Comments on: New Botnet Malware Spreading SQL Injection Attack Tool

By: Bogwitch

Bogwitch — Tue, 20 May 2008 19:05:34 +0000

1337ullus,

Thanks for clarifying that for me. interesting problem.

By: 1337ullus

1337ullus — Tue, 20 May 2008 16:48:21 +0000

@Bogwitch
No bug to patch in the FTP issue, here is the story:

Afaik, our customers got infected. The botnet agent either sniff ftp user/pass from network or use well known ftp client config file (filezilla), and send the FTP account to the botnet.

The botnet then connect with the stolen FTP account and modify specific files (index, js, …) to inject javascripts (trojan downloader).

New customers get infected while browsing infected websites and botnet life goes on.

I agree that solution to FTP problem is not to use FTP anymore.
BUT we got thousands customers accustomed to use FTP with their favorite FTP Client. Then MS secured ftp is … inexistant.
Also we did change FTP user/pass, but it’s useless as long as customers are infected.

We also setted blacklists on attackers ip classes, but as fast as it goes, we’ll be blacklisting the whole internet next week.

The FTP authpf bridge was setted up last week, then the SQL Injection attack stroke. I’ll give you stats of my bridge later.

By: Jinesh

Jinesh — Mon, 19 May 2008 13:42:21 +0000

These botnets are scarry. One which i had on my machine used to upload files on torrent. weird huh!!!

By: Bogwitch

Bogwitch — Mon, 19 May 2008 11:54:59 +0000

@1337ullus,

“We’ve been and are still beeing attacked by Storm, that is (re)injecting ftp sites every friday or so.”

I have to ask, how is Storm (re)injecting your ftp sites? It suggest to me that you may have patch issues that need to be resolved. As for your authpf bridge, is that not a kludge?

Please correct me if I am wrong!

By: 1337ullus

1337ullus — Mon, 19 May 2008 09:02:51 +0000

Look like the injection code use an open source librairy from http://www.indyproject.org/.

Last week-end attack queries contained : “User-agent: Mozilla/3.0 (compatible; Indy Library).”

By: zupakomputer

zupakomputer — Fri, 16 May 2008 16:05:50 +0000

That’s what happens though, when anything gets complicated (like webpage coding, and database coding) then it becomes a haven for being able to hide all kinds of activity in.

And personally, I really think that the over-complicated coding is pushed for exactly those reasons. Same way they do that in the law and in any kinds of bureacracies, it’s ordered in such a way that no-one can ever know all of it, and there’s loads of avenues to exploit things through.

Keep things simple and straightforward, and it’s easy to see who’s doing what and where they are doing it.

By: 1337ullus

1337ullus — Fri, 16 May 2008 07:13:26 +0000

Actually, it’s real pain to get protected against the botnets. We’ve been and are still beeing attacked by Storm, that is (re)injecting ftp sites every friday or so. The sql injection ome stroke once on may 1st..

We built an authpf bridge that let you ftp in only if you connected your website first. Hope it’ll stop Storm for a while.
As for the sql injections, we had to fix a lot of scripts…

I wonder if there are dnsbl that report botnet infected hosts ..

By: eM3rC

eM3rC — Fri, 16 May 2008 00:01:33 +0000

When I first found out about botnets I though it was an amazing concept.

Not that their being used to distribute files a whole new market of exploiting has just opened. I wonder what the next step is.