Asprox: deryv.ru still active

The Asprox botnet is still active but has been remarkable stable with no new domains in the past week, and 88% of the traffic going to deryv.ru.

• ctiry.ru (3%)
• deryv.ru (88%)
• mentoe.ru (4%)
• mheop.ru (3%)
• pormce.ru (2%)

Consistently, the malware code is encrypted with eval(function(p,a,c,k,e,d) presumably to avoid detection by anti-virus software. So, if you only check your logs for / block ONE Asprox domain, then deryv.ru seems to be the one to look at.

Asprox: ctiry.ru, deryv.ru, mentoe.ru, mheop.ru, pormce.ru and xenbv.ru

Another bunch of Asprox domains that have been active over the past few days are listed below. As usual, block these or check your logs for activity.

• ctiry.ru
• deryv.ru
• mentoe.ru
• mheop.ru
• pormce.ru
• xenbv.ru

Asprox: "eval(function(p,a,c,k,e,r)"

There has been a slight shift in tactics by the Asprox gang in their SQL Injection Attacks in that they are now using a packer on their javascript. This doesn't seem to be for obfuscation reasons, as the script is relatively easy to decode. Presumably it's a way to get around virus and link scanners. (Click the image below for an example)

You can decode it easily enough by adding eval=alert; to the start of the script (follow the instructions here), but never mess around with malware scripts on a vulnerable production system because it is very easy to get infected.

mnicbre.ru and vtg43.ru seem to be two active domains, although perhaps check for all the ones on this list to be safe.

Packing tools are an easy way to avoid detection.. at least temporarily. But given the prevalence
of Javascript-based malware and the ever-increasing availability of bandwidth, Javascript packing is becoming an increasingly bad practice. There have been a couple of high-profile cases where a packing tool has effectively been blacklisted by anti-virus products (here and here), so perhaps if you use Javascript extensive and use a packing tool you might want to reconsider how you deploy Javascript on your site.

Asprox: h3x.info

Briefly popping up on the Asprox SQL Injection radar yesterday was h3x.info, specifically a call to h3x.info/index.php [dangerous site, do not visit].

h3x.info doesn't fit the normal pattern, perhaps it has been rotated in as a test. What's certain is that this is a malware distribution site.. and a pretty scary one at that.

Let's look at the domain details first of all. As you might expect, they're mostly bogus:

Domain ID
D23859712-LRMS
Domain Name
H3X.INFO
Created On
19-Feb-2008 22:04:56 UTC
Last Updated On
27-Aug-2008 12:38:06 UTC
Expiration Date
19-Feb-2009 22:04:56 UTC
Sponsoring Registrar
Registrar Company, INC (R315-LRMS)
Status
OK
Registrant ID
DI_7764637
Registrant Name
Alex
Registrant Organization
Vteam
Registrant Street1
vol. str. 221-122, 12
Registrant Street2

Registrant Street3

Registrant City
Novie
Registrant State/Province
Aveiro
Registrant Postal Code
19923
Registrant Country
PT
Registrant Phone
+12.56231321
Registrant Phone Ext.

Registrant FAX

Registrant FAX Ext.

Registrant Email
cy@bk.ru

[..snip..]

Name Server
ns1.mbhost.ru
Name Server
ns2.mbhost.ru

The domain itself is on 80.90.114.13 which appears to be a general purpose server belonging to Smartlogic Ltd in Moscow. There's no evidence to connect Smartlogic to this site, other than it belongs to a customer.. overall they seem to be a pretty clean outfit.

Visiting the top level of the h3x.info site (or the index.php page) reveals a very impressive bit of obfuscated scripting (a copy is here - h3x-info.zip - ZIP password is virus). There are some recognisable references to Outlook Express, Snapshot (probably MS08-041), Apple QuickTime (take your pick), plus an infected PDF (from hxxp:||h3x.info|cache|doc.pdf) variously identified as Exploit.HTML.Agent.AO [BitDefender] and Mal/JSShell-B [Sophos] (full VirusTotal report here) but otherwise detection rates are very poor.

