Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.
As of this writing, there are three fast-flux domains that the bot attempts to contact.
CL63AMGSTART.RU HYPERVMSYS.RU ML63AMGSTART.RU
These domains resolve to Asprox’s control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites.
When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks.
Figure 1: SQL statement in the Asprox malware body used to launch the SQL injection attack. As of this writing this malware had a poor detection rate .
The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search for more potential targets.
Figure 2: The decrypted XML file which the bot receives. Contains a list of information such as target websites.
When the Asprox bot launches an SQL injection attack, the initial request looks similar to this:
The SQL statement is passed to a target ASP website and executes a series of URL encoded SQL queries, which when decoded, look like this:
http://manage[dot]webservicekuz[dot]ru/js.js http://stream[dot]webservicesttt[dot]ru/js.js http://media[dot]webservicefull[dot]ru/js.js http://edit[dot]webservicezok[dot]ru/js.js http://redir[dot]webserviceforward[dot]ru/js.js http://shell[dot]webserviceget[dot]ru/js.js http://rid[dot]webservicedevlop[dot]ru/js.js
The SQL attack queries a special table in the SQL server sysobjects and syscolumns in an attempt to get the available “user” tables and fields in the website’s database. Walking through the tables and fields, the attack appends the malicious <script> tag to the selected values, in effect poisoning the website’s database. Once a web page uses a string from the poisoned database, the malicious <script> tag is injected into that web page. When we performed a Google search of this domain, we saw over 5000 websites infected:
So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection. Anyone have a feeling of déjà vu?