Asprox: dbrgf.ru

Another domain to look for in SQL injection attacks is dbrgf.ru, still calling script.js. Checking your proxy logs for ".ru/script.js" is a good idea at the moment.

It might also be worth checking for the string "google-analitycs" as the attacks redirect through a subdomain containing that mis-spelled phrase.

Asprox: lijg.ru and dbrgf.ru

A fresh round of SQL injections seem to be on the march, with (at least) two new domains being injected into vulnerable sites: www.lijg.ru and www.dbrgf.ru, calling a script named script.js.

This script redirects through an IFRAME pointing to google-analitycs.lijg.ru, although the payload is unclear.

Including some older domains, the following list seem to be active, either calling script.js or style.js.

• www.lijg.ru
• www.dbrgf.ru
• www.bnmd.kz
• www.nvepe.ru
• www.mtno.ru
• www.wmpd.ru
• www.msngk6.ru
• www.dft6s.kz

For the record, the domain registrations are as follows:

domain: LIJG.RU
type: CORPORATE
nserver: ns2.lijg.ru. 68.4.124.142
nserver: ns5.lijg.ru. 74.129.255.164
nserver: ns1.lijg.ru. 68.6.180.109
nserver: ns3.lijg.ru. 67.38.2.113
nserver: ns4.lijg.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN


domain: DBRGF.RU
type: CORPORATE
nserver: ns5.dbrgf.ru. 74.196.121.117
nserver: ns4.dbrgf.ru. 68.105.25.64
nserver: ns1.dbrgf.ru. 75.156.152.67
nserver: ns2.dbrgf.ru. 68.197.137.239
nserver: ns3.dbrgf.ru. 146.57.249.100
state: REGISTERED, DELEGATED
person: Andrey G Chalkov
phone: +7 495 9385996
e-mail: chalkov@laptopmix.net
registrar: NAUNET-REG-RIPN
created: 2009.01.20
paid-till: 2010.01.20
source: TC-RIPN

SQL injection: msngk6.ru, dft6s.kz and mcuve.cn

A new bunch of domains being used in SQL injection attacks at the moment:

• www.msngk6.ru
• www.dft6s.kz

These are calling a script called style.js and follow on from these, most likely the work of the Asprox gang. The registration details are probably fake, but for the record are:

domain: MSNGK6.RU
type: CORPORATE
nserver: ns2.msngk6.ru. 75.63.155.106
nserver: ns3.msngk6.ru. 146.57.249.100
nserver: ns1.msngk6.ru. 76.240.151.177
nserver: ns4.msngk6.ru. 24.247.215.75
state: REGISTERED, DELEGATED
person: Aleksandr A Zamaraev
phone: +7 495 7412992
e-mail: zamaraev@namebanana.net
registrar: NAUNET-REG-RIPN
created: 2008.12.17
paid-till: 2009.12.17
source: TC-RIPN

The domain mcuve.cn is different, calling 1.js. This is related to the recent 17gamo.com domain which exploits a number of things including this recent IE7 vulnerability.

Check your proxy logs for .cn/1.js and .ru/style.js plus .kz/style.js to keep on top of these. It is often worth monitoring all traffic to .cn, .ru and .kz domains for manual review.

Asprox SQL injections are back

The Silent Noise blog reports that a fresh round of SQL injection attacks by the Asprox crew are under way. They seem to be using a variety of .ru and .kz domain names, although at the moment they all redirect to 79.135.168.18 in the Lebanon.. the whole 79.135.168.* block is pretty bad and has been covered here before.

inetnum: 79.135.168.0 - 79.135.168.255
netname: LB-NET
descr: Lebanon private dedicated service
country: LB
admin-c: MHB1111-RIPE
tech-c: MHB1111-RIPE
remarks: abuse mailbox: moh.b@lubnannetworks.biz
status: ASSIGNED PA
mnt-by: SISTEM-NET-MNT
source: RIPE # Filtered

person: Mohamed Baga
address: Basha Garden bldg, 5th floor LB
address: Jisr El Bacha Main Road
address: Beirut - Lebanon
e-mail: moh.b@lubnannetworks.biz
remarks: abuse mailbox: moh.b@lubnannetworks.biz
phone: +961 1 512341
nic-hdl: MHB1111-RIPE
source: RIPE # Filtered

route: 79.135.160.0/19
descr: Sistemnet Telecom
origin: AS44097
mnt-by: Sistem-Net-MNT
source: RIPE # Filtered

The endpoint appears to be a PDF exploit running on 79.135.168.18 - it's worth blocking or checking for anyaccess to this server, and also check your logs for accesses to ".kz/style.js" and ".ru/style.js" too.

