Phishing botnet expands by hacking legit sites

Plants SQL injection attack tool on bots, hacks business, education sites

A botnet is now using a SQL-injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher.

The Asprox botnet, which specializes in sending phishing spam, is pushing an update to the infected PCs it controls, Joe Stewart, the director of malware research at Atlanta-based Secureworks, said today. The update is an executable file - "msscntr32.exe" - that installs as a Windows service dubbed "Microsoft Security Center Extension."

But the executable actually installs an SQL-injection attack tool, said Stewart.

SQL injection attacks have become widespread as criminals increasingly target legitimate Web sites, figure out a way to hack them, then plant IFRAMEs on those site which redirect users to malicious servers. Those servers silently attack the visitor's PC, often trying multiple exploits, and if one works, download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.

"There are multiple things out there launching similar attacks," said Stewart in explaining why there's confusion about how the tool is being spread. Some analysts, he said, have mistakenly concluded that the SQL-injection tool is using worm-like tactics. "The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts," he said.

It is becoming increasingly difficult to separate the multiple attack vectors that criminals are using to hack legitimate sites, if only because SQL-injection attacks have ballooned in scale. Last month, for example, a massive SQL-injection attack compromised more than a half-million pages, including some on sites run by the United Nations.

After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google's search engine to find potentially-vulnerable pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site.

Visitors are redirected through a series of malware-hosting servers that try one or more exploits to crack the PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

Stewart has counted 1,000 sites that have been hacked by the SQL-injection attack tool since Monday night. The sites include small business sites, domains for several small colleges and universities and some hosted by law firms. Most are in the US.

Other security vendors, including F-Secure and Symantec, have also uncovered evidence of new waves of SQL-injection attacks. Those firms have been pinning responsibility on Chinese hackers who are compromising legitimate sites to spread their game password-stealing malware.

Separately, SANS Institute's Internet Storm Center has reported that hackers have taken to trading various SQL-injection attack tools.

Meanwhile, IBM's X-Force, the research arm of the computer giant's Internet Security System subsidiary, has been rooting in the dark corners of the Web to pin down the number of malware-hosting sites linked to the legitimate URLs hacked by SQL-infection attacks. According to David Dewey, the manager of X-Force, his group regularly identifies 20 to 30 new hosting sites each day.

"Some of these are up less than a day," said Dewey. "In one case, the hosting [server] was offline in less than 30 minutes." The majority of the sites X-Force finds appear to be designed as malware hosts, rather than unwitting accomplices.

"SQL-injection attacks are rampant," Dewey said. "This latest peak isn't any larger than the previous, but they are very large attacks."

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

PC World Evaluation Team Review - MSI GT75 TITAN

"I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it."

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?