- 4chan hell raisers finding fame brings heat?
- The 10 dumbest mistakes network managers make
- NetApp quits bidding war in face of EMC opposition
- CompuServe closes after 30 years
- Google to launch open-source Chrome OS this year
A botnet is now using a SQL-injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher.
The Asprox botnet, which specializes in sending phishing spam, is pushing an update to the infected PCs it controls, Joe Stewart , the director of malware research at Atlanta-based Secureworks , said today. The update is an executable file - "msscntr32.exe" - that installs as a Windows service dubbed "Microsoft Security Center Extension."
But the executable actually installs an SQL-injection attack tool, said Stewart.
SQL injection attacks have become widespread as criminals increasingly target legitimate Web sites, figure out a way to hack them, then plant IFRAMEs on those site which redirect users to malicious servers. Those servers silently attack the visitor's PC, often trying multiple exploits, and if one works, download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.
"There are multiple things out there launching similar attacks," said Stewart in explaining why there's confusion about how the tool is being spread. Some analysts, he said, have mistakenly concluded that the SQL-injection tool is using worm-like tactics. "The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts," he said.
It is becoming increasingly difficult to separate the multiple attack vectors that criminals are using to hack legitimate sites, if only because SQL-injection attacks have ballooned in scale. Last month, for example, a massive SQL-injection attack compromised more than a half-million pages, including some on sites run by the United Nations .
After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google 's search engine to find potentially-vulnerable pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site.
Visitors are redirected through a series of malware-hosting servers that try one or more exploits to crack the PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.
The Leader in Network Knowledge
Comment