Asprox domains: 2/8/07

These are the currently active Asprox domains to check for. They are all very recently registrations.

• 8hcs.ru
• 98hs.ru
• bgsr.ru
• bywd.ru
• ibse.ru
• ncbw.ru
• nwj4.ru
• ojns.ru
• porv.ru
• uhwc.ru

The SQL Injection war

Dancho Danchev had has some very good writeups on the current round of SQL injection attacks. This post on copycat attacks caught my eye, because it shows that there's more than one crew at work here.

If anything, this situation is likely to get worse. The tools needed to carry out a SQL injection attack are now almost available off-the-shelf, the attacks are obviously financially successful because they have been ongoing now for some months, and enumeration of vulnerable servers can be done through Google or Yahoo if you don't want to bother crawling the web.

Identifying and blocking domains helps, but it isn't a real solution. Most of these attacks are thwarted by a fully patch client (and I do mean all the software on the client, the Secunia Software Inspector can help here or some other decent audit tool). Using Firefox + NoScript is a good idea for the technically savvy. But ultimately, the best way of fighting this is to secure or shut down infected SQL servers. Don't be afraid to use the abuse@ email address where a web site is posing a continuing threat.

Asprox domains: 29/7/08

These are this morning's active Asprox domains. New ones are in bold.

• b4so.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• gty5.ru
• iroe.ru
• jve4.ru
• kj5s.ru
• kjwd.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• njep.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

Asprox domains: 28/7/08

These seem to be the current Asprox domains to block or check for. New ones are in bold.

• bs04.ru
• bce8.ru
• bjxt.ru
• bnsr.ru
• bosf.ru
• bsko.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncb2.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• oics.ru
• pfd2.ru
• po4c.ru

ngg.js still seems to be the name of the javascript file injected into compromised hosts.

Asprox domains: 25/7/08

These domains seem to be active today, new ones in bold.

• bce8.ru
• ch35.ru
• iroe.ru
• jve4.ru
• kjwd.ru
• kodj.ru
• kpo3.ru
• kr92.ru
• ncwc.ru
• nemr.ru
• nmr43.ru
• pfd2.ru
• po4c.ru

One oddity - the URL zvz.cc/forums/8L0/join.upq has been spotted as a redirector for these Javascript exploits. Google list zvz.cc that as a malware infected site, it is hard to tell though if this is just another victim or part of the C&C for the botnet. For the record, these are the WHOIS details.. but they might not mean very much.

Registration Service Provided By: ESTDOMAINS INC
Contact: +1.3027224217
Website: http://www.estdomains.com

Domain Name: ZVZ.CC

Registrant:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Creation Date: 09-Apr-2008
Expiration Date: 09-Apr-2009

Domain servers in listed order:
ns2.zvz.cc
ns1.zvz.cc

Administrative Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Technical Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Billing Contact:
Himpet .Inc
Evgenij Novoberkov (zvz@tut.by)
Stahanov.St 120
Minsk
Missouri,222120
US
Tel. +022.2720771

Status:ACTIVE

Asprox: jve4.ru, nmr43.ru and po4c.ru

Three new Asprox domains that have gone live in the past few hours, probably some more on the way. Either block these or check your logs if you are a network admin.

• jve4.ru
• nmr43.ru
• po4c.ru

Asprox domains: 23/7/08 - Part II

Just a couple more to add:

• cgt4.ru
• kc43.ru

Asprox domains: 23/7/08

A shift in domains used by the Asprox crew - these new domains are all in the .ru TLD and are registered via NauNet (contact details here). ngg.js is still the name of the Javascript file to look for, I suspect that vrcgoo.js might be a new name to keep an eye out for too.

