

VIRUS ALERTS

Asprox Botnet

Original issue date: July 17, 2008
Updated: August 01, 2008; November 03, 2008

It has been observed that a Trojan horse named Asprox is spreading widely.

The Trojan, which was originally used for sending phishing scams, now uses fast-flux SQL injection attacks to compromise websites and build a botnet.

This Trojan contains an automated SQL injection attack tool, identified as the executable “msscntr32.exe” (HackTool:W32/Agent.B), which masquerades as a system service named Microsoft Security Center Extension. When launched it searches Google for vulnerable Microsoft Active Server Pages sites and injects an iframe into their pages that redirects visitors to fraudulent domains.

The sites also try to install WinFixer, a notorious software title that falsely tells users they are infected by malware in an attempt to trick them into buying bogus anti-malware products.

Asprox runs as a hidden proxy on the compromised computer and as a service on every Windows startup.

Aliases:

         Mal/Badsrc-C (Sophos)
         Trojan.Asprox.D (BitDefender)
         Trojan:JS/Aseljo.A (Microsoft)

Upon execution the Trojan:

  • Creates the following files
    • %System%\aspimgr.exe
    • %Windir%\s32.txt
    • %Windir%\db32.txt
    • %Windir%\g32.txt
    • %Windir%\gs32.txt
    • %Temp%\_check32.bat

  • Creates the following registry subkeys
    • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Sft

  • Opens a proxy server on one of the following ports
    • TCP port 80 or 82

  • Sends HTTP requests to the following locations
    • [http://]www DOT yahoo DOT com
    • [http://]ns DOT uk2 DOTnet
    • [http://]208 DOT 109 DOT 50 DOT 117/foru[REMOVED]
    • [http://]208 DOT 109 DOT 51 DOT 140/foru[REMOVED]
    • [http://]216 DOT 69 DOT 164 DOT 173/foru[REMOVED]
    • [http://]74 DOT 52 DOT 72 DOT 58/foru[REMOVED]
    • [http://]216 DOT 40 DOT 204 DOT 106/foru[REMOVED]

Note: The initial HTTP GET request has the following contents (the hex-encoded payload is truncated as on the original page):

    GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200
    www.example.com
    HTTP/1.1
    Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
    Accept-Language: en-gb
    Accept-Encoding: deflate
    User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25
    Host: www.example.com
    Connection: Close
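As an added example (not part of the CERT-In advisory), the following Python scans web-server access-log lines for the DECLARE/SET/CAST(0x...) pattern seen in the request above and decodes the hex the way SQL Server does for a binary literal cast to NVARCHAR (UTF-16LE), so an analyst can read what was injected. The log lines are constructed; the hex is the advisory's own truncated sample re-joined into one token.

```python
import re
import urllib.parse

# The hex payload from the advisory's sample GET request, re-joined into one
# token (it is truncated on the page, so it ends on a partial code unit).
ADVISORY_HEX = (
    "4400450043004C004100520045002000400054002000760061007200630068006100720028003200350035002900"
    "2C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00"
    "410052004500200"
)

# Constructed access-log lines (not from the advisory): a benign request and
# one carrying the injected payload, URL-encoded as it arrives at the server.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Jul/2008:10:01:02 +0530] "GET /page.asp?id=425 HTTP/1.1" 200 512',
    '10.0.0.9 - - [17/Jul/2008:10:01:07 +0530] "GET /page.asp?id=425;DECLARE%20@S%20'
    "NVARCHAR(4000);SET%20@S=CAST(0x" + ADVISORY_HEX + ' HTTP/1.1" 200 512',
]

# DECLARE @v NVARCHAR(n);SET @v=CAST(0x<hex>  -- the backreference ties the SET
# to the variable the DECLARE introduced, which cuts down on false positives.
PAYLOAD_RE = re.compile(
    r"DECLARE\s+@(\w+)\s+N?VARCHAR\(\d+\)\s*;\s*SET\s+@\1\s*=\s*CAST\(\s*0x([0-9a-f]+)",
    re.IGNORECASE,
)


def decode_payload(hex_text):
    """Decode a CAST(0x...) argument; SQL Server reads the bytes as UTF-16LE."""
    # Drop a trailing partial code unit so a truncated capture still decodes.
    hex_text = hex_text[: len(hex_text) - len(hex_text) % 4]
    return bytes.fromhex(hex_text).decode("utf-16-le", errors="replace")


def scan_log(lines):
    """Return (client_ip, decoded_sql) for each line carrying the payload."""
    hits = []
    for line in lines:
        # URL-decode first so %20 becomes a space and the regex sees plain SQL.
        match = PAYLOAD_RE.search(urllib.parse.unquote(line))
        if match:
            hits.append((line.split(" ", 1)[0], decode_payload(match.group(2))))
    return hits


if __name__ == "__main__":
    for ip, sql in scan_log(SAMPLE_LOG):
        print(ip, "->", sql)
```

Run against real IIS or Apache logs, the decoded text is what to look at: the advisory's sample decodes to the opening of a cursor-based script, which is a much stronger indicator than the presence of "DECLARE" alone.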

In view of the rapid propagation of Asprox, users are advised to implement the following countermeasures:

  • Delete the processes, files and registry keys added by the Trojan
    • Kill process
      aspimgr.exe
    • Delete registry keys
      HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
      HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\sft
    • Delete files
      aspimgr.exe, _check32.bat, ws386.ini

  • Install and maintain updated anti-virus software at gateway and desktop level.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Install and maintain a desktop firewall and block the ports that are not required.

  • Prevent SQL injection by:
    • Enable request validation by setting validateRequest="true" in the Page directive or in the configuration section.
    • Input filtering: properly sanitize user input data.
    • Watch for cross-site scripting payloads appended to URLs after special characters such as #, e.g.
      http://www.vulnerable.site/welcome.html#name=<script>alert(document.cookie)<script>
    • Turn all inline SQL code into stored procedures, take all rights away from the SQL account the website uses, and grant EXEC rights on each stored procedure to that account.
    • Output filtering: filter user data when it is sent back to the user's browser.
    • Use a db_reader account for your website instead of db_owner.
    • Disable client-side scripting.
    • Use signed scripting: implement “signed scripting” such that any script with an invalid or untrusted signature does not run automatically.

  • CERT-In has released a current activity note suggesting steps to mitigate the risk from SQL injection. For details refer to
    http://www.cert-in.org.in/currentacts/currentact07.htm#SIW
  • Update the NIPS/NIDS signatures as given in http://www.secureworks.com/research/threats/danmecasprox/
  • Cisco has released steps to prevent Asprox attacks at the router level. For details refer to
    http://cisconews.co.uk/2008/07/09/asprox-sql-injection-attacks-block-them-using-a-cisco-router/
  • Configure email server to block or remove email that contains file attachments that are commonly used to spread viruses, such as .vbs, .bat, .exe, .pif and .scr files.

References

http://isc.sans.org/diary.html?storyid=5092
http://www.secureworks.com/research/threats/danmecasprox/
http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99
http://www.heise-online.co.uk/security/Asprox-botnet-now-equipped-with-SQL-injection-tool--/news/110742
http://www.microsoft.com/security/portal/Entry.aspx?name=Trojan%3aJS%2fAseljo.A
http://www.cert-in.org.in/currentacts/currentact07.htm#MSIJS
http://www.cert-in.org.in/currentacts/currentact07.htm#SIW
http://www.cert-in.org.in/currentacts/currentact07.htm#SIAE
http://www.antivirusprogram.se/virusinfo/Trojan.Asprox_14937.html
http://www.symantec.com/security_response/writeup.jsp?docid=2007-060812-4603-99&tabid=2
http://blog.trendmicro.com/yamsia-yet-another-massive-sql-injection-attack/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ASPROX.A

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003