Looking at the WHOIS history, it's quite possible that the h3x.info domain has been hijacked, so perhaps it will be cleaned up in the future. At the moment it does seem to be an interesting repository of malware if you're a researcher.

It was only active for a short while at about 1000 UTC (1100 BST, 1200 CET) on 23rd September before reverting to the same .ru domains that have been active for a few days.

Asprox: mnbenio.ru

mnbenio.ru is a new Asprox SQL injection domain that has been active in the past 24 hours, the following four domains are the most active:

• mnbenio.ru
• mnicbre.ru
• pkseio.ru
• vtg43.ru

It does seem that the SQL injection attacks are becoming less widespread, probably partly because SQL servers are being hardened, but some vulnerable SQL servers have remained untouched by the latest round of attacks. Possibly the SQL injection gangs are concentrating on bigger fish? Like the recent attack on BusinessWeek.com perhaps?

Asprox: mnicbre.ru, pkseio.ru and vtg43.ru

The domains used in the Asprox SQL Injection attacks have been stable for a few days now, but yesterday some new .ru domains appeared: mnicbre.ru, pkseio.ru and vtg43.ru. The domains are registered through NAUNET again with the following registation details:

domain: MNICBRE.RU
type: CORPORATE
nserver: ns2.mnicbre.ru. 75.181.3.122
nserver: ns3.mnicbre.ru. 68.197.137.239
nserver: ns1.mnicbre.ru. 76.240.151.177
state: REGISTERED, DELEGATED
person: Private Person
phone: +7 772 7727091
fax-no: +7 772 7727091
e-mail: retyi1111@yahoo.com
registrar: NAUNET-REG-RIPN
created: 2008.09.16
paid-till: 2009.09.16
source: TC-RIPN

The following domains have been active over the past 24 hours. Block these or check your logs for them (new ones are in bold):

• 22net.ru
• 64asp.ru
• 92prt.ru
• acr34.ru
• asl39.ru
• fst9.ru
• mnicbre.ru
• pkseio.ru
• sel92.ru
• vtg43.ru

Asprox: net83.ru, acr34.ru, asl39.ru and net83.ru

Another bunch of very fresh Asprox domains being used in the Asprox SQL Injection attack, registered at Naunet to email address retyi111@yahoo.com. Check your logs or block access to these sites.

• 51com.ru
• acr34.ru
• asl39.ru
• net83.ru

SQL Injection: ave2.cn / %61%76%65%32%2E%63%6E

This SQL Injection attack seems to be aimed at Chinese language sites. The code injected points to http://%61%76%65%32%2E%63%6E which is trivially encoded and is a reference to ave2.cn hosted on 219.129.239.251.

ave2.cn then calls asp-18.cn, asp-12.cn and www.hxg006.cn (all hosted on 219.129.239.251).

Between them, these sites carry a VERY wide variety of exploits, including MS06-014, GLIEDown (for the Baofeng Storm StormPlayer), MS snpvw.Snapshot viewer (Outlook Express), DPClient.Vod (Xunlei Thunder DapPlayer), Flash Player and RealPlayer. There are possibly other exploits mixed in, so I would regard ave2.cn as being VERY dangerous.

Robtex reports the following domains on 219.129.239.251, all of which are probably worth avoiding:

• hs7yue.cn
• hxg008.cn
• jzm015.cn
• doups.cn
• hxg008.cn
• jzm013.cn
• jzm014.cn
• jzm015.cn
• qingfeng01.cn

Asprox: 64do.com

Possibly the final Asprox domain on the day in 64do.com - add this to your block or scan list.

Asprox: "aspx" domains

Keep an eye out for these following Asprox domains, all recently registered to the email address druid00091@aol.com. Block them or scan your logs for them.

• 24aspx.com
• 2aspx.net
• 6aspx.com
• 9aspx.net
• aspx46.com

These domains follow the same pattern as this one and this one.

Asprox: 19ssl.net

Another "druid00091@aol.com" domain (following on from this one and this one) , this type 19ssl.net, which is being actively used as part of the SQL injection attacks. The top level of this domain also has a copy of the (presumably legitimate) nescodirect.com site (this behavious is noted elsewhere).