Currently active domains are:

• www.bnmd.kz
• www.nvepe.ru
• www.mtno.ru
• www.wmpd.ru

Some notable impacted sites:

• frontweb.vuse.vanderbilt.edu (Vanderbilt University)
• maryvillecollege.edu (Maryville College)
• guildford.ac.uk (Guildford University)
• many .gov.ar (Argentina) and .gov.cn (China) sites
• navigationusa.com (Online retailer)
• worldcricketstore.com (Online retailer)

A Google search and Yahoo search indicate the extent of the problem (obviously, you don't want to visit any of these impacted sites).

Asprox: 47mode.name, berjke.ru, 81dns.ru

There has been a shift overnight in the domains used in the Asprox SQL injection attack, the ones to look for are:

• 47mode.name
• berjke.ru
• 81dns.ru

Registration for the .ru domains looks like this:

domain: 81DNS.RU
type: CORPORATE
nserver: ns1.81dns.ru. 76.240.151.177
nserver: ns2.81dns.ru. 76.182.187.206
nserver: ns3.81dns.ru. 69.62.229.141
state: REGISTERED, DELEGATED
person: Private Person
phone: +3 212 7721130
fax-no: +3 212 7721130
e-mail: igorlsoloti@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.23
paid-till: 2009.10.23
source: TC-RIPN

47mode.name is different:

Registration Service Provided By: RESELL.BIZ
Contact: +1.3124476810
Website: http://Resell.biz

Domain Name: 47MODE.NAME

Registrant:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Creation Date: 21-Oct-2008
Expiration Date: 21-Oct-2009

Domain servers in listed order:
ns3.47mode.name
ns2.47mode.name
ns1.47mode.name

Administrative Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Technical Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Billing Contact:
Kimberly Maupin
Kimberly Maupin (pampaser@socialworker.net)
136 Lawndale Lane
Sneads Ferry
North Carolina,28640
US
Tel. +5.9103818739

Status:ACTIVE

It looks like "Kimberly Maupin" might well be a real person living in Sneads Ferry, who's identity has been "borrowed". However, the ZIP code is incorrect and the telephone number appears to be in Bolivia.

Anyway, block these domains or check your logs for them.

Asprox: lang42.ru

Another Asprox SQL injection domain to block / check for is lang42.ru. The following domains have been active in the past 24 hours:

• 53refer.ru
• chk06.ru
• driver95.ru
• errghr.ru
• lang42.ru
• netcfg9.ru
• sitevgb.ru
• vrelel.ru

As I've said before, completely blocking access to .ru domains for most businesses would be a huge problem. Most .ru sites are in Russian, and if you don't use Russian in your business they you can probably live without them.

Asprox: new domains

After being stable for some time, the Asprox SQL injection hacks are now redirecting through a new bunch of .ru domains.

• 30area.ru
• 4log-in.ru
• 53refer.ru
• chk06.ru
• driver95.ru
• errghr.ru
• netcfg9.ru
• sitevgb.ru
• vrelel.ru

WHOIS details are:

domain: ERRGHR.RU
type: CORPORATE
nserver: ns2.errghr.ru. 68.6.180.109
nserver: ns3.errghr.ru. 68.12.194.192
nserver: ns1.errghr.ru. 199.126.149.144
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727727
fax-no: +7 772 7727727
e-mail: retyi111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.10.09
paid-till: 2009.10.09
source: TC-RIPN

retyi111@yahoo.com has been used before for these domains and various other nasties. As usual, block these domains and/or check your logs for them.

Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkable stable with no new domains in the past week, and 88% of the traffic going to deryv.ru.

• ctiry.ru (3%)
• deryv.ru (88%)
• mentoe.ru (4%)
• mheop.ru (3%)
• pormce.ru (2%)

Consistently, the malware code is encrypted with eval(function(p,a,c,k,e,d) presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

• ctiry.ru
• deryv.ru
• mentoe.ru
• mheop.ru
• pormce.ru
• xenbv.ru

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL Injection Attacks in that they are now using a packer on their javascript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example)

You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence
of Javascript-based malware and the ever-increasing availability of bandwidth, Javascript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so perhaps if you use Javascript extensive and use a packing tool you might want to reconsider how you deploy Javascript on your site.

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru

The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

• mnbenio.ru
• mnicbre.ru
• pkseio.ru
• vtg43.ru

It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?

Asprox: mnicbre.ru, pkseio.ru and vtg43.ru

The domains used in the Asprox SQL Injection attacks have been stable for a few days now, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again with the following registation details:

domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN

The following domains have been active over the past 24 hours. Block these or check your logs for them (new ones are in bold):

• 22net.ru
• 64asp.ru
• 92prt.ru
• acr34.ru
• asl39.ru
• fst9.ru
• mnicbre.ru
• pkseio.ru
• sel92.ru
• vtg43.ru

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

• 51com.ru
• acr34.ru
• asl39.ru
• net83.ru

Asprox: 64do.com

Possibly the final Asprox domain on the day in 64do.com - add this to your block or scan list.

