
ads-t.ru/ads.js SQL injection attack

Posted by admin on October 7, 2009

Article from: GarWarner
The ASProx botnet is back to its old trick of attacking vulnerable ASP pages on IIS servers, adding a malicious JavaScript link to legitimate webpages by manipulating the underlying Microsoft SQL Server databases.

The main site hosting the malicious code right now is “ads-t.ru”. Sites that have been hacked by this attack tool will contain a tag that loads the page “ads-t.ru/ads.js”. A quick Google search for this string currently reveals thousands of webpages that have had this code injected.

The JavaScript loads an IFRAME, which in turn loads the following file:
adtcp.ru/ad/index.php
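As an added defender-side example (not part of the original post), the scanner below flags the script and IFRAME references named above, both in rendered HTML and in text columns pulled from the affected database, since the SQL injection appends the tag to stored content rather than to page templates. The host list comes from the indicators in the post; the sample rows are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts named in the post: the injected script host and the IFRAME target.
SUSPICIOUS_HOSTS = {"ads-t.ru", "adtcp.ru"}


class InjectedTagScanner(HTMLParser):
    """Collects <script src> and <iframe src> references pointing at SUSPICIOUS_HOSTS."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        src = dict(attrs).get("src")
        if not src:
            return
        # Tolerate scheme-less (//host/path) and bare (host/path) forms as well as full URLs.
        url = src if "://" in src or src.startswith("//") else "http://" + src
        host = urlparse(url).hostname
        if host and host.lower() in SUSPICIOUS_HOSTS:
            self.hits.append((tag, src))


def scan_html(html):
    """Return [(tag, src), ...] for every injected reference found in an HTML fragment."""
    scanner = InjectedTagScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.hits


def scan_rows(rows):
    """Scan the text fields of database rows (dicts of column -> value).
    Returns [(row_index, column, hits), ...] for every field carrying an injected tag."""
    findings = []
    for i, row in enumerate(rows):
        for col, val in row.items():
            if isinstance(val, str):
                hits = scan_html(val)
                if hits:
                    findings.append((i, col, hits))
    return findings


# Constructed sample rows; the second mimics a text column the injection has appended to.
SAMPLE_ROWS = [
    {"id": 1, "title": "Welcome", "body": "<p>Hello world</p>"},
    {"id": 2, "title": "News",
     "body": "<p>Latest update</p><script src=http://ads-t.ru/ads.js></script>"},
]
```

Running `scan_rows` over every text column of a CMS export is enough to locate affected records; the unquoted `src=` form is handled, since that is how the injected tag is typically stored.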

That domain was registered on September 29th with the email address omit@blogbuddy.ru.

I wasn’t sure if I should try my malware analysis VM 30,000 feet over Wichita, Kansas, but I gave it a shot. The index.php file downloads a hostile Flash Player file:

/ad/spl/files/8628468724.swf

That file is only 797 bytes. VirusTotal has 1 of 41 detections for it, with Symantec calling it “Bloodhound.Exploit.266”. The MD5 is 148a8c05fb0b63f036f024e2104a6e4c.

The index.php file also causes a malicious PDF file to be downloaded. When the PDF file is opened by an older version of Adobe Reader, the computer becomes infected with one of the “scareware” fake anti-virus products.

The domain names involved in this scam are all fast-flux hosted, meaning that the website addresses resolve to machines belonging to a botnet. The traffic is then proxied from those IP addresses to the “real” criminal server.