Domain name: 19ssl.net

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.19ssl.net
ns2.19ssl.net
ns3.19ssl.net

Asprox: 24aspx.com

The latest domain name used in the recent Asprox SQL Injection attacks appears to be 24aspx.com. Perhaps the Asprox guys are boasting a little with the domain name? Certainly these SQL injection attacks still seem to serve a useful purpose for them, although the number of vulnerable servers keeps dropping. Anyway, block this one or check your logs for it.

The email addressed used to register this domain is identical to the one used for the "Luksus Jobs" scam email. No big news here, the Asprox botnet is used for a wide variety of things, it's just odd to see druid00091@aol.com come up twice in such a short period.

It's also notable that they've switched back to .com from .ru, but this time registered through Chinese registrar BIZCN.COM.

Domain name: 24aspx.com

Registrant Contact:
City22 llc
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Administrative Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Technical Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

Billing Contact:
Alex Williamos druid00091@aol.com
+1.8827721124 fax: +1.8827721124
321113 po box
New York NY 12131
us

DNS:
ns1.24aspx.com
ns2.24aspx.com
ns3.24aspx.com

Created: 2008-09-06
Expires: 2009-09-06

Asprox: jic2.ru

Another new addition to the list of Asprox domains is jic2.ru, again registered via Naunet, so block this or check your logs for access. Again, searching your logs for ".ru/script.js"will help locate suspect activity.

Asprox: 2b24.ru

These domains seem to be today's current Asprox SQL Injection domains - check for them in your logs or block them. 2b24.ru seems to be new, the rest have been around for a few days. The exploit is still using a script called script.js to run.

• 2b24.ru
• cg33.ru
• cv2e.ru
• cv32.ru
• mc2n.ru
• mj5f.ru
• oc32.ru
• vwsc.ru

Asprox: cg33.ru, cv2e.ru, cv32.ru, mc2n.ru, oc32.ru and vwsc.ru

Another bunch of Asprox SQL injection domains to block or monitor for, all quite new:

• cg33.ru
• cv2e.ru
• cv32.ru
• mc2n.ru
• oc32.ru
• vwsc.ru

Alternatively, look for .ru/script.js in your logs which should pick up most of them.

Update: here's another one - mj5f.ru

Asprox: beyry.ru, iopoe.ru, jetp6.ru, nucop.ru, port04.ru and vj64.ru

There's been a slight shift in the characteristics of the current Asprox attack. The javascript called is now script.js rather than ngg.js or js.js, and this goes to a redirect script currently pointing at /cgi-bin/index.cgi?lle on the local domain.

Active domains in this new attack seem to be as follows, new ones are in bold.

• beyry.ru
• cb3f.ru
• cnld.ru
• iopc4.ru
• iopoe.ru
• jetp6.ru
• loopk.ru
• netr2.ru
• okcd.ru
• nucop.ru
• port04.ru
• ueur3.ru
• vj64.ru

Check your logs or block these domains. Most business outside of Russia and neighbouring countries could probably block the entire .ru TLD with minimal impact. Look also for the CGI sript (/cgi-bin/index.cgi?lle) to find potentially infected client PCs.

Asprox: iopc4.ru, jetp6.ru, loopk.ru, netr2.ru and ueur3.ru

The domains used is the Asprox SQL injection attack have been stable for most of the past week, but over the last 24 hours some ne wdomains have been registed, so check your logs and/or block the following:

• iopc4.ru
• jetp6.ru
• loopk.ru
• netr2.ru
• ueur3.ru

It is likely that some more will turn up during the course of the day.

Another SQL injection domain: mo98g.cn

I mentioned some days ago that there seems to be a parallel SQL injection attack to Asprox with all the hallmarks of being Chinese. Over the past day or so, mo98g.cn has appeared on some infected sites (often alongside Asprox) making a call to mo98g.cn/q.js which is hosted on 222.122.128.5 in South Korea.

The back end seems not to be working at present, so maybe the server has been cleaned up. In any case, this is another domain to block or check your logs for.

Asprox: ujnc.ru

Just a single new Asprox domain to list this morning: ujnc.ru which is still using the js.js redirector, i.e. www.ujnc.ru/js.js. All the domains from the past two days are still active too.

Asprox: 3njx.ru, cb3f.ru, cnld.ru, nbh3.ru and okcd.ru

Some more Asprox domains to block or look for in your logs:

• 3njx.ru
• cb3f.ru
• cnld.ru
• nbh3.ru
• okcd.ru

Renewed Asprox activity: bcus2.ru, jkn3.ru, juc8.ru and locm.ru

After a quiet few days, Asprox seems to have flared up again (at about 1000 CET) with a new set of malware domains, still launching from a SQL injected js.js file on compromised hosts. Keep an eye out for these domains or block them.

These domains are all very recently registered through naunet.ru, there are probably many more on the way soon.

• bcus2.ru
• jkn3.ru
• juc8.ru
• locm.ru

All quiet on the Asprox front?

For the moment the Asprox SQL injection attacks seem to have stopped, although infected sites are still infected and need to be secured as soon as possible.

So, does this mean that the bad guys have given up? Well, no.. but there are probably thousands of sites out there which are still infected, so from that point of view they will still be getting "hits" to their malware sites.

Perhaps the answer is this - the people behind the SQL injection attacks are doing something else. Two very newsworthy events happening over the past few days have been the war in Georgia and the Beijing Olympics. Dancho Danchev reports that the RBN have been actively involved in attacking Georgian sites, including using SQL injection attacks. F-Secure report that Chinese sites have been attacked since the run-up to the Olympics started.

It might well be that these Asprox attacks will be quiet for a couple of weeks, but it is likely that general SQL injection attacks will ramp up again soon.

ISC: "More SQL Injections - very active right now"

The Internet Storm Center has published technical details on the Chinese-based SQL injection attack which may be of interest to SQL administrators and programmers and also security specialists. It also flags up another javascript file to look for: csrss/w.js

Keep an eye out for log activity pointing to this file. Blocking the entire .cn TLD will probably do very little harm for most businesses.

Asprox: block 91.203.93.4 and js.js

A shift in behaviour from the Asprox botnet - this time all traffic from infected sites is being redirected through a fixed IP at 91.203.93.4. Blocking 91.203.93.0/24 will probably do no harm.

Also, the name of the javascript file has changed to js.js, so look for this in your logs.

The Silent Noise blog is tracking Asprox domains too, with some interesting developments that we haven't had the chance to dig deeper into.

Asprox domains: 5/8/08

Current Asprox domains to look for in your blogs or block. These have all been active for 3 or 4 days now, which is an unusually long time for this current SQL injection attack.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

• b4so.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• gty5.ru
• iroe.ru
• jve4.ru
• kj5s.ru
• kjwd.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• njep.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

• bs04.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

• bce8.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• pfd2.ru
• po4c.ru

One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.

• jve4.ru
• nmr43.ru
• po4c.ru

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

• cgt4.ru
• kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

• 4cnw.ru
• 4vrs.ru
• 5kc3.ru
• 90mc.ru
• 9jsr.ru
• bts5.ru
• chds.ru
• cvsr.ru
• d5sg.ru
• ecx2.ru
• gb53.ru
• h23f.ru
• jex5.ru
• jvke.ru
• keec.ru
• keje.ru
• kgj3.ru
• lkc2.ru
• lksr.ru

For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

• adwnetw.com
• adpzo.com
• ausbnr.com
• brcporb.ru
• btoperc.ru
• cdport.eu
• cdrpoex.com
• gbradde.tk
• grtsel.ru
• korfd.ru
• movaddw.com
• tctcow.com
• usabnr.com

ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

• adpzo.com
• adwnetw.com
• ausbnr.com
• bkpadd.mobi
• butdrv.com
• cdport.eu
• cdrpoex.com
• cliprts.com
• gbradde.tk
• gbradp.com
• gitporg.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
• tctcow.com
• tertad.mobi
• usabnr.com

These are still using ngg.js in the injected code.

