A small botnet known as Asprox has been used in password stealing, spam, and phishing attacks. This week Asprox was modified to include a new SQL injection tool. As noted recently, SQL injection attacks reflect poorly programmed web applications rather than vulnerabilities in vendor products.
This new botnet-based attack is innovative: it uses Google's search engine to locate potentially vulnerable web pages. When a weakness is found, Asprox injects an iframe-based redirect into the vulnerable website. Visitors to the newly seeded page may then have malicious code downloaded and installed on their PC automatically, adding it to the Asprox botnet.
It's always important to stay up to date on security patches and AV protection, as this helps prevent infection when someone accidentally visits a seeded website.
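The "poorly programmed web pages" point above comes down to how the application builds its SQL. The following added example (not code from the original post or from any of the linked reports) shows the defect side by side with the fix on a constructed in-memory SQLite table: the vulnerable version concatenates user input into the query text, so a crafted search term changes the query's meaning; the hardened version passes the same input as a bound parameter, so it is only ever treated as data. The table, rows, and function names are assumptions made for the example.

```python
import sqlite3

# Constructed sample data: a page catalogue with a visibility column that the
# search is supposed to respect. A real site would have its own schema.
ROWS = [
    ("Intro to Networks", "public"),
    ("Staff directory (internal)", "private"),
]


def make_db():
    """Build the example database in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (title TEXT, visibility TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?)", ROWS)
    return conn


def search_vulnerable(conn, term):
    """Defective pattern: the search term is spliced into the SQL text."""
    sql = ("SELECT title FROM pages WHERE visibility = 'public' "
           "AND title LIKE '%" + term + "%'")
    return [row[0] for row in conn.execute(sql)]


def search_hardened(conn, term):
    """Corrected pattern: the term is bound as a parameter, never parsed as SQL."""
    sql = "SELECT title FROM pages WHERE visibility = 'public' AND title LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = make_db()
    # A normal search behaves the same either way.
    print(search_vulnerable(db, "Networks"))   # ['Intro to Networks']
    print(search_hardened(db, "Networks"))     # ['Intro to Networks']
    # A term containing a quote closes the string literal in the vulnerable
    # version and rewrites the WHERE clause; the hardened version just gets
    # no match because the whole term is compared literally.
    crafted = "x%' OR 1=1 --"
    print(search_vulnerable(db, crafted))  # every row, private ones included
    print(search_hardened(db, crafted))    # []
```

The fix is not escaping or filtering the input but keeping query structure and data separate; every mainstream database driver supports bound parameters, and code review or static analysis that flags string-built SQL is the practical way to find the remaining concatenation sites.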
Asprox Botnet Installs SQL Injection Tool
http://www.secureworks.com/research/threats/danmecasprox/
http://vil.mcafeesecurity.com/vil/content/v_137684.htm
http://www.eweek.com/c/a/Security/Botnet-Installs-SQL-Injection-Tool/
http://www.scmagazineus.com/Asprox-botnet-malware-morphs/article/110169/
http://news.idg.no/cw/art.cfm?id=E9210D49-17A4-0F78-31AA26FE725B1F22
QUOTE: Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool.
After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google's search engine to find potentially-vulnerable pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site.
Visitors are redirected through a series of malware-hosting servers that try one or more exploits to crack the PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.
Stewart has counted 1,000 sites that have been hacked by the SQL-injection attack tool since Monday night. The sites include small business sites, domains for several small colleges and universities and some hosted by law firms. Most are in the U.S.
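Site owners on the receiving end of this need a way to notice that their own pages have been seeded. The following added example (not code from the original post or from the quoted SecureWorks and eWeek reports) is a small defender-side check: it parses served HTML with the Python standard library, collects every iframe, and flags any whose source host is not on the site's own allowlist or that is hidden or sized to nothing. The allowlist, the sample page, and the placeholder hostname are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this site legitimately embeds in frames. Constructed for the example;
# a real deployment would populate this from the site's own templates.
ALLOWED_IFRAME_HOSTS = {"maps.example.com"}


class IframeCollector(HTMLParser):
    """Collect the attribute dicts of every <iframe> in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append(dict(attrs))


def _tiny(value):
    """True when a width/height attribute is 0 or 1 pixel."""
    try:
        return int(value) <= 1
    except (TypeError, ValueError):
        return False


def _is_hidden(attrs):
    """Injected frames are commonly hidden via style or collapsed to 0x0."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return ("display:none" in style or "visibility:hidden" in style
            or _tiny(attrs.get("width")) or _tiny(attrs.get("height")))


def suspicious_iframes(html, allowed_hosts=ALLOWED_IFRAME_HOSTS):
    """Return a list of findings for iframes that do not belong on the page."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for attrs in parser.iframes:
        src = attrs.get("src") or ""
        host = urlparse(src).hostname or ""
        reasons = []
        # Relative/empty src is same-origin and is not flagged on host alone.
        if host and host not in allowed_hosts:
            reasons.append("unexpected host %r" % host)
        if _is_hidden(attrs):
            reasons.append("hidden or zero-size frame")
        if reasons:
            findings.append({"src": src, "reasons": reasons})
    return findings


# Constructed sample page: one legitimate map embed plus one injected frame
# pointing at a placeholder host (not a real indicator from the reports).
SAMPLE_PAGE = """
<html><body>
<h1>Campus map</h1>
<iframe src="http://maps.example.com/embed?campus=main" width="600" height="400"></iframe>
<p>Welcome to the college web site.</p>
<iframe src="http://redirector-placeholder.example/in.cgi" width="0" height="0"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for finding in suspicious_iframes(SAMPLE_PAGE):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

Run this over the rendered output of each page (or over the database fields the pages are built from, since the SQL injection writes the iframe into stored content) as a scheduled job; a new finding is a strong signal that the site has been seeded and that the underlying query needs the parameterisation fix rather than just the iframe being deleted.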