RSA Admin

Ampersanding Overflows and How to Detect Them

Discussion created by RSA Admin Employee on May 30, 2013
Latest reply on Jun 24, 2013 by RSA Admin

Over the past few days I've noticed a trend on UrlQuery that shows scores of ampersanded commands in the web queries. These ampersanded commands are intended to run a query, but by flooding the web browser with the commands it may be possible to inject an IFRAME into some browsers. Check out this search for the parameter "&amp" at UrlQuery here.


I visited one of these sites with an Invincea-protected web browser to see if I would be exploited. I was. Here is the event timeline.


In this instance, a process and a local share were injected via a single-pixel IFRAME. Other sites with similar ampersanded queries lead to Blackhole exploits, toolbar downloads or other malware delivery.


The good news is that Security Analytics / NetWitness can easily detect these ampersanded overflows. Just create a new capture rule on the decoders. Name the rule "Ampersanding Overflow WebQuery".

Rule Contents are: query contains '&'


Good Luck and Happy Hunting!
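As an added example (not code from the original post, and not the rule language of Security Analytics / NetWitness), the following Python applies the post's broad test, query contains '&', to a few constructed request URLs and sets a tighter count-based variant beside it. The threshold of 20 separators, the sample URLs and the function names are assumptions made for illustration, not values taken from the post or from UrlQuery.

```python
"""Flag web requests whose query string carries an unusual number of
'&'-separated parameters.

Added example: not from the original post and not NetWitness rule syntax.
The sample requests below are constructed, not captured traffic, and the
threshold is an assumed tuning value.
"""
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Assumed threshold: an ordinary page request carries a handful of
# parameters. Tune this against your own traffic before deploying.
AMPERSAND_THRESHOLD = 20


def query_stats(url: str) -> dict:
    """Return the counts a detection rule could key on for one request URL."""
    query = urlsplit(url).query
    # parse_qsl keeps duplicate keys (q=1&q=2), which is what we want to see
    # when the same parameter is repeated dozens of times.
    pairs = parse_qsl(query, keep_blank_values=True)
    keys = Counter(k for k, _ in pairs)
    return {
        "ampersands": query.count("&"),
        "params": len(pairs),
        "max_repeat": max(keys.values(), default=0),
    }


def is_ampersand_overflow(url: str, threshold: int = AMPERSAND_THRESHOLD) -> bool:
    """True when the query string holds at least `threshold` '&' separators."""
    return query_stats(url)["ampersands"] >= threshold


def scan(urls):
    """Apply the post's broad rule and the count-based rule to each URL."""
    results = []
    for url in urls:
        stats = query_stats(url)
        results.append({
            "url": url,
            # The post's capture rule, `query contains '&'`: this fires on
            # any request with two or more query parameters.
            "contains_ampersand": stats["ampersands"] > 0,
            # Tighter variant: only long runs of separators.
            "overflow": is_ampersand_overflow(url),
            **stats,
        })
    return results


# Constructed sample traffic (assumed for illustration, not from the post).
SAMPLE_URLS = [
    "http://example.test/search?q=netwitness&page=2",
    "http://example.test/index.php?" + "&".join(f"q=cmd{i}" for i in range(60)),
    "http://example.test/static/logo.png",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_URLS):
        print(f"{r['url'][:50]:50} ampersands={r['ampersands']:3} "
              f"contains={r['contains_ampersand']} overflow={r['overflow']}")
```

The first sample shows why the broad rule is noisy: a two-parameter search request already matches query contains '&'. Counting separators, and counting how often one key repeats, keeps the alert focused on the flooded queries the post describes while leaving ordinary multi-parameter requests alone.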
