Asprox botnet now equipped with SQL injection tool
SecureWorks reports that the Asprox botnet is being updated with a binary called msscntr32.exe. This turns out to be an automated SQL injection tool. Masquerading as a "Microsoft Security Center Extension", the tool searches Google for flaws in .asp pages and injects an iframe into the pages that forces visitors to download malicious JavaScript from direct84.com, a domain with a very questionable Whois record registered on May 7, 2008, containing the details:
Name: norman
Company: zevs
Address: gellion 13-13
City: Error
State: 3562
Country: AU
Zip: 123456
Tel No: 749 7983456
Fax No:
Email: zevsanet@gmail.com
which, however, genuinely appears to have been registered from Australia, as "gellion" is a little-known street name in Roxburgh Park, Melbourne.
The link ultimately redirects to a server that, according to the report, attempts to propagate Danmec, Asprox and the SQL injection tool. SecureWorks noted that only Asprox is capable of propagating the malware. The target server was down when tested by SecureWorks.
(mba)
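A defender-side check for the injected markup described above, as an added example that is not from SecureWorks or the original article: it scans page content for iframe or script tags whose src resolves to direct84.com or a subdomain. The sample page, the helper names and the URL paths in it are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domain named in the article; extend with your own blocklist entries.
BAD_DOMAINS = {"direct84.com"}

# Constructed sample: a page whose database-backed cells were tampered with.
SAMPLE_PAGE = """<html><body>
<h1>Product list</h1>
<td>Widget<iframe src="http://www.direct84.com/" width="0" height="0"></iframe></td>
<script src="/js/site.js"></script>
<iframe src="https://maps.example.org/embed"></iframe>
<td>Gadget<script src=//DIRECT84.com/constructed.js></script></td>
</body></html>"""


class InjectedTagFinder(HTMLParser):
    """Collects iframe/script tags whose src points at a blocklisted host."""

    def __init__(self, bad_domains):
        super().__init__(convert_charrefs=True)
        self.bad_domains = {d.lower() for d in bad_domains}
        self.hits = []  # (line number, tag name, src value)

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        try:
            # urlsplit also resolves protocol-relative "//host/path" URLs.
            host = (urlsplit(src.strip()).hostname or "").rstrip(".")
        except ValueError:
            return  # malformed URL, no host to compare
        # Match the domain itself or any subdomain, not look-alike suffixes.
        if any(host == d or host.endswith("." + d) for d in self.bad_domains):
            self.hits.append((self.getpos()[0], tag, src))


def find_injected_tags(html, bad_domains=BAD_DOMAINS):
    """Return (line, tag, src) for every blocklisted iframe/script in html."""
    finder = InjectedTagFinder(bad_domains)
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for line, tag, src in find_injected_tags(SAMPLE_PAGE):
        print(f"line {line}: <{tag}> loads {src}")
```

Run the same function over rendered pages and over text columns exported from the site's database, since a SQL injection of this kind alters the stored content rather than the .asp files themselves.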