Fast-Fluxing SQL injection attacks executed from the Asprox botnet
The botnet masters behind the Asprox botnet have recently started SQL injecting fast-fluxed malicious domains in order to enjoy a decent tactical advantage in an attempt to increase the survivability of the malicious campaign. I first assessed the Asprox botnet in January, and again in April when it started scaling and diversifying its campaigns from fake Windows updates, to fake Yahoo ecards, as well as executable news items.
A botnet crunching out phishing emails and spam as usual? That depends on the momentum. Automating the process of SQL injecting a large number of sites is one thing; SQL injecting fast-fluxed domains is entirely another. Secureworks comments on the introduction of the SQL injection tool within the botnet:
Now comes the fast-flux. The latest massive SQL injection attack courtesy of the Asprox botnet is this time using the banner82 .com domain, which continues to be in fast-flux mode: it is simultaneously hosted at ten different malware-infected IPs, with the set of IPs constantly changing. Let's illustrate this by looking at the changing IPs responding to the same domain within a period of 24 hours:
What is the objective of the latest SQL injection attack launched by the Asprox botnet? Infecting new hosts to be added to the botnet. Banner82 .com has a tiny iFrame that attempts to load dll64 .com /cgi-bin/index.cgi?admin, where the NeoSploit malware exploitation kit is serving an exploit for the MDAC ActiveX code execution vulnerability (CVE-2006-0003).
Here are sample fast-fluxing DNS servers used by banner82 .com, as well as a sample internal fast-flux structure used by the botnet:
The screenshots speak for themselves, and for the infrastructure they've managed to build using the malware-infected hosts: sending scams, hosting the scam domains, infecting new hosts, scanning for vulnerable sites, SQL injecting them, and hosting the live exploit URLs within. With the introduction of fast-flux, whose infrastructure is provided by the botnet's infected population, and the automation of the SQL injection process, the Asprox botnet is slowly turning into a self-sustaining cybercrime platform.
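The fast-flux behaviour described above (one domain answering with a constantly changing set of infected IPs over 24 hours) is what a resolver-log analyst looks for. The following is an added example, not code from the original post: it scores repeated A-record observations for distinct IPs, distinct /24 prefixes, low TTL and answer churn. The domain names, addresses and thresholds are constructed assumptions, not the real campaign's values.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample resolver log (placeholder domains and RFC 5737 addresses):
# "timestamp domain ttl ip1,ip2,..." for repeated lookups over one day.
SAMPLE_LOOKUPS = """\
2008-07-10T00:00:00 flux-example.invalid 300 192.0.2.10,192.0.2.11,198.51.100.5
2008-07-10T06:00:00 flux-example.invalid 300 192.0.2.12,203.0.113.7,198.51.100.9
2008-07-10T12:00:00 flux-example.invalid 180 203.0.113.21,192.0.2.33,198.51.100.40
2008-07-10T18:00:00 flux-example.invalid 300 203.0.113.50,192.0.2.61,198.51.100.77
2008-07-10T00:00:00 stable-example.invalid 3600 192.0.2.100
2008-07-10T06:00:00 stable-example.invalid 3600 192.0.2.100
2008-07-10T12:00:00 stable-example.invalid 3600 192.0.2.100
2008-07-10T18:00:00 stable-example.invalid 3600 192.0.2.100
"""

def parse_lookups(text):
    """Parse the log into {domain: [(timestamp, ttl, set_of_ips)]}, time-ordered."""
    obs = defaultdict(list)
    for line in text.splitlines():
        ts, domain, ttl, ips = line.split()
        obs[domain].append((datetime.fromisoformat(ts), int(ttl), set(ips.split(","))))
    for records in obs.values():
        records.sort(key=lambda r: r[0])
    return obs

def flux_indicators(observations):
    """Per-domain features: distinct IPs, distinct IPv4 /24s, lowest TTL, churn.
    Churn is the fraction of consecutive answers that share no IP at all."""
    summary = {}
    for domain, records in observations.items():
        all_ips = set().union(*(ips for _, _, ips in records))
        nets = {".".join(ip.split(".")[:3]) for ip in all_ips}  # IPv4 /24 prefixes
        min_ttl = min(ttl for _, ttl, _ in records)
        pairs = list(zip(records, records[1:]))
        churn = (sum(1 for a, b in pairs if not (a[2] & b[2])) / len(pairs)
                 if pairs else 0.0)
        summary[domain] = {"distinct_ips": len(all_ips), "distinct_24s": len(nets),
                           "min_ttl": min_ttl, "churn": churn}
    return summary

def is_fast_flux(feat, min_ips=5, min_nets=3, max_ttl=600, min_churn=0.5):
    """Assumed thresholds: many IPs across several networks, short TTL, high churn."""
    return (feat["distinct_ips"] >= min_ips and feat["distinct_24s"] >= min_nets
            and feat["min_ttl"] <= max_ttl and feat["churn"] >= min_churn)

if __name__ == "__main__":
    for dom, feat in flux_indicators(parse_lookups(SAMPLE_LOOKUPS)).items():
        print(dom, feat, "FAST-FLUX" if is_fast_flux(feat) else "stable")
```

Real resolver data adds ASN lookups and far more observations; the thresholds here are starting points to tune against a known-good baseline.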