Tuesday, 26 August 2008

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows; new ones are in bold.
  • beyry.ru
  • cb3f.ru
  • cnld.ru
  • iopc4.ru
  • iopoe.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • okcd.ru
  • nucop.ru
  • port04.ru
  • ueur3.ru
  • vj64.ru
Check your logs or block these domains. Most businesses outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI script (/cgi-bin/index.cgi?lle) in your logs to find potentially infected client PCs.
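As an added illustration of the "check your logs" advice above (this is not code from the original post), the script below scans web-server access-log lines for the three indicators this post gives: hits on the local redirect CGI (/cgi-bin/index.cgi?lle), requests to any of the listed .ru domains, and requests for one of the campaign's script names (ngg.js, js.js, script.js) on a .ru host that is not yet on the list. The log lines, the client addresses and the host unlisted-example.ru are constructed for the example; the domains, script names and CGI path are the ones from the post.

```python
"""Scan access-log lines for the Asprox indicators listed in the post.

Added example, not part of the original blog post.  The sample log lines,
client IPs and the host unlisted-example.ru are constructed; the domains,
script names and CGI path come from the post.
"""
import re
from urllib.parse import urlparse

# Malware domains listed in the 26 August 2008 post.
ASPROX_DOMAINS = {
    "beyry.ru", "cb3f.ru", "cnld.ru", "iopc4.ru", "iopoe.ru", "jetp6.ru",
    "loopk.ru", "netr2.ru", "okcd.ru", "nucop.ru", "port04.ru", "ueur3.ru",
    "vj64.ru",
}
# Script names the injected tag has used over the course of the campaign.
ASPROX_SCRIPTS = {"ngg.js", "js.js", "script.js"}
# Redirect script on the local domain that the post says script.js calls.
ASPROX_CGI = "/cgi-bin/index.cgi?lle"

# Apache/nginx "combined" log format; proxy logs put a full URL in the path field.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def _bare_host(host):
    """Lower-case a hostname and drop a leading 'www.' so it matches the list."""
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def classify(line):
    """Return a list of (indicator, detail) hits for one log line, [] if clean."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    client, path = m.group("client"), m.group("path")
    # 1. A request for the redirect CGI on our own server: that client executed
    #    the injected javascript, so it is a candidate for cleanup.
    if path.startswith(ASPROX_CGI):
        hits.append(("redirect-cgi", client))
    # 2. Proxy-style entries carry the full URL: a request to a listed domain, or
    #    for a known script name on any .ru host, shows a client followed the chain.
    if path.startswith(("http://", "https://")):
        url = urlparse(path)
        host = _bare_host(url.hostname or "")
        script = url.path.rsplit("/", 1)[-1].lower()
        if host in ASPROX_DOMAINS:
            hits.append(("malware-domain", host))
        elif host.endswith(".ru") and script in ASPROX_SCRIPTS:
            hits.append(("ru-script", host))  # unlisted host, same script name
    return hits


def scan(lines):
    """Aggregate hits over many lines as {indicator: {detail: count}}."""
    report = {}
    for line in lines:
        for kind, detail in classify(line):
            bucket = report.setdefault(kind, {})
            bucket[detail] = bucket.get(detail, 0) + 1
    return report


# Constructed sample log: two clean requests, two CGI hits from one client,
# one fetch from a listed domain and one from an unlisted .ru host.
SAMPLE_LOG = """\
10.0.0.5 - - [26/Aug/2008:09:14:02 +0200] "GET /index.asp?id=12 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.5 - - [26/Aug/2008:09:14:03 +0200] "GET /cgi-bin/index.cgi?lle HTTP/1.1" 302 210 "http://www.example.org/index.asp?id=12" "Mozilla/4.0"
10.0.0.9 - - [26/Aug/2008:09:20:11 +0200] "GET http://www.beyry.ru/script.js HTTP/1.1" 200 1840 "http://www.example.org/index.asp?id=12" "Mozilla/4.0"
10.0.0.9 - - [26/Aug/2008:09:20:12 +0200] "GET http://www.unlisted-example.ru/script.js HTTP/1.1" 200 1840 "-" "Mozilla/4.0"
10.0.0.7 - - [26/Aug/2008:09:25:40 +0200] "GET /images/logo.gif HTTP/1.1" 200 944 "-" "Mozilla/4.0"
10.0.0.5 - - [26/Aug/2008:09:31:55 +0200] "GET /cgi-bin/index.cgi?lle HTTP/1.1" 302 210 "-" "Mozilla/4.0"
"""

if __name__ == "__main__":
    for kind, details in sorted(scan(SAMPLE_LOG.splitlines()).items()):
        for detail, count in sorted(details.items()):
            print(f"{kind:15} {detail:28} {count}")
```

The "ru-script" bucket is the useful one once the listed domains go stale: the script name has changed only three times in two months of posts, while the domains change daily, so matching on the script name catches the next batch before it is published anywhere.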

Friday, 22 August 2008

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used in the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some new domains have been registered, so check your logs and/or block the following:

  • iopc4.ru
  • jetp6.ru
  • loopk.ru
  • netr2.ru
  • ueur3.ru

It is likely that some more will turn up during the course of the day.

Friday, 15 August 2008

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Thursday, 14 August 2008

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

  • 3njx.ru
  • cb3f.ru
  • cnld.ru
  • nbh3.ru
  • okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru; there are probably many more on the way soon.

  • bcus2.ru
  • jkn3.ru
  • juc8.ru
  • locm.ru

Tuesday, 12 August 2008

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no, but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this: the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

Saturday, 9 August 2008

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet: this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Tuesday, 5 August 2008

Asprox domains: 5/8/08

Current Asprox domains to look for in your logs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Saturday, 2 August 2008

Asprox domains: 2/8/08

These are the currently active Asprox domains to check for. They are all very recent registrations.

  • 8hcs.ru
  • 98hs.ru
  • bgsr.ru
  • bywd.ru
  • ibse.ru
  • ncbw.ru
  • nwj4.ru
  • ojns.ru
  • porv.ru
  • uhwc.ru

Tuesday, 29 July 2008

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

  • b4so.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • gty5.ru
  • iroe.ru
  • jve4.ru
  • kj5s.ru
  • kjwd.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • njep.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru

Monday, 28 July 2008

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

  • bs04.ru
  • bce8.ru
  • bjxt.ru
  • bnsr.ru
  • bosf.ru
  • bsko.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncb2.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • oics.ru
  • pfd2.ru
  • po4c.ru
ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Friday, 25 July 2008

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

  • bce8.ru
  • ch35.ru
  • iroe.ru
  • jve4.ru
  • kjwd.ru
  • kodj.ru
  • kpo3.ru
  • kr92.ru
  • ncwc.ru
  • nemr.ru
  • nmr43.ru
  • pfd2.ru
  • po4c.ru
One oddity: the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google lists zvz.cc as a malware-infected site; it is hard to tell, though, whether this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details, but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Thursday, 24 July 2008

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains have gone live in the past few hours, with probably some more on the way. Either block these or check your logs if you are a network admin.
  • jve4.ru
  • nmr43.ru
  • po4c.ru

Wednesday, 23 July 2008

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

  • cgt4.ru
  • kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew: these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for; I suspect that vrcgoo.js might be a new name to keep an eye out for too.

  • 4cnw.ru
  • 4vrs.ru
  • 5kc3.ru
  • 90mc.ru
  • 9jsr.ru
  • bts5.ru
  • chds.ru
  • cvsr.ru
  • d5sg.ru
  • ecx2.ru
  • gb53.ru
  • h23f.ru
  • jex5.ru
  • jvke.ru
  • keec.ru
  • keje.ru
  • kgj3.ru
  • lkc2.ru
  • lksr.ru
For most organisations, blocking the entire .ru TLD will probably do no harm, as these are almost always Russian-language sites.

Wednesday, 16 July 2008

Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

  • adwnetw.com
  • adpzo.com
  • ausbnr.com
  • brcporb.ru
  • btoperc.ru
  • cdport.eu
  • cdrpoex.com
  • gbradde.tk
  • grtsel.ru
  • korfd.ru
  • movaddw.com
  • tctcow.com
  • usabnr.com
ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Tuesday, 15 July 2008

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

  • adpzo.com
  • adwnetw.com
  • ausbnr.com
  • bkpadd.mobi
  • butdrv.com
  • cdport.eu
  • cdrpoex.com
  • cliprts.com
  • gbradde.tk
  • gbradp.com
  • gitporg.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tctcow.com
  • tertad.mobi
  • usabnr.com
These are still using ngg.js in the injected code.

Thursday, 10 July 2008

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • crtbond.com
  • destad.mobi
  • destbnp.com
  • drvadw.com
  • gbradw.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • porttw.mobi
  • pyttco.com
  • tertad.mobi
  • usaadw.com
  • usabnr.com
No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

  • bkpadd.mobi
  • tctcow.com

Wednesday, 9 July 2008

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

  • adwnetw.com
  • ausadd.com
  • ausbnr.com
  • bnsdrv.com
  • butdrv.com
  • cdrpoex.com
  • cliprts.com
  • crtbond.com
  • destbnp.com
  • drvadw.com
  • gbradp.com
  • gbradw.com
  • hdrcom.com
  • loopadd.com
  • movaddw.com
  • nopcls.com
  • tctcow.com
  • usaadp.com
  • usaadw.com
  • usabnr.com

Monday, 7 July 2008

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains is active today; it also seems that those from 3rd July are still running. I advise that you check your logs for these or block them:

  • adbtch.com
  • aladbnr.com
  • allocbn.mobi
  • adwadb.mobi
  • apidad.com
  • appdad.com
  • asodbr.com
  • asslad.com
  • blcadw.com
  • blockkd.com
  • bnradd.mobi
  • bnrbase.com
  • bnrbasead.com
  • bnrbtch.com
  • browsad.com
  • brsadd.com
  • canclvr.com
  • catdbw.mobi
  • clrbbd.com
  • dbgbron.com
  • ktrcom.com
  • loctenv.com
  • lokriet.com
  • mainadt.com
  • mainbvd.com
  • portadrd.com
  • portwbr.com
  • stiwdd.com
  • ucomddv.com
  • upcomd.com
If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Thursday, 3 July 2008

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

  • adwadb.mobi
  • allocbn.mobi
  • canclvr.com
  • catdbw.mobi
  • ktrcom.com
  • lokriet.com
  • mainbvd.com
  • portwbr.com
  • stiwdd.com
  • testwvr.com
  • upcomd.com
  • ucomddv.com
The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replacing the domain name with the site you want to monitor).
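The Google Alerts search string above looks for the tell-tale injected tag from outside; the same check can be run against your own page source or database text columns directly. The script below, an added example rather than anything from the original post, extracts every off-site `<script src=http://...js>` tag (quoted or, as the injection produces, unquoted), then grades each one against the domains and script names listed in this post. The HTML, the own-site host www.example.org and the hosts unlisted-example.com and cdn.example.net are constructed for the example.

```python
"""Find off-site <script src=...js> tags injected into page content.

Added example, not part of the original blog post.  The sample HTML and the
hosts example.org, unlisted-example.com and cdn.example.net are constructed;
the listed domains and script names come from the 3 July 2008 post.
"""
import re
from urllib.parse import urlparse

# Domains listed in the 3 July 2008 post.
LISTED_DOMAINS = {
    "adwadb.mobi", "allocbn.mobi", "canclvr.com", "catdbw.mobi", "ktrcom.com",
    "lokriet.com", "mainbvd.com", "portwbr.com", "stiwdd.com", "testwvr.com",
    "upcomd.com", "ucomddv.com",
}
# Script names the post says the injected tag has used.
KNOWN_SCRIPT_NAMES = {"ngg.js", "b.js", "m.js"}

# src may be unquoted, single- or double-quoted; the backreference (?P=q)
# requires the closing quote to match the opening one (or both to be absent).
SCRIPT_TAG_RE = re.compile(
    r"""<script\b[^>]*\bsrc\s*=\s*(?P<q>["']?)(?P<src>https?://[^"'\s>]+\.js)(?P=q)[^>]*>""",
    re.IGNORECASE,
)


def _bare_host(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def find_external_scripts(html):
    """Return every absolute http(s) .js URL referenced by a <script> tag."""
    return [m.group("src") for m in SCRIPT_TAG_RE.finditer(html)]


def suspicious_scripts(html, own_hosts):
    """Return [(src, reason)] for script tags that do not point at our own hosts.

    own_hosts: set of bare hostnames (no 'www.') that legitimately serve our scripts.
    """
    own = {_bare_host(h) for h in own_hosts}
    findings = []
    for src in find_external_scripts(html):
        url = urlparse(src)
        host = _bare_host(url.hostname or "")
        name = url.path.rsplit("/", 1)[-1].lower()
        if host in own:
            continue  # our own script, nothing to report
        if host in LISTED_DOMAINS:
            findings.append((src, "listed Asprox domain"))
        elif name in KNOWN_SCRIPT_NAMES:
            findings.append((src, "known Asprox script name on unlisted host"))
        else:
            findings.append((src, "unexpected third-party script"))
    return findings


def scan_rows(rows, own_hosts):
    """Apply the same check to text columns pulled from a database.

    rows: iterable of (row_id, text); returns {row_id: findings} for rows with hits.
    """
    return {rid: f for rid, text in rows if (f := suspicious_scripts(text, own_hosts))}


# Constructed page: one legitimate script, one injected tag in the listed-domain
# form the post describes, one known script name on an unlisted host, and one
# ordinary third-party script for comparison.
SAMPLE_HTML = """\
<html><head>
<script type="text/javascript" src="http://www.example.org/js/site.js"></script>
</head><body>
<h1>Product 12</h1>
<p>Some product text.</p><script src=http://www.ktrcom.com/ngg.js></script>
<p>More text.</p><script src='http://unlisted-example.com/ngg.js'></script>
<script src="http://cdn.example.net/lib.js"></script>
</body></html>
"""

if __name__ == "__main__":
    for src, reason in suspicious_scripts(SAMPLE_HTML, {"example.org"}):
        print(f"{reason:45} {src}")
```

Running it over stored page text rather than rendered pages matters here: the injection lands in database columns, so `scan_rows` over a dump of text columns shows which records were modified, while a page-level scan only shows which pages render them.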

Wednesday, 2 July 2008

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

  • adupd.mobi
  • adwste.mobi
  • bnrupdate.mobi
  • cntrl62.com
  • config73.com
  • cont67.com
  • csl24.com
  • debug73.com
  • default37.com
  • get49.net
  • pid72.com
  • pid76.net
  • web923.com

Best advice is to block access to these sites and check your logs.

Monday, 30 June 2008

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com, supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Thursday, 26 June 2008

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com. Check your logs for these.