Asprox: "aspx" domains

Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.

• 24aspx.com
• 2aspx.net
• 6aspx.com
• 9aspx.net
• aspx46.com

These domains follow the same pattern as this one and this one.

Asprox: 19ssl.net

Another "druid00091@aol.com" domain (following on from this one and this one) , this type 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also has a copy of the (presumably legitimate) nescodirect.com site (this behavious is noted elsewhere).

Domain name: 19ssl.net

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net

Asprox: 24aspx.com

The latest domain name used in the recent Asprox SQL Injection attacks appears to be 24aspx.com. Perhaps the Asprox guys are boasting a little with the domain name? Certainly these SQL injection attacks still seem to serve a useful purpose for them, although the number of vulnerable servers keeps dropping. Anyway, block this one or check your logs for it.

The email addressed used to register this domain is identical to the one used for the "Luksus Jobs" scam email. No big news here, the Asprox botnet is used for a wide variety of things, it's just odd to see druid00091@aol.com come up twice in such a short period.

It's also notable that they've switched back to .com from .ru, but this time registered through Chinese registrar BIZCN.COM.

Domain name: 24aspx.com

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.24aspx.com
ns2.24aspx.com
ns3.24aspx.com

Created: 2008-09-06
Expires: 2009-09-06

"Job Opportunity at Luksus" / luksus-jobs.org scam

Luksus Media is a wholly legitimate Finnish company, but this attempt to recruit a money mule does not come from Luksus, just from a company trying to trade on its name.

This scam is being run by the same people behind the Asprox SQL injection attacks that have been doing to rounds (more information after the email).

---

Subject: Job Opportunity at Luksus

We have reviewed your resume and would like to introduce you to our
current vacancy.
Luksus, with headquarters in Helsinki, Finland, serves the luxury
lifestyle and offers unparalleled access to the finest luxury
goods. We offer a unique mix of brands, partnerships, and product
expertise. We are currently hiring, work at home positions, to
provide administrative assistance with sales in North America.
Candidates for the job should possess excellent organizational
skills as well as the ability to efficiently multi-task. Ideal
candidates have a strong focus on day-to-day operational
excellence. The candidate should be motivated, proactive, be able
to learn and adapt quickly.

Other duties include, but are not limited to:

* Incorporating effective priorities for the virtual office function
* Administer day-to-day financial responsibilities for clients
* Reporting online daily
* Preparing brief summary reports, and weekly financial reports

Salary part-time (3 hours per day, Monday-Friday): $1,200/month,
plus commission.

If you are interested in this position please send us an email to
Sandra.Collins@luksus-jobs.org expressing your interest and we will
forward you the detailed job description and the working agreement.

Thank You,
Luksus Team

---

Normally, WHOIS data is pretty useless, but sometimes the email address can give a clue:

Domain ID: D153950800-LROR
Domain Name: LUKSUS-JOBS.ORG
Created On: 28-Aug-2008 11: 34: 57 UTC
Last Updated On: 28-Aug-2008 14: 23: 25 UTC
Expiration Date: 28-Aug-2009 11: 34: 57 UTC
Sponsoring Registrar: Bizcn.com, Inc. (R1248-LROR)
Status: CLIENT TRANSFER PROHIBITED
Status: TRANSFER PROHIBITED
Registrant ID: orgfm19923291709
Registrant Name: Fero Muia
Registrant Organization: Fero Muia
Registrant Street1: 3213 po box
Registrant Street2:
Registrant Street3:
Registrant City: New York
Registrant State/Province: NY
Registrant Postal Code: 12310
Registrant Country: US
Registrant Phone: +1.9917721121
Registrant Phone Ext.:
Registrant FAX: +1.9917721121
Registrant FAX Ext.:
Registrant Email: druid00091@aol.com
Admin ID: orgfm19923292728
Admin Name: Fero Muia
Admin Organization: Fero Muia
Admin Street1: 3213 po box
Admin Street2:
Admin Street3:
Admin City: New York
Admin State/Province: NY
Admin Postal Code: 12310
Admin Country: US
Admin Phone: +1.9917721121
Admin Phone Ext.:
Admin FAX: +1.9917721121
Admin FAX Ext.:
Admin Email: druid00091@aol.com
Tech ID: orgfm19923293349
Tech Name: Fero Muia
Tech Organization: Fero Muia
Tech Street1: 3213 po box
Tech Street2:
Tech Street3:
Tech City: New York
Tech State/Province: NY
Tech Postal Code: 12310
Tech Country: US
Tech Phone: +1.9917721121
Tech Phone Ext.:
Tech FAX: +1.9917721121
Tech FAX Ext.:
Tech Email: druid00091@aol.com
Name Server: NS1.RELEASEBPB.COM
Name Server: NS2.RELEASEBPB.COM

druid00091@aol.com is an address being used to register today's latest SQL injection domains too, proving that they are linked. releasebpb.com is a set of name servers which are only associated with malware domains, ns1.releasebpb.com is on 194.150.120.47 on ns2.releasebpb.com is on 20.31.85.15.