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• crtbond.com
• destad.mobi
  
• destbnp.com
• drvadw.com
• gbradw.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
  
• tertad.mobi
  
• usaadw.com
• usabnr.com

No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

• bkpadd.mobi
• tctcow.com

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• cliprts.com
• crtbond.com
• destbnp.com
• drvadw.com
• gbradp.com
• gbradw.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• tctcow.com
• usaadp.com
• usaadw.com
• usabnr.com

Who are Vivids Media GmbH?

If you have been tracking the latest round of SQL Injection domains, then you might be familiar with the name Vivids Media GMBH as being the current registrar of choice.

The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:

Name: Vivids Media GmbH
Email Address: support@klikdomains.com
Address: Leege-Gr str. 41
City: Berlin
Zip: 13055
Country : Germany
Tel No.: +49.3094413291

That indicates that Vivid Media GmbH is related to klikdomains.com and therefore klikvip.com which are part of another company that claims to be in Berlin, Klik Media GmbH (some of the alleged goings on of this company are mentioned here). A short step away from Klik are a whole set of domains registered via Estdomains (a familiar name to many) and things start to get seedy from there.

There's no evidence that Vivid Media GmbH is directly invovled in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.

The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.

Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.

So the answer to the question "who are Vivids Media GmbH?" is "I don't know" but for most practical puporses you wouldn't need to deal with them if complaining about one of these domains, go to the registrar and report it there.

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

• adbtch.com
• aladbnr.com
• allocbn.mobi
• adwadb.mobi
• apidad.com
• appdad.com
• asodbr.com
• asslad.com
• blcadw.com
• blockkd.com
• bnradd.mobi
• bnrbase.com
• bnrbasead.com
• bnrbtch.com
• browsad.com
• brsadd.com
• canclvr.com
• catdbw.mobi
• clrbbd.com
• dbgbron.com
• ktrcom.com
• loctenv.com
• lokriet.com
• mainadt.com
• mainbvd.com
• portadrd.com
• portwbr.com
• stiwdd.com
• ucomddv.com
• upcomd.com

If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

• adwadb.mobi
• allocbn.mobi
• canclvr.com
• catdbw.mobi
• ktrcom.com
• lokriet.com
• mainbvd.com
• portwbr.com
• stiwdd.com
• testwvr.com
  
• upcomd.com
• ucomddv.com
  

The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

• adupd.mobi
• adwste.mobi
• bnrupdate.mobi
• cntrl62.com
• config73.com
• cont67.com
• csl24.com
• debug73.com
• default37.com
• get49.net
• pid72.com
• pid76.net
• web923.com

Best advice to to block access to these sites and check your logs.

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Asprox: list of domains and mitigation steps

The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,

ISC: SQL Injection mitigation in ASP

If you're trying to secure your SQL server against the latest round of injection attacks, then check out this item from the Internet Storm Center, which gives some pointers on how to secure you database with ASP.

It probably makes much more sense to an SQL development than to me.. but the important point is that just cleaning up the injection attack is not enough - you also need to prevent it from happening again by securing your SQL server. And I'm afraid that probably involves spending some time and money..

SQL Injection: bnradw.com

Another SQL Injection domain to block or watch out for in your logs - bnradw.com.

Other than that, the bad guys seem to have been quiet for a couple of days, however it does look like they've managed to exploit 3 million or so pages (according to Yahoo!) so it could just be that they are very busy.

List of SQL Injection domains

My postings here about SQL injected domains are a bit ad-hoc, but Shadowserver also have a pretty up-to-date list if you're looking at blocking them.

Quite a lot of these domains are .cn (China). You might want to consider completely blocking access to .cn, but if you only have basic filtering then you might find yourself blocking things like www.cnn.com too (that took some diagnosing followed by a "d'oh!).

SQL injection: pingadw.com, alzhead.com, pingbnr.com, coldwop.com, adwbnr.com, bnrcntrl.com, chinabnr.com

More SQL Injection domains, this time pingadw.com, alzhead.com