Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:
edgeos

Information Security News: Botnet Installs SQL Injection Tool

Botnet Installs SQL Injection Tool

From: InfoSec News <alerts_at_infosecnews.org>
Date: Thu, 15 May 2008 02:52:24 -0500 (CDT)

http://www.eweek.com/c/a/Security/Botnet-Installs-SQL-Injection-Tool/

By Brian Prince
2008-05-14
eWEEK.com

A botnet is outfitting its army of compromised computers with a SQL
injection attack tool to hack Web sites, researchers at SecureWorks have
discovered.

According to SecureWorks, the Asprox botnet, once used solely to send
out phishing e-mails, is pushing the tool out to systems in its network
via a binary with the file name msscntr32.exe. The executable is
installed as a system service with the name "Microsoft Security Center
Extension."

Despite the name, the file is in fact a SQL injection attack tool that
when launched searches Google for .asp pages that contain certain terms.
It then launches SQL injection attacks against the Web sites returned by
the search. According to SecureWorks, the attack is designed to inject
an IFrame into the Web site that tricks visitors into downloading a
JavaScript file from the domain direct84.com.

This file in turn redirects computers to a site where additional
malicious JavaScripts are stored, although the secondary site appeared
to be down when SecureWorks first reported the attacks May 14. When
successful, however, the site installs additional copies of Asprox, the
password-stealing Trojan Danmec or the SQL attack tool.

According to a list from VirusTotal, only a handful of the major
anti-virus vendors are detecting the attack tool at this time.

"This is the first time I've seen a SQL injection tool, but certainly
other botnets have tried to spread in a similar manner, infecting Web
sites with IFrames," said Joe Stewart, director of malware research at
SecureWorks. "For instance, Storm tries to get your password if you log
in to a Web site with FTP, and will put an IFrame into the page for
you."

So far, SecureWorks has found 1,000 Web sites infected by this wave of
SQL attacks. Visitors to these infected Web sites are infected with the
Asprox malware.turning them into bots.and also download some scareware.

"We've estimated [the Asprox botnet] at around 15,000 hosts, but that
was before the wave of SQL attacks," Stewart said in an interview with
eWEEK.

Researchers are still investigating exactly what vulnerability on the
Web sites is being exploited, Stewart said. The Web sites are
English-language and their owners include law firms and midsize
businesses.

A similar attack technique is currently being seen spreading
game-password-stealing Trojans from China. Whether the tool is related
or only the attack syntax is shared, it is clear that SQL injection
attack activity is on the rise from multiple sources, Stewart wrote in
his blog.

_______________________________________________
Attend Black Hat USA, August 2-7 in Las Vegas,
the world's premier technical event for ICT security experts.
Featuring 40 hands-on training courses and 80 Briefings
presentations with lots of new content and new tools.
Network with 4,000 delegates from 50 nations.
Visit product displays by 30 top sponsors in
a relaxed setting. http://www.blackhat.com
Received on May 15 2008

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]