Author: Joe Stewart
Date: May 13, 2008

Danmec is a password-stealing trojan which has been around for a couple of years, but in the last year new components have been introduced by the author, turning it into a more complete crimeware family. One of these components (developed last year) is the Asprox trojan, which is designed to create a spam botnet which appears to be solely dedicated to sending phishing emails. As of yesterday, we observed the Asprox botnet pushing an update to the infected systems, a binary with the filename msscntr32.exe. The executable is installed as a system service with the name "Microsoft Security Center Extension", but in reality it is a SQL-injection attack tool.

When launched, the attack tool searches Google for .asp pages containing various terms and then launches SQL injection attacks against the websites returned by the search. The attack is designed to inject an iframe into the website source which forces visitors to download a JavaScript file from the domain direct84.com. This file in turn redirects to another site hosting additional malicious JavaScript. At present the secondary site appears to be down; when it is reachable, it most likely attempts to exploit the visitor's web browser in order to install additional copies of Danmec, Asprox and/or the SQL attack tool.

Because the tool is distributed by the botnet, it may appear worm-like in its operation, which may lead to conflicting reports in the media and blogs about the true nature of the attack. However, the SQL attack tool does not spread on its own; it relies on the Asprox botnet to propagate to new hosts. Additionally, a similar attack technique is currently being used to spread game-password-stealing trojans from China. Whether the tools are related or merely share attack syntax, it is clear that SQL injection attack activity is on the rise from multiple sources.

The initial HTTP requests used by the msscntr32.exe attack tool will appear similar to the following. The hex literal passed to CAST() is truncated in this excerpt; because the target type is NVARCHAR, SQL Server reads it as UTF-16LE, and the visible prefix decodes to DECLARE @T varchar(255),@C varchar(255) DECLARE, the beginning of the real injected statement. Keyword filters that look only at the plain-text part of the query see nothing beyond the DECLARE/SET/CAST wrapper:

GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x4400450043004C0041005200450020004000540020007600610072006300680061007200280032003500350029002C0040004300200076006100720063006800610072002800320035003500290020004400450043004C00410052004500200 HTTP/1.1
Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1
Accept-Language: en-gb
Accept-Encoding: deflate
User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 Firefox/1.5.0 Opera 9.25
Host: www.example.com
Connection: Close

Note the presence of both Firefox and Opera product tokens in the User-Agent string. Blocking on it could be an effective short-term measure, since User-Agent ACLs are built into most modern web servers. However, the string is not likely to stay constant, and it is not unique to the tool: Opera 9 emits the same form when its "Identify as Firefox" setting is enabled, so such a rule would also turn away those legitimate users.
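The following Python script is an added example, not code from this post or from the msscntr32.exe tool. It reconstructs the request quoted above (the hex literal exactly as printed, still truncated), URL-decodes the query, pulls the hex out of CAST(0x...), decodes it the way SQL Server would for an NVARCHAR (UTF-16LE) or VARCHAR (single-byte) target, and applies both indicators discussed here: a stacked DECLARE/CAST statement in the query string and a User-Agent carrying both Firefox and Opera tokens. The benign control request is constructed for the example.

```python
"""Decode and flag Asprox-style SQL injection requests.

Added example: not code from the SecureWorks post or from the attack tool.
SAMPLE_REQUEST is reconstructed from the fragment quoted in the post;
BENIGN_REQUEST is a constructed control.
"""
import re
from urllib.parse import unquote

# Hex literal exactly as printed in the post (still truncated there), with
# the line wraps removed.  The target type is NVARCHAR, so it is UTF-16LE.
TRUNCATED_HEX = (
    "4400450043004C004100520045002000400054002000760061007200630"
    "0680061007200280032003500350029002C00400043002000760061007200630068006"
    "10072002800320035003500290020004400450043004C00410052004500200"
)

SAMPLE_HEADERS = (
    "Accept: text/html, application/xml;q=0.9, application/xhtml+xml, */*;q=0.1\r\n"
    "Accept-Language: en-gb\r\n"
    "Accept-Encoding: deflate\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; U; en; rv:1.8.0) Gecko/20060728 "
    "Firefox/1.5.0 Opera 9.25\r\n"
    "Host: www.example.com\r\n"
    "Connection: Close\r\n"
    "\r\n"
)

SAMPLE_REQUEST = (
    "GET /page.asp?id=425;DECLARE%20@S%20NVARCHAR(4000);SET%20@S=CAST(0x"
    + TRUNCATED_HEX
    + " HTTP/1.1\r\n"
    + SAMPLE_HEADERS
)

# Constructed control: same page, ordinary parameter, single-browser UA.
BENIGN_REQUEST = (
    "GET /page.asp?id=425 HTTP/1.1\r\n"
    "User-Agent: Mozilla/5.0 (Windows NT 5.1; en-GB; rv:1.8.1.14) "
    "Gecko/20080404 Firefox/2.0.0.14\r\n"
    "Host: www.example.com\r\n"
    "\r\n"
)

# A second statement stacked after the legitimate parameter value.
STACKED_DECLARE = re.compile(r";\s*DECLARE\s+@\w+\s+N?VARCHAR\s*\(", re.I)
# The hex blob handed to CAST(); digits only, so a truncated literal still matches.
HEX_LITERAL = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)", re.I)


def decode_sql_hex(hexstr):
    """Decode a 0x... literal into the SQL text it hides.

    SQL Server reads CAST(0x.. AS NVARCHAR) as UTF-16LE and CAST(0x.. AS
    VARCHAR) as single-byte text.  UTF-16LE is chosen when every odd byte is
    NUL, which is what ASCII SQL looks like in that encoding.  A trailing odd
    nibble (a truncated capture, as in the post) is dropped, and a dangling
    final byte decodes to U+FFFD instead of raising.
    """
    if len(hexstr) % 2:
        hexstr = hexstr[:-1]
    raw = bytes.fromhex(hexstr)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def parse_request(raw):
    """Split a raw HTTP request into (method, target, headers)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, _, rest = lines[0].partition(" ")
    target, _, _version = rest.rpartition(" ")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def analyze_request(raw):
    """Return the indicators found in one request as a dict."""
    _method, target, headers = parse_request(raw)
    query = unquote(target.partition("?")[2])
    ua = headers.get("user-agent", "")
    return {
        "stacked_declare": bool(STACKED_DECLARE.search(query)),
        "decoded_payloads": [decode_sql_hex(h) for h in HEX_LITERAL.findall(query)],
        # What the post observed; note Opera 9's "Identify as Firefox" mode
        # sends the same shape, so this indicator alone is not proof of the tool.
        "ua_firefox_and_opera": "Firefox/" in ua and "Opera" in ua,
    }


if __name__ == "__main__":
    for label, req in (("asprox", SAMPLE_REQUEST), ("benign", BENIGN_REQUEST)):
        print(label, analyze_request(req))
```

Run stand-alone, the script reports the stacked DECLARE, the decoded payload prefix and the mixed User-Agent for the reconstructed request, and nothing for the control. The stacked-statement check is the durable one; the hex decode is what lets an analyst read the real payload out of a web log, and the User-Agent test should be treated as corroboration only.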

VirusTotal shows sparse detection by AV vendors at this time, but detection should improve in the coming days.

The following Snort signatures could be used to detect spam coming into an MTA from an Asprox bot. The first rule sets a flowbit when a short packet (dsize:<80) carries a Message-ID header and the second alerts when, on that same flow, a From: header is followed within 150 bytes by a Bcc: header. Note that dsize is evaluated against the raw packet payload and, per the Snort manual, does not match on stream-rebuilt packets, so the first rule depends on the bot sending the Message-ID line in its own small segment:

alert tcp any any -> any 25 (msg:"Asprox-style Message ID"; flags:A+; dsize:<80; content:"Message-ID|3a20|"; depth:12; content:"|0d0a|"; within:68; flowbits:set,asproxmessageid; flowbits:noalert; reference:url,www.secureworks.com/research/threats/danmecasprox; sid:1001290; rev:1;)

alert tcp any any -> any 25 (msg:"Asprox phishing email detected"; flags:A+; content:"From|3a20|"; depth:6; content:"|0d0a|Bcc|3a20|"; within:150; flowbits:isset,asproxmessageid; reference:url,www.secureworks.com/research/threats/danmecasprox; sid:1001291; rev:1;)