Risk

5/14/2008
09:22 AM

Bots Use SQL Injection Tool in New Web Attack

Phishing botnet Asprox uses zombies to infect Websites, recruit more bots

A little-known botnet has put a different spin on the recent wave of SQL injection attacks on thousands of Websites: It’s outfitting its bots with its own tool to launch SQL injection attacks on vulnerable sites. (See Third Wave of Web Attacks Not the Last.)

The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms -- and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks, who has documented his findings on the attack.

Stewart says the Asprox botnet’s SQL injection attack is likely a copycat of the recent SQL injection Website attacks from China, which deliver a Trojan that steals online gaming passwords. But this is the first SQL injection attack Stewart has seen using a botnet and a toolkit to do the dirty work. Asprox so far has infected over 1,000 Websites this way, he says.

“I’ve seen bots get other types of infection tools, but not SQL injection” tools, Stewart says. “It’s almost like they noticed the Chinese[-based] attack and copied their code into their own binary for their own attack... The hacks are so similar to the way the other SQL injection attacks are going.”

The attack injects an iFrame into the Website, which then infects visitors with a malicious JavaScript file from the “direct84.com” domain.
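A defender-side check for the injection described above, added here as an example and not code from the article or from SecureWorks: it scans stored page content (for instance, text columns pulled from the site's database) for iframe or script tags whose src points off-site, and flags the direct84.com domain named in the story as known-bad. The site host, the partner CDN and the sample rows are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

KNOWN_BAD_HOSTS = {"direct84.com"}          # domain named in the article
TRUSTED_HOSTS = {"www.example-shop.test"}   # assumed: the site's own host


class InjectedTagFinder(HTMLParser):
    """Collect the src attribute of every <iframe> and <script> tag."""

    def __init__(self):
        super().__init__()
        self.refs = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("iframe", "script"):
            for name, value in attrs:
                if name == "src" and value:
                    self.refs.append((tag, value))


def classify_ref(src):
    """Return 'known_bad', 'offsite' or 'trusted' for one src value."""
    # Scheme-less values such as "evil.test/x.js" get "//" so urlparse sees a host.
    host = urlparse(src if "//" in src else "//" + src).hostname
    if host is None:
        return "trusted"  # relative path served from our own site
    host = host.lower()
    if host in KNOWN_BAD_HOSTS or any(host.endswith("." + b) for b in KNOWN_BAD_HOSTS):
        return "known_bad"
    if host in TRUSTED_HOSTS:
        return "trusted"
    return "offsite"


def scan_rows(rows):
    """rows: iterable of (row_id, html_fragment). Returns untrusted references."""
    findings = []
    for row_id, html in rows:
        parser = InjectedTagFinder()
        parser.feed(html)
        for tag, src in parser.refs:
            verdict = classify_ref(src)
            if verdict != "trusted":
                findings.append({"row": row_id, "tag": tag, "src": src, "verdict": verdict})
    return findings


# Constructed sample rows: row 2 carries an injected hidden iframe.
SAMPLE_ROWS = [
    (1, "<p>Welcome to our store.</p>"),
    (2, '<p>Shoes</p><iframe src="http://direct84.com/x.js" width=0 height=0></iframe>'),
    (3, '<script src="/js/site.js"></script><script src="//cdn.partner.test/a.js"></script>'),
]

if __name__ == "__main__":
    for finding in scan_rows(SAMPLE_ROWS):
        print(finding)
```

Anything reported as offsite still needs a human decision; only the known_bad verdict is conclusive on its own.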

Several researchers, including IBM ISS’s X-Force team and Fortify Software, have witnessed copycat SQL injection Website attacks in recent days. “These [SQL injection Website attacks] are not orchestrated together. They are very opportunistic,” says Jacob West, manager of the security research group at Fortify.

Asprox, meanwhile, is also recruiting new bots in its attack -- when a user visits a site infected by Asprox via SQL injection, he or she ends up infected with Asprox botware. Unbeknownst to the user, his or her machine could, in turn, receive a download of the SQL injection toolkit to continue the cycle. “This has potential to spread like a worm,” Stewart says.

“Its purpose is to infect Websites, and then recruit more bots,” he says. SecureWorks had Asprox at about 15,000 bots last month, but is recounting the botnet to see how much this new attack vector is expanding the botnet. (See SecureWorks Unveils Research on Spamming Botnets.)

Asprox has also thrown in some “scareware” for good measure. “It sends out its spam, but also... posts a warning that there’s spyware found on your computer, [so you should] download this to get rid of it,” Stewart says. “You have to pay for it, so they get your credit card information, too. It’s some additional income on the side,” although the scareware appears to be handled more by an affiliate than by Asprox itself, he says.

Why this particular botnet-borne SQL injection attack? “It’s a new attack vector. It gives them a way to expand their gene pool” and to get a lot bigger, Stewart says. “If you’re a spamming botnet and you spread mainly by emailing links to get users to click on them, you’re always limited to the pool of email addresses you’re already spamming.

“This gives you a fresh set of bots,” he says.

Stewart says Asprox operators are trying to expand the botnet to compete more strongly with others for a piece of the action. “This botnet is emerging and trying to compete,” he says.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
