Daily cyber threats and internet security news: network security, online safety and latest security alerts
May 14th, 2008

Phishing Botnet Expands By SQL Injecting Websites Found In Google

The Asprox botnet, which specializes in sending phishing spam, is now using a SQL injection attack tool designed to hack legitimate websites, a move meant to add more hijacked PCs to its collection. According to SecureWorks, the botnet is pushing an update to the infected PCs it controls by sending an executable file, msscntr32.exe, that installs as a Windows service called “Microsoft Security Center Extension”. In reality, the file is a SQL injection attack tool.

After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google’s search engine to find potentially vulnerable website pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site. Visitors are redirected through a series of malware-hosting servers that try one or more exploits to infect their PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

So far, Asprox zombies have infected only about 1,000 pages, which carry JavaScript pointing to sites including and In addition to silently feeding end users Asprox malware, the poisoned pages also push malware for a competing botnet known as Cutwail. The sites also try to install WinFixer, a notorious software title that falsely tells users they are infected by malware in an attempt to trick them into buying bogus anti-malware products.

Security vendors, including F-Secure Corp. and Symantec Corp., have also uncovered evidence of new waves of SQL-injection attacks. Those firms have been pinning responsibility on Chinese hackers who are compromising legitimate sites to spread malware to steal game passwords.

SQL injection attacks have become widespread as criminals increasingly target legitimate websites, figure out a way to hack them, then plant IFRAMEs on those sites to redirect users to malicious servers. Those servers silently attack visitors’ PCs, often trying multiple exploits, and if one works, they download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.
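A site operator can check their own rendered pages for the planted IFRAME or script references described above. The following is an added example, not code from the article or from SecureWorks; the function names, the host names, the allowlist and the sample page are all constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

class _RefCollector(HTMLParser):
    """Collects <script src> and <iframe src> references while parsing."""
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, src, looks_hidden)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        if not src:
            return
        style = a.get("style", "").replace(" ", "").lower()
        # Zero or one pixel frames and CSS hiding are typical of planted IFRAMEs.
        hidden = (a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                  or "display:none" in style or "visibility:hidden" in style)
        self.refs.append((tag, src, hidden))

def find_offsite_refs(html, site_host, allowed_hosts=()):
    """Return (tag, host, hidden) for script/iframe sources served from hosts
    that are neither the site itself nor on the operator's allowlist."""
    trusted = {site_host.lower(), *(h.lower() for h in allowed_hosts)}
    collector = _RefCollector()
    collector.feed(html)
    findings = []
    for tag, src, hidden in collector.refs:
        host = (urlparse(src).hostname or "").lower()  # "" for relative URLs
        if host and host not in trusted:
            findings.append((tag, host, hidden))
    return findings

# Constructed sample page: a script tag appended to a database-backed text
# field (the <h1>) and a zero-size IFRAME, next to legitimate references.
SAMPLE_PAGE = """<html><body>
<script src="/js/site.js"></script>
<script src="http://cdn.shop.example/lib.js"></script>
<h1>Blue widget<script src="http://injected.example/b.js"></script></h1>
<iframe src="http://redirector.example/in.cgi" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, hidden in find_offsite_refs(
            SAMPLE_PAGE, "www.shop.example", ["cdn.shop.example"]):
        print(f"unexpected <{tag}> from {host} (hidden={hidden})")
```

Because the markup is planted through the database, any hit should also be traced back to the stored rows and the injectable query, not only removed from the page.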

Some analysts have mistakenly concluded that the SQL injection tool is using worm-like tactics. According to SecureWorks, the tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts.
