Monday, July 28, 2008

YAMSIA (Yet Another Massive SQL Injection Attack)

Forgot to crosspost from TM Site

Clever mnemonics aside, last week we saw another large-scale SQL injection attack (or YAMSIA, if you prefer), this time orchestrated by a botnet that has become known as Asprox—but first, a history lesson.

The code behind the Asprox botnet seems to have been around for quite some time now, but it was only in the last year that it grew into a botnet whose main focus was sending phishing emails. This changed in late May / early June of this year, when the bots were issued a new set of commands: namely, to start searching the Web for certain .ASP pages and then launch an SQL injection attack against those pages (hmm … I wonder where they got that idea from).


Figure 1. The modus operandi that has become more and more common.

Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a separate domain (the first technique was covered in Bouncing Malware 101). These domains are part of a fast-flux network hosted on the botnet itself (a technique widely used by another well-known botnet, Storm). The JS file name was originally b.js, but this has since changed and, in the latest wave, it is the highly imaginative ngg.js.
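
Because the injection writes the script tag into database text columns, the quickest way for a site owner to find out whether they were hit is to scan an export of those columns for script tags that load from a host they do not own. The following is an added example (not code from the original post or from Trend Micro) that does exactly that over constructed sample rows; the hostnames and table names are assumptions.

```python
import re
from urllib.parse import urlparse

# Matches a <script> tag with an external src, case-insensitively and tolerant
# of the quoting/spacing variants that injected content tends to use.
SCRIPT_SRC_RE = re.compile(
    r"<script[^>]*?\bsrc\s*=\s*['\"]?\s*((?:https?:)?//[^'\"\s>]+)",
    re.IGNORECASE,
)

def find_injected_scripts(rows, trusted_hosts):
    """Scan exported text-column values for <script src=...> tags that load
    from a host outside the site's own trusted set.

    rows: iterable of (table, column, row_id, text) tuples.
    Returns a list of dicts, one per suspicious script reference."""
    hits = []
    for table, column, row_id, text in rows:
        if not isinstance(text, str):
            continue
        for match in SCRIPT_SRC_RE.finditer(text):
            src = match.group(1)
            # Scheme-relative "//host/x.js" needs a scheme before parsing.
            full = src if src.lower().startswith("http") else "http:" + src
            host = urlparse(full).hostname  # .hostname is already lowercased
            if host and host not in trusted_hosts:
                hits.append({"table": table, "column": column, "row": row_id,
                             "src": src, "host": host})
    return hits

# Constructed sample rows mimicking a content table after a mass injection.
# "example-fastflux.invalid" stands in for an attacker-controlled domain.
SAMPLE_ROWS = [
    ("products", "description", 1,
     "Blue widget, 2 pack<script src=http://example-fastflux.invalid/ngg.js></script>"),
    ("products", "description", 2, "Red widget, single"),
    ("news", "body", 7,
     'Visit our store <script src="//www.shop.example/js/menu.js"></script>'),
    ("news", "body", 8,
     "<SCRIPT SRC='HTTP://EXAMPLE-FASTFLUX.INVALID/b.js'></SCRIPT>Sale!"),
]

# The site's own host; anything else serving script into the page is suspect.
TRUSTED_HOSTS = {"www.shop.example"}

if __name__ == "__main__":
    for hit in find_injected_scripts(SAMPLE_ROWS, TRUSTED_HOSTS):
        print(hit)
```

Any hit that is not explained by a legitimate third-party include is a row to clean and a page whose input handling needs parameterised queries.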


Figure 2. Sample of malicious script (with some parts removed)

As you can see, this script creates a cookie that expires after 9 days. This serves as an infection marker on the page; the script then “bounces” the threat once more to the page pointed to by the iFrame.

Depending on what country you are browsing from, the Asprox botnet may decide not to let you access this page, in which case you will be redirected to the legitimate www.msn.com. If you are “lucky” enough to be allowed access to the page, however, your browser will be promptly slapped in the face with a barrage of exploits, all with the goal of having your computer join in all of the fun by hooking your PC up to the botnet.

SQL injection attacks can be very effective, as they are normally completely hidden from the Internet user: everything is quietly downloaded in the background without their knowledge. We were sure this was a criminal act, and as such have added detection for the threat, as well as for the bouncing JavaScript (JS_IFRAME.ADN) itself.

Unfortunately, security is still a major issue for the majority of Web sites, and until it becomes one of the core design goals from the start of a Web site project, expect to see more YAMSIA blogs in the future (can you tell I’m trying to get this mnemonic to stick?).


Breaking News! Iran Invaded! Well…maybe

Forgot to repost from TM Site

Picture the scene: You wake up in the morning and make your way on autopilot to work at your job in Tehran, then switch on your work PC to check your email. One in particular stands out as being a bit different from the others. You read it once, and then just to be sure read it a second time, then run to look out the window. Seeing no tanks in the streets and a significant lack of mushroom clouds, you return to your desk and take another look…


Anxious to find out what’s going on, you download the video and run it to find out more information.

Wrong move.

Now, longtime readers of this blog (well, most people, to be honest) should look at that email and be immediately skeptical. They might even go check out legitimate news sites like CNN or the BBC. However, enough people will open their email inboxes this morning, download the video (hint: it’s not really a video, it’s just another Storm/Nuwar/Zhelatin/Peacomm variant, detected by Trend Micro as TROJ_NUWAR.AB) and proceed to help the Storm gang’s authors make even more money. The Storm network may have shrunk since its heyday — but its size still makes the approximately 20,000 soldiers seem small in comparison.

It’s a sad world we live in where we have to educate people to be careful of what they get in their email, to be suspicious of every site they visit, and to be constantly on the lookout for scams.

Needless to say, Trend Micro customers are protected from this threat, both with our latest pattern file, and in the cloud with our Smart Protection Network. For everyone else, think before you click.

Additional information — here are samples of spam pertaining to this attack:

