Malware Booming 2008 - Now From China

asprox spreading

While at last year malware came mostly from Rusia, this year most malware hosted on Chinese websites. Probably this because China's economy getting a lot better this year which increase computer owners. And now, not only untrusted sites that can give danger to your computer, but also trusted ones.

The most common intrusion is iframe SQL Injection that had infected up to 50.000 websites according to US-CERT and McAffee Avert Labs.Sophos detected 16,173 malicious webpages generated everyday in the first half of year 2008, which means one malware injected every five seconds. This rate is three times bigger than last year. Worst than that, these websites are legit, which usually we visit without aware such as news website, education, friend's blog, to government websites.

How The Malware Works

The cracker usually program Asprox toolkit to search Google for vulnerable php or asp webpages. Asprox itself isn't a virus, it is a tool designed to make automated processes in hidden proxy. Once Asprox identified vulnerable websites, it will launch SQL Injection that set iFrame with malicious java script. By taking advantage of ActiveX control, this script will download a trojan horse varian without user consent, which the last version is named TROJ_AGENT_KAQ by TrendMicro or JS/Downloader.Agent by AVG Security Toolbar.

When your computer is unused, this trojan horse did nothing. But when Internet Explorer launched and making POST request with password field (example, entering internet banking account), this trojan will take your password and send it to a server in China. Last time the server recognized as 51.188.39.175 port 2034. This trojan horse only take a password if there is tag input type="password".

Money Farm for some Chinese?

SANS Internet Center discover the tool one of the malware host website. This tool is written in Chinese and running a script named pay.asp and asking a serial number for verification. SANS suspect the attackers acquire money from their actions. Moreover, China servers used for all attacks, same SQL Injection and CAST statement used, most contact info of malware host websites is ji nan shi hua yuan lu 189 hao li xia yuan jian yuan 2 jia 2 ceng. and the last trojan selectively ignores browsers from Russia, Ukraine, China, Korea, Vietnam and India.


Exploit Module finding vulnerable .asp from Google

Solution
Don't use a browser that have ActiveX feature is a must, even better if you block java script with a program or latest version of Mozilla Firefox.

For webmaster, use IDS (Intrusion Detection System) to check if statement CAST which similar with "DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST" executed in webserver. Webmaster also should repair and update SQL vector to avoid another attack. Use API data to prevent usage of dynamic SQL, which still insecure.

Although Amethyst Orchard hasn't try it, http://infosec20.blogspot.com/ provide ASPROX toolkit for cleaning database and URL scan.

©Amethyst Orchard 2004 - 2009.