It looks like the Asprox SQL Injection (SQLi) agent is rearing its ugly head again – launching a barrage of SQLi attempts against probable vulnerable Web applications and their backend databases in an attempt to inject some malicious iframe content. This particular botnet agent has attempted to do this multiple times in the past, but appears to have recently awoken from its slumber.
Asprox uses an automated process to identify potentially vulnerable Web sites and pummel away with SQLi exploits. It’s not a particular intelligent nor advanced attack, but it tends to get the job done. The end goal is to inject a malicious iframe content into the targeted Web site’s content such that any visitors or customers of the exploited Web site will be served the iframe content – which would then cause their Web browser to access externally hosted malicious content designed to exploit the victims computer and install bot agents on them.
I use the term “targeted” very lightly here. Its not as if the Aspbros SQLi agent is pre-programed to target a specific organization – rather, it cycles through a list of potentially vulnerable Web sites based upon the results of public Internet searches. Which – for better or worse – means that vulnerable Web sites get “targeted” because of the software they are running and their patch level, rather than because they’re XYZ or affiliated with ABC.
That said, I was actually presenting on the topic of botnets being used for SQLi a couple of weeks back at Hacker Halted 2009 in Miami. Many of the SQLi agents botnets currently use are pretty dumb – resulting in the same vulnerable sites being hit multiple times by other members of the botnet. In the past I’ve seen some vulnerable Web sites getting “hacked” through SQLi several thousand times within a day by the same botnet with the same malicious iframe injections.
For example, check out the process below…
Newer, more intelligent SQLi-oriented botnets do it a little different – and are more efficient in their attacks. Newer botnet SQLi attacks take a more coordinated stance in their attacks – making better use of the command and control (CnC) infrastructure to eliminate duplicated efforts. For example, see the slide below…
The net result is a much faster attack against a much broader list of potential targets.
Things are moving further than simple SQLi. Given the advanced state of many botnet agents scripting interfaces, some botnet operators are also going down the Blind SQLi route.
Traditionally Blind SQLi was rarely used as an attack vector – mostly because it takes quite a bit of time to exploit systems using it. Even professional penetration testers would typically only go as far as using the technique to enumerate the backend database version info (to prove to their customer that they were vulnerable) rather than attempt to enumerate the entire database.
Botnets bring a lot of power to Blind SQLi attacks. For example:
As you can see, botnets are a tremendous force multiplier in this class of attack – making it feasible to successfully launch a Blind SQLi attack and enumerate/extract data from backend systems.
Having said all that, while Asprox is a fairly dumb SQLi agent compared to some of the other botnet operations out there today, it’s more than sufficient to be successful against many thousands of vulnerable Web applications. Make sure you pentest your Web applications regularly and fix and SQLi or Blind SQLi vulnerabilities immediately.
– Gunter Ollmann, VP Research