love - asprox

Tonight I found in my RSS reader that a large number of websites (some very popular ones in Belgium) are infected with ru/js.js.

It appears that this comes from a trojan called Asprox. Originally it spread through spam via the Pushdo botnet, but the attack vector seems to have changed.

The new attack vector is SQL injection. Rondel Mendez wrote an excellent piece about it for M86 Security that explains what the malware does.

The syscolumns xtypes it abuses are 35 (text), 99 (ntext), 167 (varchar) and 231 (sysname). All of these can hold a string, which in this case is a URL pointing to the botnet.
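A defender can walk the same type set the worm walks to find out which columns were hit. The script below is an added example (not part of this post or of the M86 write-up): it lists every column whose system_type_id is one of the four values above (231 covers both nvarchar and sysname) and counts the rows in each that contain a "<script" marker. It assumes Windows authentication, the System.Data.SqlClient provider that ships with the .NET Framework, and the instance, database and marker given as parameters, all of which are assumptions.

```powershell
# Added example: scan the column types targeted by the Asprox injection
# (35 text, 99 ntext, 167 varchar, 231 nvarchar/sysname) for an injected script tag.
param(
    [string]$ServerInstance = '.\SQLEXPRESS',   # assumed instance name
    [string]$Database       = 'WebShopDb',      # assumed database name
    [string]$Marker         = '%<script%'       # simple LIKE heuristic, not a full indicator
)

Add-Type -AssemblyName System.Data

# Identifiers cannot travel as query parameters, so quote them the way QUOTENAME() does.
function Get-QuotedName([string]$Name) { '[' + $Name.Replace(']', ']]') + ']' }

$conn = New-Object System.Data.SqlClient.SqlConnection(
    "Server=$ServerInstance;Database=$Database;Integrated Security=SSPI")
$conn.Open()
try {
    # Same type set the worm enumerates, read from the catalog views instead of syscolumns.
    $listCmd = $conn.CreateCommand()
    $listCmd.CommandText = @'
SELECT s.name AS SchemaName, t.name AS TableName, c.name AS ColumnName, c.system_type_id
FROM sys.columns c
JOIN sys.tables  t ON t.object_id = c.object_id
JOIN sys.schemas s ON s.schema_id = t.schema_id
WHERE c.system_type_id IN (35, 99, 167, 231)
ORDER BY s.name, t.name, c.name
'@
    $columns = @()
    $reader = $listCmd.ExecuteReader()
    while ($reader.Read()) {
        $columns += [pscustomobject]@{
            Schema = $reader['SchemaName']; Table  = $reader['TableName']
            Column = $reader['ColumnName']; TypeId = $reader['system_type_id']
        }
    }
    $reader.Close()

    foreach ($col in $columns) {
        # Identifiers are quoted; the search marker is passed as a real parameter.
        $target = (Get-QuotedName $col.Schema) + '.' + (Get-QuotedName $col.Table)
        $column = Get-QuotedName $col.Column
        $scan = $conn.CreateCommand()
        $scan.CommandText = "SELECT COUNT(*) FROM $target WHERE CAST($column AS nvarchar(max)) LIKE @marker"
        [void]$scan.Parameters.AddWithValue('@marker', $Marker)
        $hits = [int]$scan.ExecuteScalar()
        if ($hits -gt 0) {
            Write-Output ("{0}.{1}.{2} (type {3}): {4} rows contain the marker" -f
                $col.Schema, $col.Table, $col.Column, $col.TypeId, $hits)
        }
    }
}
finally { $conn.Close() }
```

Run it once per database; the output is the list of columns to clean and, more importantly, the list of pages whose input handling let the statement through. The CAST to nvarchar(max) is what allows the legacy text and ntext columns to be searched with LIKE.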

How to solve this? Simple: fix your code, never trust user input, normalize it and check whether the values are acceptable.
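The fix in code is parameterization plus validation. Below, as an added example that is not part of this post, is the same product lookup written the way the injection needs it (user input concatenated into the statement) and the way it should be written (input normalized and checked, then bound as a typed parameter). The table dbo.Products(ProductId int, Name nvarchar) and the connection string are assumptions.

```powershell
# Added example: string concatenation beside the parameterized, validated form.
Add-Type -AssemblyName System.Data
$connectionString = 'Server=.\SQLEXPRESS;Database=WebShopDb;Integrated Security=SSPI'  # assumed

# VULNERABLE: the raw input becomes part of the batch SQL Server executes, so a value
# that contains a semicolon and a second statement is executed as well.
function Get-ProductUnsafe([string]$UserInput) {
    $conn = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT Name FROM dbo.Products WHERE ProductId = $UserInput"
        return $cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

# FIXED: normalize and check the input first, then bind it as an int parameter.
# Whatever the string contains, it can only ever be compared as a number.
function Get-ProductSafe([string]$UserInput) {
    $id = 0
    if (-not [int]::TryParse($UserInput.Trim(), [ref]$id) -or $id -le 0) {
        throw "ProductId must be a positive integer"
    }
    $conn = New-Object System.Data.SqlClient.SqlConnection($connectionString)
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT Name FROM dbo.Products WHERE ProductId = @id'
        $p = $cmd.Parameters.Add('@id', [System.Data.SqlDbType]::Int)
        $p.Value = $id
        return $cmd.ExecuteScalar()
    } finally { $conn.Close() }
}

# Usage with a constructed, harmless input: both return the same product name,
# but only the safe version refuses anything that is not a positive integer.
Get-ProductSafe '42'
```

The validation step is the "check if the values are acceptable" part: it rejects bad input early with a clear error, while the parameter is what actually removes the injection, so keep both even if one seems redundant.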

Career change


I will no longer bore you to death with SQL. I have made a career change and since this week I am working in our IT security department (still the same company).


Friday, June 18, 2010

SQLCMD and the tempdb adventure

I had a call today from a colleague to help her out with an issue. Some customer had moved their tempdb and now she had to fix it because the SQL server instance did not come up. Since I handled such a case in the past she asked me to tell her how I've fixed it. I write this blog post because I had already forgotten a couple of things.

1. Make sure the SQL instance is stopped.
2. Activate the named pipes protocol.
3. Start the SQL instance with the -m option.
4. Open a sqlcmd connection with the -E option. Sqlcmd is case sensitive, so look out when you type in the instance name (server\instance).
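The four steps above, scripted as an added example that is not part of this post, for an assumed named instance SQLEXPRESS, followed by the ALTER DATABASE that points tempdb back at a path that exists. Run it from an elevated PowerShell on the SQL Server host; the instance name, the target paths and the presence of the SMO assemblies (installed with the client tools) are assumptions.

```powershell
# Added example: bring up an instance whose tempdb location is gone and repoint tempdb.
$Instance    = 'SQLEXPRESS'             # assumed; use 'MSSQLSERVER' for the default instance
$NewDataPath = 'D:\SQLData\tempdb.mdf'  # assumed target location
$NewLogPath  = 'D:\SQLLogs\templog.ldf' # assumed target location

$service      = if ($Instance -eq 'MSSQLSERVER') { 'MSSQLSERVER' } else { "MSSQL`$$Instance" }
$sqlcmdServer = if ($Instance -eq 'MSSQLSERVER') { '.' } else { ".\$Instance" }  # case matters here

# 1. Make sure the instance is stopped.
Stop-Service -Name $service -Force

# 2. Enable the named pipes protocol through the SQL Server WMI provider
#    (the same change Configuration Manager makes).
[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.SqlServer.SqlWmiManagement')
$wmi = New-Object Microsoft.SqlServer.Management.Smo.Wmi.ManagedComputer
$np  = $wmi.ServerInstances[$Instance].ServerProtocols['Np']
if (-not $np.IsEnabled) { $np.IsEnabled = $true; $np.Alter() }

# 3. Start the instance in single-user mode. /mSQLCMD reserves the single
#    connection for sqlcmd so a monitoring agent cannot take it first.
net start $service /mSQLCMD

# 4. Connect with sqlcmd (-E = Windows authentication) and repoint tempdb.
#    The new paths are recorded in master and used the next time the instance starts.
$fix = @"
ALTER DATABASE tempdb MODIFY FILE (NAME = tempdev, FILENAME = '$NewDataPath');
ALTER DATABASE tempdb MODIFY FILE (NAME = templog, FILENAME = '$NewLogPath');
"@
sqlcmd -S $sqlcmdServer -E -Q $fix

# Back to normal multi-user operation; tempdb is recreated at the new location.
Stop-Service -Name $service -Force
Start-Service -Name $service
```

The logical file names tempdev and templog are the SQL Server defaults; if the customer renamed them, read them from sys.master_files first. Make sure the directories in the new paths exist and the service account can write to them before the final Start-Service, or you are back where you started.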

Thursday, June 17, 2010

Meet Joe McCray

Yesterday there was a last minute OWASP chapter meeting and 2 presentations by Joe McCray of The intro was great: Joe loves hacking, swearing and drinking rum and coke (a.k.a Cuba Libre).

The first presentation was about SQL Injection. Most things Joe talked about were things I already knew but it is always interesting to hear somebody explain how he or she does it, and yes, I've learned new things. I have been to presentations where they had prepared a VM with a vulnerable webapp but not Joe. He did his demo on a live website and enumerated all databases on the webserver. He explained in great detail what kind of injections there are and the conclusion was "Fix your shit". He demonstrated how IDS can help you but is not a silver bullet.

The most important thing I took home from this presentation is that in his experience not everybody terminates SSL connections, normalizes the input and then feeds it to the IDS ... and of course "Fix your shit" :). At the end of the evening we discussed what is the easiest way to get the stuff fixed and his experience was to get vulnerabilities classified as a bug by the Quality Assurance people. I think this is a trick I will apply in the future :)

The second presentation was about Web Application Firewalls. I have no experience with application firewalls. I saw some presentations in the past and Joe confirmed what I was thinking about it. It is something to give you some time to "fix your shit" but not the solution.

Joe is coming to BruCon in September 2010 to give a session titled "You Spent All That Money And You Still Got Owned".

Tuesday, June 8, 2010

Wait a second in batch - the ping hack

If you have to wait a couple of seconds in a batch script you can use the following trick:

PING -n 11 127.0.0.1 >NUL

This sends 11 pings to the loopback address and discards the output (NUL is the null device; >NULL would create a file named NULL), which happens to take approximately 11 seconds. If you have a better system let me know.