Wednesday, June 30, 2010

From Russia with love - asprox

Tonight I found in my RSS reader that a large number of websites (some very popular ones in Belgium) are infected with ru/js.js.

It appears that this comes from a trojan called Asprox. Originally it spread through spam sent by the Pushdo botnet, but the attack vector seems to have changed.

The new attack vector is SQL injection. Rondel Mendez wrote an excellent piece about it for M86 Security that explains what the malware does.

The syscolumns xtypes it abuses are 35 (text), 99 (ntext), 167 (varchar) and 231 (sysname). As you can see, all of these can hold a string, which in this case is a URL pointing to the botnet.

How to solve this? Simple: fix your code, never trust user input, normalize it and check whether the values are acceptable.
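Two things a site owner wants at this point: a way to find which string columns have been tainted with the injected script tag, and a concrete picture of what "fix your code" means. The following is an added example, not code from the post or from M86; it uses an in-memory SQLite database (constructed sample data, with an obviously fake `example.invalid` marker in place of the real URL) because that runs offline. On SQL Server the same column enumeration would read `syscolumns.xtype` for the types listed above instead of `PRAGMA table_info`.

```python
import re
import sqlite3

# Constructed marker standing in for the injected tag; not the real URL.
INJECTED_TAG = '<script src="http://example.invalid/ru/js.js"></script>'

# Declared types that can hold a string, the analogue of xtype 35/99/167/231.
TEXT_TYPES = {"TEXT", "VARCHAR", "NVARCHAR", "CHAR", "NCHAR", "CLOB"}

# Allow-list for a product-name lookup field (assumed shape for this example).
NAME_RE = re.compile(r"^[A-Za-z0-9 '\-]{1,64}$")


def build_sample_db():
    """Constructed sample schema with a couple of tainted string cells."""
    conn = sqlite3.connect(":memory:")
    cur = conn.cursor()
    cur.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT,"
                " description TEXT, price REAL)")
    cur.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    cur.executemany("INSERT INTO products (name, description, price) VALUES (?, ?, ?)", [
        ("Router", "Home router" + INJECTED_TAG, 49.99),
        ("Switch", "8-port switch", 29.99),
    ])
    cur.executemany("INSERT INTO comments (author, body) VALUES (?, ?)", [
        ("alice", "Works fine"),
        ("bob" + INJECTED_TAG, "Broken on arrival" + INJECTED_TAG),
    ])
    conn.commit()
    return conn


def text_columns(conn):
    """Yield (table, column) for every string-typed column in the schema.
    Identifiers come from the catalog, never from user input."""
    tables = [r[0] for r in conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table'")]
    for table in tables:
        for _cid, col, decl_type, *_rest in conn.execute(f'PRAGMA table_info("{table}")'):
            if decl_type.split("(")[0].upper() in TEXT_TYPES:
                yield table, col


def find_tainted_rows(conn, marker="<script"):
    """Return [(table, column, rowid)] for every cell containing the marker.
    The marker itself is bound as a parameter, so scanning cannot inject."""
    hits = []
    for table, col in text_columns(conn):
        sql = f'SELECT rowid FROM "{table}" WHERE "{col}" LIKE ?'
        for (rowid,) in conn.execute(sql, (f"%{marker}%",)):
            hits.append((table, col, rowid))
    return hits


def lookup_vulnerable(conn, name):
    """The bug: user input is spliced into the SQL text, so a quote in the
    input changes the structure of the statement."""
    sql = f"SELECT id, price FROM products WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def concat_query_fails(conn, name):
    """True when the concatenated query cannot even be parsed for this input,
    which is the symptom that reveals the injection point."""
    try:
        lookup_vulnerable(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


def is_acceptable(name):
    """Normalize, then check the value against the allow-list for the field."""
    return NAME_RE.fullmatch(name.strip()) is not None


def lookup_safe(conn, name):
    """The fix: validate the input's shape, then bind it as a parameter so the
    driver never interprets it as SQL."""
    if not is_acceptable(name):
        raise ValueError("rejected input")
    return conn.execute("SELECT id, price FROM products WHERE name = ?",
                        (name.strip(),)).fetchall()


if __name__ == "__main__":
    db = build_sample_db()
    for hit in find_tainted_rows(db):
        print("tainted:", hit)
    print("concatenated query breaks on O'Brien:", concat_query_fails(db, "O'Brien"))
    print("parameterized query on O'Brien:", lookup_safe(db, "O'Brien"))
```

The scanner is the clean-up check: it walks only string-typed columns, the same set the mass-injection payload writes to, and reports each tainted cell by table, column and rowid so it can be repaired rather than guessed at. The two lookups show why concatenation is the root cause: a legitimate apostrophe already breaks the vulnerable query, while the parameterized one treats the same input as plain data.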
