Fast Flux Botnet Delivers New Wave of SQL Injection
The Asprox botnet began pumping out a fresh round of SQL injection attacks yesterday. Asprox has been implicated in several waves of SQL injection throughout June, and this latest round of compromises has drawn the most traffic STAT has observed this month.
The Asprox botnet turns infected computers (bots) into the attack mechanism. Some of the bots are instructed to download the SQL injection attack tool, which queries search engines for susceptible sites and attempts to exploit any it finds. A successful exploit results in a compromised website that silently attempts to infect its visitors' computers. Other bots serve as hosts for the malware; these hosts appear to be running the Neosploit framework. Asprox uses fast flux, so a single malware domain referenced by a compromised site may resolve to any one of a number of IP addresses, each of them an attacker-controlled victim computer commandeered to act as a malware host. The practical consequence is that blocking a single IP address does little; the domain name is the stable indicator.
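The fast-flux behaviour described above shows up in resolver logs as one name returning a constantly changing set of addresses with short TTLs. The following is an added example (not code from the original post or from ScanSafe) of a simple heuristic over such a log. The log entries, names and addresses are constructed placeholders in the RFC 5737 documentation ranges, not real Asprox data; the thresholds (six distinct A records, three distinct /24s, TTL at or below 300 seconds) are assumptions chosen for the sample, and /24 diversity is used as a stand-in for the ASN diversity that published flux-score work (Holz et al., NDSS 2008) relies on.

```python
"""Fast-flux heuristic over a constructed DNS answer log (added example)."""
from collections import defaultdict
from ipaddress import ip_network

# Constructed resolver log: (seconds since first query, queried name, TTL, A records).
# Names, addresses and TTLs are placeholders, not observed Asprox data.
SAMPLE_ANSWERS = [
    (0,   "flux.example",   180,  ["198.51.100.7", "203.0.113.40", "192.0.2.19"]),
    (200, "flux.example",   180,  ["203.0.113.88", "198.51.100.203", "192.0.2.77"]),
    (400, "flux.example",   120,  ["192.0.2.130", "203.0.113.9", "198.51.100.150"]),
    (600, "flux.example",   180,  ["198.51.100.7", "192.0.2.201", "203.0.113.177"]),
    (0,   "static.example", 3600, ["192.0.2.50"]),
    (300, "static.example", 3600, ["192.0.2.50"]),
    # Round-robin pool in one network: many IPs but no network diversity.
    (0,   "cdn.example",    60,   ["192.0.2.10", "192.0.2.11"]),
    (60,  "cdn.example",    60,   ["192.0.2.12", "192.0.2.10"]),
    (120, "cdn.example",    60,   ["192.0.2.11", "192.0.2.13"]),
]


def summarize(answers):
    """Per-name counters: distinct A records, distinct /24s, lowest TTL, lookups."""
    stats = defaultdict(lambda: {"ips": set(), "nets": set(), "min_ttl": None, "lookups": 0})
    for _ts, name, ttl, ips in answers:
        s = stats[name]
        s["lookups"] += 1
        s["min_ttl"] = ttl if s["min_ttl"] is None else min(s["min_ttl"], ttl)
        for ip in ips:
            s["ips"].add(ip)
            # /24 diversity stands in for ASN diversity (assumption): commandeered
            # home PCs sit in many unrelated networks, a CDN or round-robin pool
            # usually does not.
            s["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
    return stats


def is_fast_flux(s, min_ips=6, min_nets=3, max_ttl=300):
    """Many distinct IPs, spread over several networks, served with short TTLs."""
    return (len(s["ips"]) >= min_ips
            and len(s["nets"]) >= min_nets
            and s["min_ttl"] is not None and s["min_ttl"] <= max_ttl)


def flag_fast_flux(answers, **thresholds):
    """Sorted list of names in the log that look fast-flux under the thresholds."""
    return sorted(name for name, s in summarize(answers).items()
                  if is_fast_flux(s, **thresholds))


if __name__ == "__main__":
    for name, s in summarize(SAMPLE_ANSWERS).items():
        print(f"{name:16} ips={len(s['ips']):2} nets={len(s['nets'])} "
              f"min_ttl={s['min_ttl']:4} lookups={s['lookups']} "
              f"{'FAST-FLUX' if is_fast_flux(s) else ''}")
```

The network-diversity check is what keeps a legitimate round-robin pool or CDN (many addresses, one or two networks) from being flagged alongside a botnet-hosted domain whose addresses belong to unrelated consumer networks. On real resolver data, swap the /24 lookup for an ASN lookup and tune the thresholds against known-good high-traffic names before alerting.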
Interestingly, a large number of the compromised sites seen in traffic appear to be from the manufacturing sector, particularly companies involved in the manufacture or distribution of heating and cooling systems. Because ScanSafe's view comes from scanning customers' Web requests in real time, this slant more likely reflects a seasonal uptick in traffic to heating and cooling sites than any deliberate targeting of the sector by the attackers. A broader look at compromised sites via search engine queries reveals no particular sector bias.
The June attacks continue to be a departure from attacks observed in May 2008 and previous waves of SQL injection. The earlier SQL injection attacks delivered customizable password stealers, were largely carried out with a tool whose interface was in Chinese, contained script references to China, and had other distinguishing characteristics pointing to origins in China. Beginning in late May and continuing through June, the SQL injection characteristics shifted, seemingly pointing to a different group of attackers. For one thing, the Asprox botnet is believed to be heavily involved in spam and phishing campaigns. In addition, the malware dropped in the June SQL injection attacks has shifted to backdoors and proxy Trojans, infections which add to the overall size of the Asprox botnet. The June attacks also appear to have some roots in Ukraine and Malaysia, rather than China.
Following is a partial list of domain names involved in the June SQL injection attacks carried out by the Asprox botnet:
adwbnr.com
alzhead.com
app52.com
appid37.com
apps84.com
asp707.com
aspssl63.com
aspx49.com
base48.com
batch29.com
bin963.com
bios47.com
bnradw.com
chinabnr.com
chkadw.com
chkbnr.com
coldwop.com
hlpgetw.com
lang34.com
pingadw.com
pingbnr.com
rid34.com
tid62.com
update34.com
westpacsecuresite.com
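Since the domain, not the IP address, is the stable indicator for a fast-flux malware host, the list above is most useful as a match list for injected script references in page content and for requests in proxy logs. The following is an added example (not code from the original post or from ScanSafe) that does both. The domain set is taken from the list above; the HTML page, the script paths (`/x.js`), the proxy log format and its lines are constructed for the example and are not observed data.

```python
"""Match script references and proxy requests against the Asprox domain list (added example)."""
import re
from urllib.parse import urlsplit

# Partial list of Asprox malware-host domains, as published in the post above.
ASPROX_DOMAINS = {
    "adwbnr.com", "alzhead.com", "app52.com", "appid37.com", "apps84.com",
    "asp707.com", "aspssl63.com", "aspx49.com", "base48.com", "batch29.com",
    "bin963.com", "bios47.com", "bnradw.com", "chinabnr.com", "chkadw.com",
    "chkbnr.com", "coldwop.com", "hlpgetw.com", "lang34.com", "pingadw.com",
    "pingbnr.com", "rid34.com", "tid62.com", "update34.com",
    "westpacsecuresite.com",
}

# src attribute of a <script> tag, quoted or unquoted.
SCRIPT_SRC_RE = re.compile(r"""<script\b[^>]*?\bsrc\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)

# Constructed page as a compromised site might serve it: two injected script
# references sitting inside database-backed text, next to the site's own includes.
# The /x.js paths are placeholders, not observed paths.
SAMPLE_HTML = """<html><head><title>Product catalog</title>
<script src="/js/site.js"></script></head>
<body><h1>Heating and cooling systems</h1>
<p>Furnace model 2000<script src="http://www.lang34.com/x.js"></script></p>
<p>Contact us<script src=http://bios47.com/x.js></script></p>
<script src="//cdn.example/jquery.js"></script>
</body></html>"""

# Constructed proxy log, assumed format: "<timestamp> <client_ip> <method> <url> <status>".
SAMPLE_PROXY_LOG = [
    "2008-06-27T09:12:01Z 10.0.0.15 GET http://www.hvac-parts.example/catalog.asp?id=12 200",
    "2008-06-27T09:12:02Z 10.0.0.15 GET http://www.lang34.com/x.js 200",
    "2008-06-27T09:14:40Z 10.0.0.22 GET http://update34.com/x.js 200",
    "2008-06-27T09:15:03Z 10.0.0.22 GET http://news.example/ 200",
    "malformed line",
]


def host_of(url):
    """Lower-cased host of an absolute or scheme-relative URL; '' for a relative path."""
    host = urlsplit(url).hostname or ""
    return host.lower().rstrip(".")


def matches_ioc(host, iocs=ASPROX_DOMAINS):
    """True if host is an IOC domain or any subdomain of one (www.lang34.com -> lang34.com)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in iocs for i in range(len(labels) - 1))


def find_injected_scripts(html, iocs=ASPROX_DOMAINS):
    """Script src URLs on a page whose host matches the IOC list, in page order."""
    return [src for src in SCRIPT_SRC_RE.findall(html) if matches_ioc(host_of(src), iocs)]


def scan_proxy_log(lines, iocs=ASPROX_DOMAINS):
    """(client_ip, url) pairs for requests to IOC hosts; malformed lines are skipped."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 5:
            continue
        url = parts[3]
        if matches_ioc(host_of(url), iocs):
            hits.append((parts[1], url))
    return hits


if __name__ == "__main__":
    print("injected script references:", find_injected_scripts(SAMPLE_HTML))
    print("proxy requests to malware hosts:", scan_proxy_log(SAMPLE_PROXY_LOG))
```

Suffix matching matters because the compromised pages reference the malware domain with and without a `www.` label, and the same list then serves both the page scanner and the log scanner. In proxy data the request to the malware host is the reliable signal; the compromised site is the page the same client fetched immediately before it (or the Referer of the script request), which is how the heating-and-cooling pattern noted earlier was visible at all.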