Asprox Botnet Attacks Come Back

By Matthew Hines  |  Posted 2009-10-06 Print this article Print

The Asprox family of SQL injection attacks that attempt to loop users' machines into a well known botnet have surged again, victimizing people who visit Web sites that have been infected with its propagation agents.

Asprox has begun to swell again in recent weeks, repeating a pattern of on-again off-again growth, experts note.

And while security researchers aren't particularly blown away by the sophistication of the attacks, the Asprox threat's ability to infect large numbers of Web sites with its malicious iframe content makes it such that the campaign is likely to continue for a while until people begin more actively seeking to protect themselves against it, or its owners decide to throttle back again, observers maintain.

Over the last several years we've seen an increase in such behavior, as botnet masters fluctuate the size of their zombie armies either to enlist new machines to carry out malicious activities, or shrink them again to avoid more aggressive pursuit by the IT security community.

Like typical street criminals who cut back on their work to "cool off" attention from law enforcement or rival gangs, the technique does appear to be working, as evidenced by the long-running resiliency of Asprox and some of its older brethren.

"While Asprox is a fairly dumb SQLi agent compared to some of the other botnet operations out there today, it's more than sufficient to be successful against many thousands of vulnerable Web applications," said Gunter Ollman, vice president of research with anti-botnet specialists Damballa, in a recent blog post. "It's not a particular intelligent nor advanced attack, but it tends to get the job done."

What makes Asprox rather unintelligent, compared to some newer SQL injection-driven zombie networks, is the manner in which it targets vulnerable Web sites to expand its reach, the expert said.

Asprox "launches a barrage" of SQL injection attempts against any vulnerable Web sites and servers that it finds online, seeking any way that it can find a way to compromise the assets based on the software that supports them.

In the end this results in the attack going after the same random Web sites repeatedly. However, newer attacks have become more effective in terms of finding larger numbers of potentially vulnerable URLs and assailing them in a manner that is more likely to get the botnet masters the additional bandwidth they seek to add to their networks, Ollman said.

"Newer, more intelligent SQLi-oriented botnets do it a little different and are more efficient in their attacks," said Ollman. "[They] take a more coordinated stance in their attacks, making better use of the command and control (CnC) infrastructure to eliminate duplicated efforts."

The more advanced technique of Blind SQL injection is also getting more usage as botnet agents scripting interfaces mature.

So, older botnets like Asprox are still getting the job done, and newer, smarter botnets are getting more sophisticated quickly.

That's not exactly good news in terms of slowing the spread of zombie networks.

At least Halloween is now only just a few weeks away.

Follow eWeek Security Watch on Twitter at: eWeekSecWatch.

Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to |

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel