An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.
The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.
SQL injection attacks exploit Web applications that build database queries by splicing untrusted input, such as form fields or URL parameters, directly into SQL text instead of passing it as bound parameters. An attacker who can change the query's logic this way gains access to the database behind the public-facing Web server, and can use that access to booby-trap pages with drive-by malware attacks, or force sites to cough up information stored in their databases.
Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.
The malicious code comes from sources referenced in this Malwr writeup and this Virustotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser plugin called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then tests nearly every page the infected user visits for the presence of several different SQL injection vulnerabilities.
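The following is an added example, not code from the article or from the botnet, illustrating the two points above: why string-built queries are injectable and how a scanner such as the bogus add-on recognizes an injectable page without ever seeing the server's code. It uses an in-memory SQLite database with a constructed users table; the function names and the two probe payloads (a lone quote to trigger a database error, and the classic `' OR '1'='1` to alter the query's logic) are assumptions for illustration.

```python
import sqlite3

# Constructed sample data standing in for a site's user table.
SAMPLE_USERS = [("alice", "s3cret"), ("bob", "hunter2"), ("carol", "letmein")]


def make_db():
    """Create an in-memory SQLite database holding the constructed users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn, username, password):
    """Builds the query by string concatenation: the flaw SQL injection exploits.
    Returns the usernames the query matched."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query)]


def login_safe(conn, username, password):
    """Same query with bound parameters: the input is always data, never SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password))]


def probe_for_sqli(conn, login_fn):
    """Mimics what an injection scanner does to a login form it knows nothing about.

    Probe 1: a lone quote. If the input lands inside SQL text it breaks the
             quoting and the database raises a syntax error, which a scanner
             detects as an error page.
    Probe 2: a payload that rewrites the WHERE clause so it is true for every row.
    Returns (error_seen, rows_returned); (True, 3) means injectable here.
    """
    try:
        login_fn(conn, "'", "x")
        error_seen = False
    except sqlite3.OperationalError:
        error_seen = True
    rows = login_fn(conn, "' OR '1'='1", "' OR '1'='1")
    return error_seen, len(rows)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", probe_for_sqli(db, login_vulnerable))  # (True, 3)
    print("safe:      ", probe_for_sqli(db, login_safe))        # (False, 0)
```

Against the concatenated query the first probe produces a database error and the second returns every row, which is exactly the pair of signals an automated scanner keys on; against the parameterized query both payloads are treated as literal (and nonexistent) usernames, so neither signal appears.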
Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.
“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”
Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.
SQL injections are some of the most common Web site attacks partly because these vulnerabilities are extremely widespread. According to a report (PDF) released earlier this year from Web site security firm Imperva (full disclosure: Imperva is an advertiser on this site), while most Web applications receive four or more attack campaigns each month, some Websites are constantly under attack — particularly Web apps at retail sites.
Botnets like this one are a great and classic example of how compromised systems are nearly always used to chip away at the defenses of others online. Interestingly, there is a legitimate add-on for Firefox that can help passively detect SQL injection vulnerabilities on sites you visit. Site owners looking for a free tool to scan their sites for SQL vulnerabilities should check out SQLmap, an open source penetration testing tool.
Update, 6:17 p.m. ET: Mozilla has issued a statement saying that it has “disabled the fraudulent Microsoft .NET Framework Assistant add-on used by the Advanced Power botnet,” by adding the bogus add-on to its block list. Mozilla said Firefox gets a message during a check for blocked add-ons once a day — while the browser is running — and that the block does not require any user actions to take effect.