Attackers have been automating SQL injection attacks for a number of years, but in a fairly new twist, a botnet masquerading as a Firefox browser add-on is carrying out attacks on sites visited by compromised computers.
Krebs on Security reported today that the Advanced Power botnet has been operational since May and has infected 12,500 victims and targeted close to 2,000 websites.
Alex Holden, CEO of Hold Security LLC, who assisted blogger Brian Krebs with the investigation, told Threatpost this is the first time he’s seen a botnet automate SQL injection attacks; other known infections have automated searches for vulnerable websites, for example.
“We don’t have any evidence of actual theft. All these guys are doing through the botnet is finding SQL vulnerabilities,” Holden said. “I would assume the bad guys are looking at logs and figuring out which sites are vulnerable versus false positives, and they go through this and exploit the sites themselves.”
Holden and Krebs are unsure how victims are initially compromised, but the bots are spread via a phony add-on called Microsoft .NET Framework Assistant, which is very different from a legitimate add-on of the same name.
Krebs wrote that the malware uses compromised Windows machines as a scanning platform for websites vulnerable to SQL injection attacks. The botnet automates this probing, which is generally a time-consuming manual process. Holden said that a penetration tester, for example, would normally test the open variables on a website with any number of benign SQL statements, something this botnet is doing on a much larger scale.
“SQL statements by themselves to a normal application would look like garbage. However if they get interpreted by a SQL server, we can see some of the results coming back,” Holden said in explaining the process. “The key for programmers is to never allow end users to interact directly with the SQL server. That’s the problem with SQL injection because once you can interact with the SQL server you can ask anything the server has to come back to you.”
In this case, Holden said, the attackers have programmed in a SQL command that asks for a five-second delay before returning data.
“For the bad guy, it is an indicator,” Holden said. “Because it’s structured for SQL injection, it would introduce the right input and output. If you see a five-second delay, the bad guys know the SQL server is executing the command and not the application itself.”
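One way a site operator could look for this kind of delay-based probing in web server logs, as an added example that is not from the article or the investigation. The log format, the sample lines, and the delay keywords (common SQL dialect delay functions, not the botnet's actual statement, which the article does not give) are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Constructed sample access log (assumed format): METHOD URL STATUS SECONDS
SAMPLE_LOG = """\
GET /item?id=42 200 0.112
GET /item?id=42%27%20AND%20SLEEP(5)--%20 200 5.131
GET /search?q=sleep+apnea+treatment 200 0.340
GET /news?cat=3%3BWAITFOR%20DELAY%20%270%3A0%3A5%27-- 500 0.087
GET /report?year=2013 200 6.902
GET /p?id=1%20AND%20pg_sleep(5) 200 0.095
"""

# Delay functions of common SQL dialects; each pattern captures the seconds requested.
DELAY_PATTERNS = [
    re.compile(r"\b(?:pg_)?sleep\s*\(\s*(\d+)", re.I),        # SLEEP(n), pg_sleep(n)
    re.compile(r"\bwaitfor\s+delay\s+'\d+:\d+:(\d+)", re.I),  # WAITFOR DELAY 'h:m:s'
]

def classify(line):
    """Return (verdict, path) for one log line in the assumed format."""
    _method, url, _status, elapsed = line.split()
    parts = urlsplit(url)
    query = unquote_plus(parts.query)  # decode %xx and '+' before matching
    for pattern in DELAY_PATTERNS:
        match = pattern.search(query)
        if match:
            asked = int(match.group(1))
            # A response at least as slow as the requested delay suggests the
            # database ran the injected statement, so the parameter needs fixing.
            executed = asked > 0 and float(elapsed) >= asked
            return ("probe-executed" if executed else "probe-attempt"), parts.path
    # Slow responses without a delay function in the input are not flagged.
    return "clean", parts.path

def triage(log_text):
    """Group the paths of probed endpoints by verdict."""
    findings = {}
    for line in log_text.strip().splitlines():
        verdict, path = classify(line)
        if verdict != "clean":
            findings.setdefault(verdict, []).append(path)
    return findings

if __name__ == "__main__":
    for verdict, paths in triage(SAMPLE_LOG).items():
        print(verdict, paths)
```

Endpoints reported as `probe-executed` are the ones to fix first, by moving the affected query to parameterized statements so user input never reaches the SQL server as code.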
Holden said the 1,800 sites vulnerable to SQL injection found by the botnet don’t have a typical profile, and range in size and focus. As visitors infected with the add-on malware surf from site to site, the malware conducts tests in the background to determine if there is an exploitable vulnerability present. Krebs also said that there is a password-grabber in the malicious code, but it has not been activated. The malware, he added, has been analyzed by malwr and VirusTotal.
“Ultimately the bad guys have a road map,” Holden said. “Instead of scanning the whole Internet, they have 1,800 targets presented to them in an easy way.”