Asprox botnet launches new wave of SQL injection

Share this article:
The Asprox botnet has laid low for the first half of the year but the cybercriminals behind it again have begun utilizing its network of infected computers to carry out SQL injection attacks against vulnerable websites, security firms are warning.

The latest wave of SQL injection attempts emanating from the Asprox botnet began last Monday, Jason Milletary, counter threat unit security researcher at managed security services vendor SecureWorks, told SCMagazineUS.com on Tuesday.

“Asprox is fairly unsophisticated,” Gunter Ollmann, vice president of research at enterprise security firm Damballa, told SCMagazineUS.com on Tuesday. “The SQL injection attacks it tries to launch are unsophisticated — but it works.”

Sometime during last week, perhaps as early as Monday, Asprox bots began been receiving instructions to run an internet search for web applications with vulnerable backend databases that potentially are susceptible to SQL injection, researchers said. The bots then attempted to inject a malicious IFRAME — or a small piece of HTML code — into these websites.

“All the infected bots are receiving instructions and going and doing that — running the same Google queries,” Ollmann said. “They get the same results back, so we often see vulnerable websites being attacked and having the malicious IFRAME inserted into their websites multiple times by the same botnet.”

If a user visits one of the compromised websites, the IFRAME causes the user's web browser to be redirected to a distribution site that tries to exploit browser and browser plug-in bugs to install malicious code on the user's system, Milletary said. The goal is to further build the Asprox botnet.

Researchers said they are unsure how many websites have been compromised as a result of this attack. In a similar SQL attack wave from the Asprox botnet last May, more than 2,000 websites were infected.
Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

CryptoWall surpasses CryptoLocker in infection rates

CryptoWall surpasses CryptoLocker in infection rates

A threat analysis from Dell SecureWorks CTU says that CryptoWall has picked up where its famous sibling left off.

Professor says Google search, not hacking, yielded medical info

Professor says Google search, not hacking, yielded medical ...

A professor of ethical hacking at City College San Francisco came forward to clarify that he did not demonstrate hacking a medical center's server in a class.

Syrian Malware Team makes use of enhanced BlackWorm RAT

Syrian Malware Team makes use of enhanced BlackWorm ...

FireEye analyzed the hacking group's use of the malware, dubbed the "Dark Edition" of BlackWorm.