Asprox returns: fast-flux SQL injection attack
A few weeks ago M86 Security noted that the Pushdo botnet effectively appeared to be recruiting for the Asprox botnet. A couple of years earlier Asprox had been involved in a SQL-injection fast-flux attack, but has since been, if not quiet, at least under the radar.
A couple of weeks ago, however, M86 started to receive reports of large numbers of infected IIS/ASP websites; and they began to suspect that Asprox had returned. This was confirmed when they discovered a new version of Asprox launching both SQL injection and spam attacks. Once again, Asprox is using fast-flux domains to deliver the malware; and M86 discusses the new attack in some detail on its blog. It works like this: an Asprox bot downloads an encrypted XML file that includes a list of potential target websites along with data that would allow a Google search for other potential targets. It also, of course, includes the SQL code to infect the target sites. The aim is to infect those sites so that they in turn will infect visitors to the infected pages.
“When we originally drafted that blog entry,” Bradley Anstis, VP, Technical Strategy at M86 Security, told me, “we identified around 1000 sites that had already been infected or injected with the script. But by the time we were going through our review process, we checked again, and it had gone up to 2000; and when we actually posted the report, it was at 5000. Early this morning when I checked, it had risen to 11,000 and it’s growing extremely quickly.” As we spoke I asked him to check again and was told that it had now reached 13,800 infections. By the time you read this, it will be considerably more.
“It all comes down to a spambot called Asprox which we first reported on in 2008. Then it, well, went to sleep; it wasn’t even registering in our email traps. But back in May this year we noticed activity – it was like someone had found this thing and plugged it back in to see what it did. And all of a sudden we started seeing traffic starting up again from the Asprox spambot.” At the moment, we can only conjecture about what’s going on. Has a new gang taken over Asprox? Did they hire Pushdo, “which,” adds Bradley, “has to be the most prevalent spambot we’ve ever seen”, to help increase the size of their botnet? Is the same gang now behind both botnets? Certainly something has changed. “Before,” says Bradley, “Asprox was primarily a spammer. Now it’s infecting websites, and that’s a big difference in terms of how serious a botnet really is.”
I asked Bradley to explain the significance of fast-flux. “In this context,” he said, “fast-flux is one particular domain name which is being continuously administered to different IP addresses. To find a domain, you need to know the IP address which points to a particular server. With fast-flux, it’s cycling around administering different IP addresses very quickly. That makes it very difficult for a security researcher to locate the problem: we find an IP address to look at, but as soon as we do, the problem has moved on to a different address. We need to catch up if we want to work out what’s going on; and the only chance we have is if we can get a complete list of all the IPs that are on the fast-flux list, and then examine all of those IPs at the same time.” To make things even more difficult, the fast-flux list can be changed by the gang, on the fly.
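The catch-up problem Bradley describes, collecting every address a fast-flux name has resolved to and judging the churn, can be approximated from a resolver's own logs. The following is an added example and not M86's code: it runs a simple fast-flux heuristic (many distinct A records, short TTL, addresses spread across several /16 networks, and answers that keep turning over) across a constructed log of DNS answers; the names, addresses and thresholds are assumptions for illustration.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver log: (seconds since start, queried name, TTL, A records).
# Names and addresses are made up (documentation ranges), not real indicators.
SAMPLE_ANSWERS = [
    (0,   "flux.example.invalid", 180, ["198.51.100.7", "203.0.113.21", "192.0.2.44"]),
    (200, "flux.example.invalid", 180, ["203.0.113.90", "198.51.100.250", "192.0.2.9"]),
    (400, "flux.example.invalid", 180, ["192.0.2.130", "203.0.113.5", "198.51.100.66"]),
    (0,   "static.example.invalid", 86400, ["192.0.2.200"]),
    (200, "static.example.invalid", 86400, ["192.0.2.200"]),
    (400, "static.example.invalid", 86400, ["192.0.2.200", "192.0.2.201"]),
]

def summarise(answers):
    """Aggregate every A record ever returned for each name across the log."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None,
                                 "queries": 0, "new_ips_per_query": []})
    for _t, name, ttl, ips in sorted(answers, key=lambda a: a[0]):
        s = stats[name]
        s["queries"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        # Addresses not seen in any earlier answer for this name: the "churn".
        fresh = [ip for ip in ips if ip not in s["ips"]]
        s["new_ips_per_query"].append(len(fresh))
        s["ips"].update(ips)
        # Collapse to /16 so spread across hosting networks counts, not raw IP count.
        s["nets"].update(str(ip_network(f"{ip}/16", strict=False)) for ip in ips)
    return stats

def is_fast_flux(s, min_ips=6, max_ttl=600, min_nets=2):
    """Heuristic thresholds (assumed, tune to your environment): many distinct
    addresses, short TTL, several networks, and new IPs after the first query."""
    churn = sum(s["new_ips_per_query"][1:])
    return (len(s["ips"]) >= min_ips and s["min_ttl"] <= max_ttl
            and len(s["nets"]) >= min_nets and churn > 0)

def flagged_names(answers):
    """Names in the log whose answer history looks like fast-flux."""
    return sorted(n for n, s in summarise(answers).items() if is_fast_flux(s))

if __name__ == "__main__":
    for name, s in summarise(SAMPLE_ANSWERS).items():
        print(name, len(s["ips"]), "IPs,", len(s["nets"]), "/16s, min TTL",
              s["min_ttl"], "->", "FAST-FLUX" if is_fast_flux(s) else "stable")
```

The full IP set collected per name is what a researcher would then examine all at once, as Bradley describes.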
What’s the danger of this new Asprox outbreak?
The danger is that they’re infecting thousands of new websites every hour. The infected websites are then delivering a payload, which can be changed by the gang whenever it likes, to unprotected visitors to that site. “The last time we analysed the payload,” says Bradley, “it was a combination of back-door downloaders which meant they could download whatever they liked to the infected computers, and keyloggers, and scareware.”
Worryingly, when M86 located the malware it checked with VirusTotal and found that only 7 out of the 42 anti-malware products could detect this threat.
And the solution
So what can we do to protect ourselves? Firstly, we must have an anti-virus package installed. There is a lag between new malware being discovered and the AV packages learning how to detect it. That doesn’t negate the necessity of AV; it just means that we need to be aware of this lag and use other methods to fill the gap. Common sense is one tool: simply do not visit what might be a suspicious website. But that alone is not enough: some very mainstream websites have been infected over the last couple of years. My own preferred solution is to use the Firefox web browser and to install the NoScript add-on. This is all free, and it means that when I visit a new site, NoScript stops any code (apart from HTML) from running. If the site is infected, the infection is blocked: I cannot be infected.