Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

New SQL injection worm making the rounds

The trend toward large-scale attacks against Web sites through the use of SQL injection is continuing, as experts at both the SANS Internet Storm Center and the Shadowserver Foundation are tracking a newly discovered SQL injection worm that appears to be exploiting a RealPlayer flaw and dropping malware on vulnerable sites. The attacks are focusing on ASP pages and are using the familiar iFrame injection method that has been involved in a number of the recent mass SQL injection attacks. Once a visitor's vulnerable PC has been exploited, the infected Web site installs a binary on that PC. The analysis of the attack done by the folks at Shadowserver shows that the binary is named “test.exe” and is just one link in a long chain of downloaders and malware.

“This binary that is downloaded by this attack appears to be part of a kit we have seen in the Chinese malware family for some time now. The first thing this malware does once installed is download a configuration file. This configuration file has several commands and tells the system what to do next. In our instance it [tells it] to download yet another file and to report in to a URL,” the Shadowserver analysis says.

Fun for the whole family. Shadowserver also has a good list of some of the malicious sites and IP addresses that are serving the malware, for your filtering pleasure.
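For a site owner who wants to check whether stored content has already been hit by this kind of iframe injection, here is an added triage script (not from the Shadowserver or ISC analyses); it walks database rows of HTML text and flags iframe or script tags whose src points off-site, marking zero-size or hidden iframes. The trusted host name and the sample rows are constructed for the example.

```python
"""Triage helper: find injected <iframe>/<script> references in stored HTML."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed: the site's own host; anything else is treated as off-site.
TRUSTED_HOSTS = {"www.example-shop.test"}


class _TagCollector(HTMLParser):
    """Collects every iframe/script start tag with its attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            self.found.append((tag, dict(attrs)))


def _is_hidden(attrs):
    """Heuristic for the 'invisible' iframes used in mass injections."""
    style = attrs.get("style", "").replace(" ", "").lower()
    return (attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1")
            or "display:none" in style or "visibility:hidden" in style)


def find_injected(html, trusted=TRUSTED_HOSTS):
    """Return off-site iframe/script references found in one HTML fragment."""
    parser = _TagCollector()
    parser.feed(html)
    hits = []
    for tag, attrs in parser.found:
        host = urlparse(attrs.get("src", "")).hostname
        if host is None or host in trusted:   # relative or own-host: skip
            continue
        hits.append({"tag": tag, "host": host,
                     "hidden": tag == "iframe" and _is_hidden(attrs)})
    return hits


def scan_rows(rows, trusted=TRUSTED_HOSTS):
    """rows: iterable of (table, column, primary_key, html_text)."""
    return [{"table": t, "column": c, "pk": pk, **hit}
            for t, c, pk, text in rows for hit in find_injected(text, trusted)]


SAMPLE_ROWS = [  # constructed sample rows, as if dumped from the site's DB
    ("products", "description", 1, "<p>Blue widget, 2 pack.</p>"),
    ("products", "description", 2,
     '<p>Red widget.</p><iframe src="http://malicious.invalid/1.htm" width=0 height=0></iframe>'),
    ("news", "body", 7, '<p>Sale!</p><script src="/js/site.js"></script>'),
    ("news", "body", 8, '<p>Hi</p><script src="http://evil.invalid/x.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Feed it a real dump of text columns and each finding gives the table, column and key to clean, plus the host to block at the perimeter.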

Spammers exploit social networking sites

Users of social networking sites may be irritated to find that an increasing number of invitations to be a friend or contact turn out to be ads.

Spammers are turning their attention to social networking sites to hawk their products, according to Cloudmark, a messaging security company. As email antispam technology has improved, spammers have branched out to other areas, said Adam O’Donnell, director of emerging technology at Cloudmark. “The social networking side provided a fertile ground for spammers,” he said.

Junk emailers are using the multiple messaging vectors available on social networking sites, including direct messaging to friends, bulletin board posts and profiles, O’Donnell said. For example, a spammer will create a profile that includes a link to a porn or dating site, then invite a bunch of people to be their friend or contact.

In a recent six-month period, Cloudmark tracked a 300 percent increase in spam on a large social networking site that it works with. Also, at several major social networking sites, about one-third of new accounts created are fraudulent, designed for spam and other attacks, the company said.

On Monday, Cloudmark released what it said was the only commercial product to combat spam, phishing and other attacks on social networks. Cloudmark Authority for Social Networking Providers, which extends Cloudmark’s carrier-grade platform, is designed to protect all communication channels on a social networking site. The company said the technology has been deployed at one of the largest social networking sites, but wouldn’t identify it.

There’s no spam filter that end users can deploy to protect themselves on social networking sites, O’Donnell said. Some sites like LinkedIn are used as business tools, he said, adding, “If it came to a point on social networks where 80 percent of inbound content is spam, they’re no longer a useful business tool.”

Jamz Yaneza, a senior threat researcher at Trend Micro who uses several social networking sites including Facebook and MySpace, said he’s noticed an increase in friend invitations that push products. There have been a lot of exploits against social networking sites, he said, citing last year’s hack of singer Alicia Keys’ MySpace page.

Paul Ferguson, also a threat researcher at Trend Micro, said the growth of users on social networking sites “far outpaces their ability to keep the platform secure.” He added, “The back-end mechanisms that allow the interactivity also allow people to use them for malicious purposes.”


Microsoft releases Windows XP SP3

If you’ve been dying to get your hands on Microsoft’s NAP (Network Access Protection) technology, but just somehow haven’t gotten around to deploying Vista yet, today is your lucky day. Microsoft released Service Pack 3 for Windows XP today, and one of the major components of the massive update is NAP, the company’s network access control system. However, you do need to be running Windows Server 2008 in order to use the NAP capability. Along with NAP, SP3 also includes every update, security-related and otherwise, that Microsoft has released since it pushed out SP2 in 2004.

There are a handful of other security updates included in SP3, and Microsoft has a good description of all of the new features in Windows XP SP3. Here are some highlights:

  • IPSec Simple Policy Update for Windows Server 2003 and Windows XP. This is a tool to help simplify the creation of IPSec filters.
  • Digital Identity Management Service. This allows users on any PC that’s a member of a domain to access all of their digital certificates and encryption keys for applications and services on that domain.
  • Support for the WPA2 wireless security standard.
  • Black hole router detection turned on by default.

The other major news with Windows XP SP3 is the fact that it does not include Internet Explorer 7. Some users have complained about IE 7 being pushed to their PCs as a critical update and Microsoft even went so far as to release a special toolkit to block the delivery of the browser last year. For users who don’t update their machines regularly, SP3 is a good opportunity to get back on the right track all at once.

Howard Schmidt: Fed’s domain reduction program too aggressive

In this interview conducted last month at RSA Conference 2008, security expert Howard Schmidt says the federal government’s goal to reduce its nearly 2,000 domain access points to 50 by Fall 2008 is too aggressive and questions whether the government will reach its goal. Schmidt also explains how an unstable economy could affect IT security budgets and whether enough security talent exists to defend critical systems.

Pioneering online privacy firm Anonymizer acquired

Anonymizer, the pioneering online privacy company, was acquired Thursday by a highly specialized national-security technology provider. Anonymizer began in 1995 as a provider of technology to help consumers, and later enterprises, protect their identities online. The company has a variety of products now that enable users to avoid spam, surf Web sites anonymously and protect their email addresses. It is probably best known for its Anonymous Surfing product, which redirects users’ Web traffic through a proxy, hiding their actual IP addresses. But it also offers products that provide users with disposable email addresses and offerings for enterprises that enable executives to check out competitors’ sites anonymously.

The company acquiring Anonymizer, Abraxas, is a provider of technology and risk management services to the national security community and was founded by Richard H. Helms, a former CIA officer (no relation to Richard M. Helms, former director of CIA). The two companies, both based in San Diego, already share some similarities. Lance Cottrell, the founder and chief scientist at Anonymizer, is also chief scientist at Abraxas. Abraxas’ board of advisers includes former DHS secretary Tom Ridge, and Alan Wade, the former CIO of CIA.

Why lateral SQL injection and NULL pointer attacks matter

There has been a lot of interesting work going on in the research community of late on a handful of really specialized and esoteric application attacks, like Mark Dowd’s NULL pointer attack and David Litchfield’s lateral SQL injection technique. These two methods have a few things in common, specifically the fact that they both exploit things that were thought to be unexploitable. One other similarity is that some people seem to be dismissing these techniques as theoretical or purely academic thought exercises that will never see the light of day. Proponents of this line of thinking say that enterprises don’t need to worry about crazy, multi-step attacks that are hard to understand. It’s things like buffer overflows and worms that really need your attention, they say.

This is, ah, how should I put it, ridiculous. These new attacks are exactly the kind of things that should worry you if you’re charged with protecting a corporate network. Hackers pay good money for reliable attack methods like this, particularly when they are brand new and not well understood. Security specialists know what a buffer overflow attack looks like, and there are any number of products out there that are capable of stopping these attacks. But the complex techniques like Litchfield’s and Dowd’s are the ones that find the cracks in network defenses and by the time they’re recognized for what they are, it’s game over. And who’s to say that some hacker in the Ukraine or Brazil or China hasn’t been using the same techniques for months?

Sure, worms and viruses and phishing are still threats, but to ignore new attacks because they look difficult or complex is foolish at best and negligent at worst.

Sophos: Sharp rise in Web threats

The Web now hosts an “unprecedented” number of threats, according to a report recently released by Sophos. In the first quarter of this year, Sophos researchers discovered a newly infected Web page every five seconds, three times more than last year.

What’s especially unsettling is that a whopping 79% of these sites are legitimate ones that have been hacked. Sophos cites a March attack on a European soccer ticket site that tried to infect visitors’ computers and a February attack on UK broadcaster ITV that targeted Windows and Mac users. The top two malware threats found on the Web, Mal/Iframe and Mal/ObfJS, are used by criminals to infect Web sites by exploiting vulnerabilities, according to Sophos, a maker of antivirus software and other products.

The U.S. was the top country hosting Web-based malware in the first quarter. This year, it was responsible for hosting 42% of infected websites, up from last year, when it hosted less than 25%.

But while the number of infected Web pages is up this year, Sophos researchers tracked a decrease in the number of infected emails. One in every 2,500 emails was infected, a 40% drop from last year. Instead of sending a malicious attachment, criminals are sending links to compromised websites.

Cybercriminals use Beijing Olympics in Trojan attacks

We’ve seen the protests in the streets, but now MessageLabs is warning that it has tracked 13 Olympic-themed attacks, designed to spread malware and ultimately steal data.

The attacks are originating from IP addresses in Asia, but there are no surprises here. The attackers are using social engineering to trick end users into clicking on a malicious link in an email message.

I was in San Francisco, attending RSA Conference 2008 when the Olympic torch was carried through the streets. All the security detail had to do to avoid protestors was to change the running route at the last minute. Unfortunately there’s no real “safe zone” in cyberspace.

Messages are being sent with legitimate-sounding subject titles such as “The Beijing 2008 Torch Relay” and “National Olympic Committee and Ticket Sales Agents,” MessageLabs said. Some attacks purport to be from the International Olympic Committee, based in Lausanne, Switzerland.

Let’s be honest here, these guys aren’t protesting the Beijing Olympics, they’re trying to steal identities and make a quick buck. They’re also doing a good job staying under the radar, according to MessageLabs. They’re using Microsoft Office Database (MDB) files, usually hidden within ZIP files, in order to avoid detection by traditional antivirus engines.

Secure Computing CEO steps down

Secure Computing today named Daniel Ryan as interim CEO. He replaces John McNulty, who served as board chairman and CEO since 1999.

Ryan has served as the company’s president and chief operating officer since last August. Richard Scott, a Secure Computing board member since January 2006, was appointed chairman. McNulty will continue as a board member.

The San Jose-based vendor, which makes Web security gateways and other products, didn’t explain why McNulty is stepping down. A call to a company press contact was not immediately returned.

McNulty’s tenure included Secure Computing’s $274 million acquisition of email security vendor CipherTrust in 2006, which closely followed its $295 million acquisition of CyberGuard. Scott was a CyberGuard board member.

IBM Phantom to analyze virtual security

IBM’s X-Force security research team and IBM Research are studying ways to protect virtual computing environments. Code named Phantom, the research project has been ongoing and could result in new products and best practices designed to leverage the hypervisor to improve security. In this interview at RSA 2008, Joshua Corman, principal security strategist with IBM’s ISS team, explains Project Phantom and how IBM says it could help alleviate some of the risks associated with virtual environments.