Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Fast-Fluxing SQL injection attacks executed from the Asprox botnet

Summary: The botnet masters behind the Asprox botnet have recently started SQL injecting fast-fluxed malicious domains in order to enjoy a decent tactical advantage in an attempt to increase the survivability of the malicious campaign. I first assessed the Asprox botnet in January, and again in April when it started scaling and diversifying its campaigns from fake Windows updates, to fake Yahoo ecards, as well as executable news items.

SHARE:
16

The botnet masters behind the Asprox botnet have recently started SQL injecting fast-fluxed malicious domains in order to enjoy a decent tactical advantage in an attempt to increase the survivability of the malicious campaign. I first assessed the Asprox botnet in January, and again in April when it started scaling and diversifying its campaigns from fake Windows updates, to fake Yahoo ecards, as well as executable news items. A botnet crunching out phishing emails and spam as usual? Depends on the momentum. Automating the process of SQL injecting a large number of sites is one thing, SQL injecting fast-fluxed domains is entirely another. Secureworks comments on the introduction of the SQL injection tool within the botnet :

"As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool. When launched, the attack tool will search Google for .asp pages which contain various terms, and will then launch SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which will force visitors to download a javascript file from the domain direct84.com. This file in turn redirects to another site, where additional malicious javascript can be found. Currently the secondary site appears to be down, however it is likely that when successful, the site attempts to exploit the visitor's web browser in order to install additional copies of either Danmec, Asprox and/or the SQL attack tool."

Now comes the fast-flux. The latest massive SQL injection attack courtesy of the Asprox botnet, is this time using the banner82 .com domain which continues to be in a fast-flux mode, namely, it's simultaneously hosted at ten different malware infected IPs, with the IPs constantly changing. Let's illustrate this by taking a look at the changing IPs responding to the same domain within a period of 24 hours  :

Fast Flux SQL Injection

Fast Flux SQL Injection

Fast Flux SQL Injection

Fast-flux has been extensively researched by the Honeynet Project, whose research into the topic greatly illustrates single and double-fluxed networks, with the Storm Worm acting as a personal benchmark for the true dynamic nature of fast-flux networks. Fast-flux was embraced by the malicious parties around the middle of 2007, when managed fast-flux providers appeared, and more spam and phishing domains were set in a fast-flux mode. Fast-fluxing SQL injected domains is, however, a new tactic, so you have a botnet of infected hosts that automatically scan and inject malicious domains within vulnerable sites, and the malicious domains themselves part of a fast-flux network provided by the botnet's infected population, that are also hosting and sending the phishing campaigns.

What is the objective of the latest SQL injection attack launched by the Asprox botnet? It's infecting new hosts to be added to the botnet. Banner82 .com has a tiny iFrame that's attempting to load dll64 .com /cgi-bin/index.cgi?admin where the NeoSploit malware exploitation kit is serving MDAC ActiveX code execution (CVE-2006-0003) exploit.

Here are sample fast-fluxing DNS servers used by banner82 .com, as well as a sample internal fast-flux structure used by the botnet:

exportpe .net ns1.exportpe .net ns2.exportpe .net ns3.exportpe .net ns4.exportpe .net ns5.exportpe .net ns6.exportpe .net ns7.exportpe .net ns8.exportpe .net

Fast Flux SQL Injection

cookie68 .com ns1.cookie68 .com ns3.cookie68 .com ns4.cookie68 .com ns4.cookie68 .com ns6.cookie68 .com ns7.cookie68 .com ns8.cookie68 .com

Fast Flux SQL Injection

ns1.ns2.ns4.ns1.ns7.ns8.ns1.ns4.ns6.ns3 .aspx88.com ns1.ns2.ns4.ns6.ns7.ns7.ns3.ns2.ns5.ns1 .aspx88.com ns1.ns2.ns5.ns1.ns7.ns8.ns2.ns5.ns4.ns3 .aspx88.com ns1.ns1.ns5.ns2.ns7.ns8.ns1 .bank11.net ns1.ns1.ns5.ns2.ns8.ns7.ns4 .bank11.net

Fast Flux SQL Injection

The screenshots speak for themselves, and for the infrastructure they've managed to build using the malware infected hosts to send scams, host the scam domains, infect new hosts, scan for vulnerable sites, SQL inject them and host the live exploit URls within. And with the introduction of fast-flux whose infrastructure is provided by the botnet's infected population, and automating the SQL injection process, the Asprox botnet is slowly turning into a self-sustaining cybercrime platform.

Go through a related assessment if you're interested in knowing more about the geographic locations of the infected hosts used in a sample SQL injection attacks, as well as related comments on the use of botnets to launch SQL injection attacks.

Topics: Malware, Security, Software

Dancho Danchev

About Dancho Danchev

Dancho Danchev is an independent security consultant and cyber threats analyst, with extensive experience in open source intelligence gathering, malware and cybercrime incident response.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

16 comments
Log in or register to join the discussion
  • Exfiltration?

    Dancho, are you seeing any exfiltration of data through these mass SQL Injection attacks? I have a few clients who have been hit as well.

    -Nate
    nmcfeters
    • Nate, which platforms are vulnerable?<NT>

      .
      fr0thy2
    • Re: Exfiltration?

      Well, the vulnerable sites are used as infection vectors, so whoever visits gets infected, then it's all a matter that they serve on a per campaign basis. In this case, the infected hosts start sending out phishing emails, but this could have already changed given they have access to the hosts.
      ddanchev
  • <iframe </iframe

    OK just be safe, we're going to filter all sql data to remove all forms of [<iframe] [</iframe] [text][&xx;][%xx] from we already filter out [<script] [</script]
    dragon@...
  • Where are the Developers???