This type of fraud doesn't use a website to entice people, but it is looking for an email response. In this case, email is delivered to mx.luksus-jobs.org on 12.192.82.225 which is on the AT&T network.

It's hard to tell which of these IPs are part of the Asprox botnet and which ones are rented (usually with fake credit card details). Nonetheless, it gives a glimpse into just how large and efficient these operations can be.

Asprox: jic2.ru

Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js"will help locate suspect activity.

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

• 2b24.ru
• cg33.ru
• cv2e.ru
• cv32.ru
• mc2n.ru
• mj5f.ru
• oc32.ru
• vwsc.ru

Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

• cg33.ru
• cv2e.ru
• cv32.ru
• mc2n.ru
• oc32.ru
• vwsc.ru

Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.

• beyry.ru
• cb3f.ru
• cnld.ru
• iopc4.ru
• iopoe.ru
• jetp6.ru
• loopk.ru
• netr2.ru
• okcd.ru
• nucop.ru
• port04.ru
• ueur3.ru
• vj64.ru

Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used is the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some ne wdomains have been registed, so check your logs and/or block the following:

• iopc4.ru
• jetp6.ru
• loopk.ru
• netr2.ru
• ueur3.ru

It is likely that some more will turn up during the course of the day.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

• 3njx.ru
• cb3f.ru
• cnld.ru
• nbh3.ru
• okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

• bcus2.ru
• jkn3.ru
• juc8.ru
• locm.ru

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no.. but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this - the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

• b4so.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• gty5.ru
• iroe.ru
• jve4.ru
• kj5s.ru
• kjwd.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• njep.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

• bs04.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

• bce8.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• pfd2.ru
• po4c.ru

One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.

• jve4.ru
• nmr43.ru
• po4c.ru

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

• cgt4.ru
• kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

• 4cnw.ru
• 4vrs.ru
• 5kc3.ru
• 90mc.ru
• 9jsr.ru
• bts5.ru
• chds.ru
• cvsr.ru
• d5sg.ru
• ecx2.ru
• gb53.ru
• h23f.ru
• jex5.ru
• jvke.ru
• keec.ru
• keje.ru
• kgj3.ru
• lkc2.ru
• lksr.ru

For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

• adwnetw.com
• adpzo.com
• ausbnr.com
• brcporb.ru
• btoperc.ru
• cdport.eu
• cdrpoex.com
• gbradde.tk
• grtsel.ru
• korfd.ru
• movaddw.com
• tctcow.com
• usabnr.com

ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

• adpzo.com
• adwnetw.com
• ausbnr.com
• bkpadd.mobi
• butdrv.com
• cdport.eu
• cdrpoex.com
• cliprts.com
• gbradde.tk
• gbradp.com
• gitporg.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
• tctcow.com
• tertad.mobi
• usabnr.com

These are still using ngg.js in the injected code.

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• crtbond.com
• destad.mobi
  
• destbnp.com
• drvadw.com
• gbradw.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
  
• tertad.mobi
  
• usaadw.com
• usabnr.com

No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

• bkpadd.mobi
• tctcow.com

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• cliprts.com
• crtbond.com
• destbnp.com
• drvadw.com
• gbradp.com
• gbradw.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• tctcow.com
• usaadp.com
• usaadw.com
• usabnr.com

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

• adbtch.com
• aladbnr.com
• allocbn.mobi
• adwadb.mobi
• apidad.com
• appdad.com
• asodbr.com
• asslad.com
• blcadw.com
• blockkd.com
• bnradd.mobi
• bnrbase.com
• bnrbasead.com
• bnrbtch.com
• browsad.com
• brsadd.com
• canclvr.com
• catdbw.mobi
• clrbbd.com
• dbgbron.com
• ktrcom.com
• loctenv.com
• lokriet.com
• mainadt.com
• mainbvd.com
• portadrd.com
• portwbr.com
• stiwdd.com
• ucomddv.com
• upcomd.com

If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

• adwadb.mobi
• allocbn.mobi
• canclvr.com
• catdbw.mobi
• ktrcom.com
• lokriet.com
• mainbvd.com
• portwbr.com
• stiwdd.com
• testwvr.com
  
• upcomd.com
• ucomddv.com
  

The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

• adupd.mobi
• adwste.mobi
• bnrupdate.mobi
• cntrl62.com
• config73.com
• cont67.com
• csl24.com
• debug73.com
• default37.com
• get49.net
• pid72.com
• pid76.net
• web923.com

Best advice to to block access to these sites and check your logs.

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.