Devastating hacker attack from China with silent love


21 May 2008

A potentially devastating virus understood to have originated in China is sweeping the internet, turning compromised websites into automated collectors of sensitive password information about their users.

So far 9,000 western websites have been affected, unbeknownst to their owners.

The industrialised cyber attack, dubbed ‘Silent Love China’, uses a technique known as SQL injection to place a piece of code, known as an iFrame, on content-heavy websites; the iFrame gathers usernames and passwords for information thieves.

“What happens with this type of attack is rather than destroy a website, the hacker plants a code using SQL injection,” explains Damian Saunders, manager of Citrix’s applications networking group.

“It effectively issues a number of characters called an SQL string into a field that accesses the SQL database and returns the information back to the hacker or puts it into the iFrame. An iFrame is an HTML document that sits hidden inside the website.

“The virus doesn’t threaten the owner of the site; it threatens the user,” Saunders explained.

The attacks are understood to exploit vulnerabilities in Internet Explorer and RealPlayer, leading to the installation of a password-stealing Trojan Horse programme, with the phrase ‘Silent Love China’ buried in the exploit code.

Saunders said the sites most threatened by the attack are primarily content-heavy ones, such as those owned by media companies, which require username and password login details.

Under threat in particular are Web 2.0 sites with multiple web applications running.

“The problem with this kind of attack is that site owners need to adapt the security of the site almost as continually as the content changes on the site. This can be frustrating. Firms that want to protect themselves and their users from this kind of attack should look to infrastructure-based solutions and make sure their web applications are properly firewalled.”

Web-app firewalling has recently been mandated by the PCI Security Standards Council, whose standard is adhered to by most top-tier e-commerce sites such as Amazon.com and eBay.

“But the interesting thing about this attack is that the majority of sites affected are not e-commerce sites, only sites that provide content.

“The other thing that’s different about this attack is that most SQL injection attacks are done on a one-on-one basis. One hacker, one website. This time round, it seems to be an industrial-type attack simultaneously hosted at several malware addresses.

“The bottom line is if you want your content to remain dynamic, deploy an infrastructure that will firewall your web applications,” Saunders warned.
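As an added illustration of the two points Saunders makes (how an injected iFrame sits hidden in stored content, and why the database query must be hardened), the following Python is example code written for this article, not from Citrix or the attack itself. It assumes a constructed `articles` table in an in-memory SQLite database and a hypothetical `TRUSTED_HOSTS` allow-list; it scans stored page bodies for off-site or invisible iFrames, and shows a parameterised lookup that keeps user input out of the SQL grammar.

```python
import re
import sqlite3
from html.parser import HTMLParser

# Assumption: hosts this site legitimately embeds; any other iframe target is suspect.
TRUSTED_HOSTS = {"www.example.com"}

class _IframeCollector(HTMLParser):
    # Collects the attributes of every <iframe> start tag in a document.
    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

def find_suspicious_iframes(html):
    # Return src values of iframes that point off-site or are sized/styled to be invisible.
    parser = _IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "").strip()
        m = re.match(r"https?://([^/:]+)", src, re.I)
        off_site = bool(m) and m.group(1).lower() not in TRUSTED_HOSTS
        style = attrs.get("style", "").replace(" ", "").lower()
        hidden = attrs.get("width") == "0" or attrs.get("height") == "0" or "display:none" in style
        if off_site or hidden:
            hits.append(src)
    return hits

def scan_stored_content(conn):
    # Scan every stored article body; returns {title: [suspicious srcs]} for affected rows.
    return {t: h for t, b in conn.execute("SELECT title, body FROM articles") if (h := find_suspicious_iframes(b))}

def lookup_article(conn, title):
    # Parameterised lookup: the placeholder keeps user input out of the SQL grammar.
    return [r[0] for r in conn.execute("SELECT body FROM articles WHERE title = ?", (title,))]

def build_sample_db():
    # Constructed sample data: one clean article and one carrying an injected hidden iframe.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (title TEXT, body TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?)", [
        ("clean", "<p>Hello</p><iframe src='https://www.example.com/player'></iframe>"),
        ("tainted", "<p>News</p><iframe src='http://malware.invalid/x.htm' width=0 height=0></iframe>"),
    ])
    return conn
```

Running `scan_stored_content(build_sample_db())` flags only the `tainted` row, and `lookup_article` returns nothing (rather than breaking the query) for a title containing a quote character.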

By John Kennedy