    Unbelievable!!! XP running on OLPC gets how much chatter?

    Information on One of the more important web based developments / security threats and where are they? Where are the Developers? Perhaps there are only a very few on this site. How sad.

    Has the Software Development Community somehow become a bunch of Fan Boys and Zealots?
    How does software become religion?
    When in this day and ago, did software security become less important than how someone chooses to make money from software?

    When is a fact a fact?
    When does fiction become a fact?
    And how old and disused must a fact be, to become relegated the category "fairy tail"?

    From now on We're taking a direct email from Dancho Danchev site. Security being of concern here.
    dragon@...
    • Is there a fix for .asp pages?

      Does anyone have a fix to prevent them in the 1st place...We have an .asp site
      chugh97
  • RE: Fast-Fluxing SQL injection attacks executed from the Asprox botnet

    sql injection is caused by this kind of code

    ASP:

    dim rs = new recordset("SELECT somecolumn FROM sometable WHERE id=" & request.querystring("id"))

    This is vulnarable to sql injection as the request.querystring is directly used into SQL

    The solution is to replace all request.querystring("id") to replace(request.querystring("id"),"'","''")

    The ' is replaced with ''.

    That will work. Better use a wrapper function to achieve this.

    Another aproach is to use a db_reader account for your website instead of dbowner


    Kind regards, Nico Lubbers
    nico.lubbers@...
    • Still getting through.

      I have always used Replace(),"'","''") in all my fields, and yet this thing is still getting through. I even went so far as filtering out anything to do with www.banner82.com/b.js but now it has changed to www.adw95.com/b.js so i now have that filtered out. it is only effecting 1 table in my database [there are 3 that are public writable] and yet every other day a new one pops up. I can't find anywhere in my code this is being allowed through. I'm just wondering if it has to do with the fact I am using an RTE with that particular table. I've tried even limiting the updates to a few specific ip's but that doesn't help either. what am I doing wrong :(
      TheQuestor
      • Quick fix, Long fix

        I have always used Replace() for single quotes too and this attack caught me off guard... I think the safest long-term thing to do (if you don't want to do a major code re-write), and if it's not too hard based on your app, is to turn all your inline SQL code into stored procedures, then take ALL the rights away from SQL account you use from the website, and grant EXEC rights for each stored procedure to that user, but nothing more.

        A quick fix in the meantime is to add to your string input scrub routine, replacing semi-colons with an empty string (if you don't need to store any data containing semi-colons) - that will block the current attacks.
        yoshimi
      • Same concern here

        TheQuestor, I'm having the exact same issue in that only 1 table is being affected. I've implemented a bunch of protective measures but it's still happening. I'm also wondering if it is due to the fact that fckeditor is part of a form (which is secured and requires authentication to access)...perhaps one of the users has an infected PC and the script is being injected via the RTE. Did you mean rich-text editor when you said RTE? Have you been able to get to the bottom of this? Thanks for your help.
        zkampel
        • Another approch

          I agree that stored procedures is most safe instead of inline sql.

          Also take the following in account:
          Add the replace-function on *every* input, (even on integer fields and YES! even on cookie values, as sql-injection is also possible on the request.cookies)

          Another approach is to "destroy" certain SQL keywords:

          replace(request.querystring("id")," insert ","&amp;nbsp;insert&amp;nbsp;")

          replace(request.querystring("id")," select ","&amp;nbsp;select&amp;nbsp;")

          replace(request.querystring("id")," delete ","&amp;nbsp;delete&amp;nbsp;")

          etc with (FROM, TABLE, WHERE, TRUNCATE, DROP)

          Somehow this must be the key to success... (it helped with my site)....

          Furthermore: be sure to have your database behind a firewall.

          Success, Nico Lubbers
          nico.lubbers@...
  • RE: Fast-Fluxing SQL injection attacks executed from the Asprox botnet

    hmmm, the replace was with & NBSP ;, but zdnet does not show that. What i meant was:

    replace(request.querystring("id")," UPDATE ","&amp;nbsp;UPDATE&amp;nbsp;")

    Nico
    nico.lubbers@...
  • Sentinel IPS defends these attacks

    We are a large county government and seeing up to 6,000 blocked networks in a day from Asprox on just one of our many Sentinel appliances. They can help consult you in cleaning your database and auditing your security but please look into Sentinel IPS http://www.econet.com for $299/m it is small price for peace of mind
    offroadgreg
  • Block this on a Cisco Router

    Hi All,

    Due to the large amount of this type of traffic we are seeing, we have written a guide for blocking this on a Cisco Router. This can be useful if you do not have another Security Device:

    http://cisconews.co.uk/2008/07/09/asprox-sql-injection-attacks-block-them-using-a-cisco-router/

    Let me know your thoughts. Obviously the class-map can be evolved to include other strings.

    Cheers,
    Rich79
  • RE: Fast-Fluxing SQL injection attacks executed from the Asprox botnet

    This virus took my site offline for 3 weeks and I had to seek an internet security company to fix my site.

    It cost me ??50 but well worth it after the hastle I have had!!

    Hope this helps others:
    http://www.firestorm-online.com/trojans/asprox/
    thebeanieman
  • Automatic Web Site Defacement via ASPROX

    Read more and download two free tools:

    1) Injector - proof-of-concept tool to test web sites
    2) dotDefender - software solution to protect your web site

    All in my blog at:

    http://chaptersinwebsecurity.blogspot.com/2008/07/asprox-silent-defacement.html

    Raviv
    ravivr