KrebsOnSecurity has discovered an unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for vulnerabilities that can be used to install malware.
The botnet, dubbed Advanced Power by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.
The malware is apparently distributed as a Mozilla Firefox add-on called Microsoft .NET Framework Assistant. It’s worth noting that “Microsoft .NET Framework Assistant” is a genuine add-on developed by Microsoft. The attackers are simply leveraging the name of the real extension.
The malicious code comes from sources referenced in this Malwar writeup and this Virustotal entry. On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”. The malicious add-on then conducts tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.
Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.
“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”
Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.
SQL injections are some of the most common Web site attacks partly because these vulnerabilities are extremely widespread. According to a report (PDF) released earlier this year from Web site security firm Imperva, while most Web applications receive four or more attack campaigns each month, some Websites are constantly under attack particularly Web apps at retail sites.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
The botnet, dubbed Advanced Power by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.The malware is apparently distributed as a Mozilla Firefox add-on called Microsoft .NET Framework Assistant. It’s worth noting that “Microsoft .NET Framework Assistant” is a genuine add-on developed by Microsoft. The attackers are simply leveraging the name of the real extension.
The malicious code comes from sources referenced in this Malwar writeup and this Virustotal entry. On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant”. The malicious add-on then conducts tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.
Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.
“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”
Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.
SQL injections are some of the most common Web site attacks partly because these vulnerabilities are extremely widespread. According to a report (PDF) released earlier this year from Web site security firm Imperva, while most Web applications receive four or more attack campaigns each month, some Websites are constantly under attack particularly Web apps at retail sites.
Author Venkatesh Yalagandula Follow us Google + and Facebook and Twitter
No comments:
Post a Comment