Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites
During the first two weeks of July 2008, Finjan detected over 1,000 unique website domains compromised by the Asprox attack toolkit. Each compromised domain carried a reference to malware served from one of more than 160 different domains across the Internet. Since the list of malware-serving domains grows every day, this may be only the tip of the iceberg as far as the scope and impact of the attack are concerned.
Among the compromised websites, Finjan found sites of respected organizations, government institutions, healthcare organizations and other high-ranking websites. Most of the affected websites are still serving the malicious code, and the toolkit is still in use.
Various advertising networks were among the compromised sites, and these were in turn used to direct users to compromised advertisements. One of them was atdmt.com, which Microsoft plans to acquire as part of its Advertiser and Publisher Solutions Group.
Compromised legitimate websites (on some of them the malicious code is no longer present) include the following government websites:
marysville.ca.us, the official website of the City of Marysville, registered by the Marysville Police Department.
www.censocultural.ba.gov.br, the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil.
www.sfgov.org, official website of the government of the City and County of San Francisco.
Compromised healthcare websites:
nhs.uk, the official website of the National Health Service in the UK.
samedical.org, the official website of the South African Medical Association.
Other compromised legitimate websites:
Cocacolabrazil.com
Snapple.com, one of the largest soft drink makers in the US
uci.edu, the official website of the University of California, Irvine
The Baltimore Times Website
BMW official site in Mexico
Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique also used by the well-known Storm botnet.
The attack toolkit is designed to inject a <script> tag into legitimate .asp web pages. Each of the roughly 160 domains hosting the .js file serves it from a path that is unique to that domain. The malicious script tries several client-side vulnerabilities on the victim's machine in order to raise the chance of successful exploitation: the MDAC vulnerability, the QuickTime RTSP vulnerability, and the AOL SuperBuddy ActiveX control code execution vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim's machine.
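The injected tag described above is easy to spot once you know what to look for: a <script src=...> that loads JavaScript from a host that is neither the site itself nor a known content provider. The following is an added example, not Finjan's or CyberInsecure's code, that scans a page for such off-site script references. The sample HTML, the site hostname (www.example.gov), the allow-listed CDN host and the injected domain are all constructed for the demonstration and are not taken from the article.

```python
"""Flag <script src=...> tags that load JavaScript from off-site hosts,
the pattern described for Asprox-compromised .asp pages.

Added example, not code from Finjan or the page's author. The sample
HTML, hostnames and file names below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page: a relative script, a same-host absolute script,
# a protocol-relative CDN script, and one injected off-site script tag
# (unquoted src, as injected tags often are).
SAMPLE_HTML = """<html><head>
<script src="/js/menu.js"></script>
<script type="text/javascript" src="http://www.example.gov/js/site.js"></script>
<script src="//cdn.example-static.net/jquery.js"></script>
<script src=http://injected-fastflux.example.invalid/x.js></script>
</head><body>...</body></html>"""


class ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> start tag."""

    def __init__(self):
        super().__init__()
        self.srcs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        for name, value in attrs:
            if name.lower() == "src" and value:
                self.srcs.append(value.strip())


def script_sources(html):
    """Return all script src values found in the HTML, in document order."""
    parser = ScriptSrcCollector()
    parser.feed(html)
    return parser.srcs


def host_of(src):
    """Return the lower-cased host a script is fetched from, or None for
    relative paths (which always resolve to the site itself)."""
    if src.startswith("//"):          # protocol-relative URL
        src = "http:" + src
    parts = urlsplit(src)
    return parts.hostname.lower() if parts.hostname else None


def find_offsite_scripts(html, site_host, allowed_hosts=()):
    """Return (src, host) pairs for scripts loaded from any host other than
    the site itself or the explicit allowlist of known content providers."""
    allowed = {site_host.lower()} | {h.lower() for h in allowed_hosts}
    hits = []
    for src in script_sources(html):
        host = host_of(src)
        if host is not None and host not in allowed:
            hits.append((src, host))
    return hits


if __name__ == "__main__":
    for src, host in find_offsite_scripts(
        SAMPLE_HTML, "www.example.gov", allowed_hosts=["cdn.example-static.net"]
    ):
        print(f"off-site script reference: {src} (host {host})")
```

Run against a site's rendered pages (or a crawl of them), the allowlist should contain only hosts the site deliberately loads scripts from; anything else that appears, especially a bare .js on a domain nobody recognizes, is worth pulling and inspecting before users are sent to it.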
July 30th, 2008 at 3:22 pm
This virus took my site offline for 3 weeks and I had to seek an internet security company to fix my site.
It cost me £50 but well worth it after the hassle I have had!!