Clever mnemonics aside, last week we have seen another large scale SQL injection attack (or YAMSIA, if you prefer), this time being orchestrated by a botnet that has become known as Asprox—but first, a history lesson.
The code behind the Asprox botnet seems to have been around for quite some time now, but it was only in the last year that it has upgraded to a botnet where its main focus is to send phishing emails. This has changed in late May / early June of this year when the bots where issued a new set of commands–namely to start searching the Web for certain .ASP pages – and then launching an SQL injection attack against these pages (hmm … I wonder where they got that idea from).
Figure 1. The modus operandi that has become more and more common.
Figure 2. Sample of malicious script (with some parts removed)
As you can see, this script creates a cookie that expires after 9 days. This serves as an infection marker on the page, as it then “bounces” the threat once more to the page pointed to by the iFrame.
Depending on what country you are browsing from, the Asprox botnet may decide not to let you access this page, in which case, you will be redirected to the legitimate www.msn.com. If you are “lucky” enough to be allowed access to the page, however, your browser will be promptly slapped in the face with a barrage of vulnerabilities–all with the goal of having your computer join in all of the fun by hooking your PC up to the botnet.
Unfortunately, security is still a major issue with the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA (Can you tell I’m trying to get this mnemonic to stick?) blogs in the future.