The Business Centre

Phishing botnet expands by hacking legit sites
Plants SQL injection attack tool on bots, hacks business, education sites
Gregg Keizer (Computerworld) 15/05/2008 08:10:59

iPhone Centre
iPhone CentreFind out all about the iPhone at our iPhone Centre. News, reviews, how-tos and video - all in one location.
  • +

    iPhone hackers go too far, get shut down by Apple 07/08/2008 10:51:17

    Apple shut down a hack that opened Unix developers to iPhone, but the creators brought the punishment on themselves
    I was all set to give this week's column over to a new register-direct implementation of a JavaScript interpreter that's many times faster than all currently available implementations. It's not exactly growing hair on a billiard ball, but a nitro-boosted JavaScript will put a shine on AJAX and keep my most beloved language on track to becoming the gold standard for dynamic languages.
  • +

    Jobs shakes up Apple management over MobileMe debacle 07/08/2008 08:29:09

    Apple CEO Steve Jobs has given MobileMe to the executive who heads iTunes, part of a shake-up over the sync service's public problems since its launch last month, according to a memo sent to company employees earlier this week.
  • +

    Deploying the iPhone 3G for business, part 1 31/07/2008 09:08:41

    One of biggest stories behind the release of the iPhone 3G -- and the iPhone 2.0 firmware update for first-generation iPhones -- was the inclusion of features designed for use in business environments. While many analysts and enterprise users have argued in recent weeks about whether the iPhone can replace Research In Motion's BlackBerry as the prevailing smart phone for business, little has been said about the tools and processes that Apple offers systems administrators to actually deploy and manage iPhones at work.
Additional Resources

Newsletter Subscription

Sign up for our Good Gear Guide newsletters!
Each day the GearDaily Newsletter covers the latest from the last week in a specific category. Monday is "Computing, Small Office and Home Office", Tuesday is "On the Move", Wednesday is "Digital Cameras, Video and Imaging", Thursday is "Mobile Phones and Communications" and Friday is "Home Entertainment".
See the latest products and comparison prices added to GearShop each week.
The GoodGearGuide portfolio of services is rapidly expanding. By joining this list you will be pre-registered for any new email services we launch so you won't miss out on any of our independent product guidance and purchasing information. You will be automatically subscribed and receive the new service(s) but dont worry, should you wish to unsubscribe you can do so with only one click.

A botnet is now using a SQL-injection attack tool designed to hack legitimate Web sites, a move meant to add more hijacked PCs to its collection, according to a security researcher.

The Asprox botnet, which specializes in sending phishing spam, is pushing an update to the infected PCs it controls, Joe Stewart, the director of malware research at Atlanta-based Secureworks, said today. The update is an executable file - "msscntr32.exe" - that installs as a Windows service dubbed "Microsoft Security Center Extension."

But the executable actually installs an SQL-injection attack tool, said Stewart.

SQL injection attacks have become widespread as criminals increasingly target legitimate Web sites, figure out a way to hack them, then plant IFRAMEs on those site which redirect users to malicious servers. Those servers silently attack the visitor's PC, often trying multiple exploits, and if one works, download additional code to the machine to hijack it from its rightful owner and add it to an army of infected systems.

"There are multiple things out there launching similar attacks," said Stewart in explaining why there's confusion about how the tool is being spread. Some analysts, he said, have mistakenly concluded that the SQL-injection tool is using worm-like tactics. "The tool does not spread on its own but relies on the Asprox botnet to propagate to new hosts," he said.

It is becoming increasingly difficult to separate the multiple attack vectors that criminals are using to hack legitimate sites, if only because SQL-injection attacks have ballooned in scale. Last month, for example, a massive SQL-injection attack compromised more than a half-million pages, including some on sites run by the United Nations.

After the Asprox botnet seeds its bots with the msscntr32.exe file, the attack tool launches and uses Google's search engine to find potentially-vulnerable pages. It then hits those pages with a SQL-injection attack and, if successful, plants a malicious IFRAME on the site.

Visitors are redirected through a series of malware-hosting servers that try one or more exploits to crack the PC. If that works, a Trojan horse is downloaded and installed on the PC, adding it to the Asprox botnet; those compromised PCs are then used to spew more phishing spam.

Stewart has counted 1,000 sites that have been hacked by the SQL-injection attack tool since Monday night. The sites include small business sites, domains for several small colleges and universities and some hosted by law firms. Most are in the US.

Other security vendors, including F-Secure and Symantec, have also uncovered evidence of new waves of SQL-injection attacks. Those firms have been pinning responsibility on Chinese hackers who are compromising legitimate sites to spread their game password-stealing malware.

Separately, SANS Institute's Internet Storm Center has reported that hackers have taken to trading various SQL-injection attack tools.

Meanwhile, IBM's X-Force, the research arm of the computer giant's Internet Security System subsidiary, has been rooting in the dark corners of the Web to pin down the number of malware-hosting sites linked to the legitimate URLs hacked by SQL-infection attacks. According to David Dewey, the manager of X-Force, his group regularly identifies 20 to 30 new hosting sites each day.

"Some of these are up less than a day," said Dewey. "In one case, the hosting [server] was offline in less than 30 minutes." The majority of the sites X-Force finds appear to be designed as malware hosts, rather than unwitting accomplices.

"SQL-injection attacks are rampant," Dewey said. "This latest peak isn't any larger than the previous, but they are very large attacks."

Market Place
$50 Cashback and Latest Map Guarantee on selected models until October 7.
Get up to $200 cashback on selected Brother MFCs and printers
Offering the very latest in premium Bluetooth products.
For over 60 years, Sennheiser has been synonymous with quality products for recording, transmission and reproduction of sound.
Music and movie lovers all over the world choose Tannoy loudspeakers for their accuracy detail and imaging.
Get wireless coverage in every corner of your home – the D-Link Wireless N Range.
Linksys Introduces the Fusion of Speed, Style and Power…in a Router.Speed, Style and Power…in a Router.
Bryston makes some of the best state of the art electronics in the world and offers a 20 Year warranty, transferable from owner to owner

Good Gear Guide Member Login

 
close
Hot Deals
4 Stars Plus Video Reviews
AV Enthusiast Centre
iPhone Centre
HD Advisor
The Business Centre
Digital Home Advisor
GPS Advisor
Broadband Advisor
CareerOne
Get a job Careerone
Sponsored Links