The Asprox botnet is sending out more than just phishing e-mailsit is now spreading a SQL injection attack tool.A botnet is outfitting its army of compromised computers with a SQL
injection attack tool to hack Web sites, researchers at SecureWorks have
discovered.
According to SecureWorks, the Asprox botnet, once used solely to send out
phishing e-mails, is pushing the tool out to systems in its network via a
binary with the file name msscntr32.exe. The executable is installed as a
system service with the name "Microsoft Security Center Extension."
Despite the name, the file is in fact a SQL injection attack tool that when
launched searches Google for .asp pages that contain certain terms. It then launches
SQL injection attacks against the Web sites returned by the search. According
to SecureWorks, the attack is designed to inject an IFrame into the Web site
that tricks visitors into downloading a JavaScript file from the domain
direct84.com.
This file in turn redirects computers to a site where additional malicious
JavaScripts are stored, although the secondary site appeared to be down when
SecureWorks first reported the attacks May 14. When successful, however, the
site installs additional copies of Asprox, the password-stealing Trojan Danmec
or the SQL attack tool.
When researchers have the power to seize control of botnets, should they? A recent discovery triggers ethical debate. Click here to read more.
According to a list from VirusTotal, only a handful of the major anti-virus
vendors are detecting the attack tool at this time.
"This is the first time I've seen a SQL injection tool, but certainly
other botnets have tried to spread in a similar manner, infecting Web sites
with IFrames," said Joe Stewart, director of malware research at
SecureWorks. "For instance, Storm tries to get your password if you log in
to a Web site with FTP, and will put an IFrame into the page for you."
So far, SecureWorks has found 1,000 Web sites infected by this wave of SQL
attacks. Visitors to these infected Web sites are infected with the Asprox
malwareturning them into botsand also download some scareware.
"We've estimated [the Asprox botnet] at around 15,000 hosts, but that
was before the wave of SQL attacks," Stewart said in an interview with
eWEEK.
Researchers are still investigating exactly what vulnerability on the Web
sites is being exploited, Stewart said. The Web sites are English-language and their
owners include law firms and midsize businesses.
A similar attack technique is currently being seen
spreading game-password-stealing Trojans from China. Whether the tool is related or only the attack syntax
is shared, it is clear that SQL injection attack activity is on the rise from
multiple sources, Stewart wrote in his blog.
| | Reader Comments: Botnet Installs SQL Injection Tool | | >>> Post your comment now!
| | Re:Here is the referenced list from VirusTotal from May:
http://www.virustotal.com/analisis/d7d5aa4b4b6e56e060b695f986f709a4
Whether or not it is... Posted At: 08-29-08
By: Brian Prince, eWEEK | | | | | | Well, for starters only a [i]handful[/i] of antivirus tools can successfully detect the malware, you say? Do tell!
As in, do tell us [i]which [b]ones[/b][/i],... Posted At: 08-29-08
By: COMALite J | | | | | | re:Hi. Can you be more specific? What would you like to know that's not in there? Thanks. Posted At: 05-19-08
By: Brian Prince | | | | | | | | | | | | A user comment on this articleHello, this is Brian Prince at eWEEK. Are you concerned that this botnet activity could infect your business site? Posted At: 05-14-08
By: Brian Prince | | | | | | >>> Post your comment now! | | | | | |
|
Network Security & Hardware 
