DISCLAIMER: Logging other people's keystrokes or breaking
into other people's computer without their permission can
be considered illegal by the courts of many countries.
The monitoring software reviewed here is ONLY for authorized
system administrators and/or owners of computers.
We assume no liability and are not responsible for any misuse
or damage caused by the keylogging software. The end user of
this software is obliged to obey all applicable local, state,
federal and other laws in his country of residence.
May 15, 2008
Botnet Installs SQL Injection Tool
A botnet is outfitting its army of compromised computers with a SQL injection attack tool to hack Web sites, researchers at SecureWorks have discovered.
According to SecureWorks, the Asprox botnet, once used solely to send out phishing e-mails, is pushing the tool out to systems in its network via a binary with the file name msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension."
Despite the name, the file is in fact a SQL injection attack tool that when launched searches Google for .asp pages that contain certain terms. It then launches SQL injection attacks against the Web sites returned by the search. According to SecureWorks, the attack is designed to inject an IFrame into the Web site that tricks visitors into downloading a JavaScript file from the domain direct84.com.
This file in turn redirects computers to a site where additional malicious JavaScripts are stored, although the secondary site appeared to be down when SecureWorks first reported the attacks May 14. When successful, however, the site installs additional copies of Asprox, the password-stealing Trojan Danmec or the SQL attack tool.
According to a list from VirusTotal, only a handful of the major anti-virus vendors are detecting the attack tool at this time.
"This is the first time I've seen a SQL injection tool, but certainly other botnets have tried to spread in a similar manner, infecting Web sites with IFrames," said Joe Stewart, director of malware research at SecureWorks. "For instance, Storm tries to get your password if you log in to a Web site with FTP, and will put an IFrame into the page for you."
So far, SecureWorks has found 1,000 Web sites infected by this wave of SQL attacks. Visitors to these infected Web sites are infected with the Asprox malware—turning them into bots—and also download some scareware.
"We've estimated [the Asprox botnet] at around 15,000 hosts, but that was before the wave of SQL attacks," Stewart said in an interview with eWEEK.
Researchers are still investigating exactly what vulnerability on the Web sites is being exploited, Stewart said. The Web sites are English-language and their owners include law firms and midsize businesses.
A similar attack technique is currently being seen spreading game-password-stealing Trojans from China. Whether the tool is related or only the attack syntax is shared, it is clear that SQL injection attack activity is on the rise from multiple sources, Stewart wrote in his blog.
Source: eWeek
All news for July, 2008
All news for 2008 year
All news for 2007 year
All news for 2006 year
All news for 2005 year
All news for 2004 year
DONATION: Keylogger.org is an independent research
project supported by a team of enthusiasts. If you find this
project useful or would like to help foster its continued
development please consider making a donation using PayPal`s
online secure payment service. A PayPal account is not required.
All major credit cards are accepted (MasterCard/Eurocard,
Visa/Delta/Electron, American Express, Switch/Maestro, Solo).
Simply click the button below.
Any amount would be useful and appreciated!
Thanks in advance for your support!
|
