Tuesday, September 07, 2010
LiveSquare Security Team Advisories

LSST [2008.21.141.1019] Robot User Creator Stopped by Simple, Non-Graphical, Captcha-Style Key

System administrators may have noticed a bot, originating traffic from the Pacific Rim, registering several accounts per week in their systems. This bot may intend to use the registered accounts for a future attack. The bot is very sophisticated and is sensitive to hidden values on forms. Additionally, the bot is capable of loading a form, reading its values, and then submitting a false registration based on generic names and/or random letters. Interestingly, the bot seems to use any JavaScript present to identify required fields.

Many web applications assume that registered users are more trustworthy; therefore, security controls are typically scaled back once a user has authenticated. It is believed this bot is working to generate a massive number of registered user accounts for a future DDoS or perhaps a SQL injection / XSS variant.

Some of the distinctive characteristics of this bot's registrations are that it fills in name fields with popular names such as "Biker D. Biker" and, in address fields, uses randomized letters such as "454 l. aSKdsaKDsddsk". It is also important to note that many of the email addresses used for logins are valid email addresses.

It is our recommendation that administrators check their databases for these types of registrations. If any are found, we recommend changing the passwords rather than deleting the accounts. If your system allows you to flag user logins, then these accounts should also be flagged to notify someone when an attempt to use them is made.

To prevent further bot-based registrations we recommend the following:

1) Use a simple user key entry that is randomly generated (3 digits works fine). Do not store the key value in the form itself. Rather, put it in text on the screen. For example: "Please enter the following three digit code into the box on the right." [KEY]

2) Make sure that nothing validates the key code on the client side: no JavaScript, and no .NET client-side validation.

3) Store the key in a session value on the server side.

4) Validate the key code on the form submission.

Although the code is easily seen and likely easily parsed, the bot currently lacks the sophistication to handle this type of validation. Our team has been working on methods to defeat this bot for the past month and has now verified this solution works.
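The advisory asks administrators to search their user tables for registrations of this shape and, when found, to force a password change and flag the account rather than delete it. The following is an added example, not LiveSquare's code: it encodes the two traits the advisory names (a repeated first/last name like "Biker D. Biker", and a random-looking address token like "aSKdsaKDsddsk") as a review heuristic over constructed sample rows. The column names, the sample rows and the numeric thresholds are assumptions chosen for illustration; a hit means "review this account", not "delete it".

```python
import re

# Constructed sample rows standing in for a query against the site's user
# table; the field names are an assumption, not the advisory's schema.
SAMPLE_REGISTRATIONS = [
    {"id": 1, "name": "Biker D. Biker", "address": "454 l. aSKdsaKDsddsk", "email": "biker@example.com"},
    {"id": 2, "name": "Jane Smith", "address": "12 Washington Street", "email": "jane@example.com"},
    {"id": 3, "name": "Runner Runner", "address": "9 Oak Lane", "email": "runner@example.com"},
    {"id": 4, "name": "Lee Chan", "address": "77 qWxkTrzpLmnb Rd", "email": "lee@example.com"},
]


def looks_random(token):
    """Heuristic for the advisory's 'aSKdsaKDsddsk' style: a longer run of
    letters that flips case often and has few vowels. The 0.25 thresholds
    are illustrative assumptions, tuned only against the samples above."""
    letters = [c for c in token if c.isalpha()]
    if len(letters) < 8:
        return False
    flips = sum(1 for a, b in zip(letters, letters[1:]) if a.isupper() != b.isupper())
    vowels = sum(1 for c in letters if c.lower() in "aeiou")
    return flips / (len(letters) - 1) >= 0.25 and vowels / len(letters) < 0.25


def suspicious_reasons(row):
    """Collect the advisory's two tell-tale traits for one registration row."""
    reasons = []
    parts = re.findall(r"[A-Za-z]+", row["name"])
    # "Biker D. Biker": the same word as first and last name.
    if len(parts) >= 2 and parts[0].lower() == parts[-1].lower():
        reasons.append("first and last name identical")
    # "454 l. aSKdsaKDsddsk": randomized letters in the address field.
    if any(looks_random(tok) for tok in row["address"].split()):
        reasons.append("random-looking address token")
    return reasons


def find_suspect_registrations(rows):
    """Return {id: [reasons]} for rows worth a human review."""
    suspects = {}
    for row in rows:
        reasons = suspicious_reasons(row)
        if reasons:
            suspects[row["id"]] = reasons
    return suspects


def quarantine(row):
    """The advisory's response: keep the account, force a password change and
    flag it so a login attempt raises an alert (flag names are an assumption)."""
    return {**row, "password_reset_required": True, "alert_on_login": True}


if __name__ == "__main__":
    for rid, reasons in find_suspect_registrations(SAMPLE_REGISTRATIONS).items():
        print(rid, "->", ", ".join(reasons))
```

Run against real data, the vowel/case heuristic will produce some false positives on unusual surnames, which is why the result feeds a review queue and `quarantine` leaves the account in place.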
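The four steps above form one procedure: generate a short random key, show it only as on-screen text, keep the authoritative copy in the server-side session, and validate on submission with no client-side check. Here is an added example of that flow, not LiveSquare's code: the in-memory `SESSIONS` dictionary stands in for a web framework's session store, the `/register` action and field names are assumptions, and `weak_render_form` exists only to show the hidden-field variant the advisory warns against (the bot is "sensitive to hidden values on forms") next to a self-check that catches it.

```python
import re
import secrets

# Constructed in-memory session store standing in for the framework's
# server-side session (an assumption; use the real session object in practice).
SESSIONS = {}


def new_session():
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {}
    return sid


def issue_key(session_id):
    """Steps 1 and 3: random three-digit key, kept only in the server-side session."""
    key = f"{secrets.randbelow(1000):03d}"
    SESSIONS[session_id]["reg_key"] = key
    return key


def render_form(session_id):
    """Step 1: the key is shown as on-screen text. The form carries no copy of it
    and no client-side check (step 2), so the server is the only validator."""
    key = issue_key(session_id)
    return (
        "Please enter the following three digit code into the box on the right.\n"
        f"{key}\n"
        '<form method="post" action="/register">\n'
        '  <input type="text" name="email">\n'
        '  <input type="text" name="code">\n'
        '  <input type="submit" value="Register">\n'
        "</form>\n"
    )


def weak_render_form(key):
    """What NOT to do: the key travels in a hidden field, which the bot reads."""
    return (
        '<form method="post" action="/register">\n'
        f'  <input type="hidden" name="expected" value="{key}">\n'
        '  <input type="text" name="code">\n'
        "</form>\n"
    )


INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)


def form_exposes_key_as_field(html, key):
    """Self-check for step 1: does any hidden input carry the key value?"""
    return any('type="hidden"' in tag and f'value="{key}"' in tag
               for tag in INPUT_TAG.findall(html))


def validate_registration(session_id, form):
    """Step 4: compare the submitted code with the session copy. The key is
    consumed on use, so a replayed submission fails until the form is reloaded."""
    session = SESSIONS.get(session_id)
    if session is None:
        return False, "no session"
    expected = session.pop("reg_key", None)
    if expected is None:
        return False, "no key issued"
    submitted = form.get("code", "")
    if not secrets.compare_digest(expected.encode(), submitted.encode()):
        return False, "bad code"
    return True, "ok"


if __name__ == "__main__":
    sid = new_session()
    page = render_form(sid)
    print(page)
    # A user types the on-screen code; the server checks it against the session.
    print(validate_registration(sid, {"email": "user@example.com", "code": SESSIONS[sid]["reg_key"]}))
```

The only thing the browser receives is the visible text; there is no hidden field and no script for the bot's form parser to harvest, and the session copy is discarded after one comparison so a stored form cannot be resubmitted.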