• 4cnw.ru
• 4vrs.ru
• 5kc3.ru
• 90mc.ru
• 9jsr.ru
• bts5.ru
• chds.ru
• cvsr.ru
• d5sg.ru
• ecx2.ru
• gb53.ru
• h23f.ru
• jex5.ru
• jvke.ru
• keec.ru
• keje.ru
• kgj3.ru
• lkc2.ru
• lksr.ru

For most organisations, blocking the entire .ru TLD will probably do no harm as these are usually always Russian language sites.

Asprox domains: 16/7/08

The following Asprox SQL Injection domains appear to be active today. New ones are in bold.

• adwnetw.com
• adpzo.com
• ausbnr.com
• brcporb.ru
• btoperc.ru
• cdport.eu
• cdrpoex.com
• gbradde.tk
• grtsel.ru
• korfd.ru
• movaddw.com
• tctcow.com
• usabnr.com

ngg.js still seems to be the name of the script file. Block these sites and/or check your logs.

Asprox domains: 15/7/08

Another bunch of Asprox SQL Injection domains, new ones are in bold.

• adpzo.com
• adwnetw.com
• ausbnr.com
• bkpadd.mobi
• butdrv.com
• cdport.eu
• cdrpoex.com
• cliprts.com
• gbradde.tk
• gbradp.com
• gitporg.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
• tctcow.com
• tertad.mobi
• usabnr.com

These are still using ngg.js in the injected code.

Asprox domains: 10/7/08

These seem to be the currently active Asprox SQL Injection domains to block or check for. New ones are in bold.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• crtbond.com
• destad.mobi
  
• destbnp.com
• drvadw.com
• gbradw.com
• loopadd.com
• movaddw.com
• nopcls.com
• porttw.mobi
• pyttco.com
  
• tertad.mobi
  
• usaadw.com
• usabnr.com

No prizes for guessing that Vivids Media GmbH handled the registrations.

Two more new ones as well:

• bkpadd.mobi
• tctcow.com

Asprox domains: 9/7/08

Another shift in the Asprox SQL Injection domains, still registered with Vivids Media GmbH. As ever, check your logs or block them.

• adwnetw.com
• ausadd.com
• ausbnr.com
• bnsdrv.com
• butdrv.com
• cdrpoex.com
• cliprts.com
• crtbond.com
• destbnp.com
• drvadw.com
• gbradp.com
• gbradw.com
• hdrcom.com
• loopadd.com
• movaddw.com
• nopcls.com
• tctcow.com
• usaadp.com
• usaadw.com
• usabnr.com

Who are Vivids Media GmbH?

If you have been tracking the latest round of SQL Injection domains, then you might be familiar with the name Vivids Media GMBH as being the current registrar of choice.

The odd thing is that Vivids Media GmbH doesn't appear to have a web site or any traceable contact details. However, most of the domain registrations have a contact telephone number in Berlin of +49.3094413291 and some searching around gives this page with what looks like the correct contact details of:

Name: Vivids Media GmbH
Email Address: support@klikdomains.com
Address: Leege-Gr str. 41
City: Berlin
Zip: 13055
Country : Germany
Tel No.: +49.3094413291

That indicates that Vivid Media GmbH is related to klikdomains.com and therefore klikvip.com which are part of another company that claims to be in Berlin, Klik Media GmbH (some of the alleged goings on of this company are mentioned here). A short step away from Klik are a whole set of domains registered via Estdomains (a familiar name to many) and things start to get seedy from there.

There's no evidence that Vivid Media GmbH is directly invovled in anything bad - in fact there is barely any evidence that Vivid Media GmbH actually exists at all. Spammers and other bad guys do have a knack of finding registrars who are slow at terminating their accounts, so let's be charitable and say that Vivids Media are just understaffed in their abuse department.

The problem is that if you want to contact Vivids Media, then it seems to be very difficult. Their website is 56823.myorderbox.com which is a sort of white label domain registrar site. Myorderbox.com seems to be based in India, and looks to be a reseller of ResellerClub which in turns registers names through PublicDomainRegistry.com.

Complicated? Well, yes.. but ultimately PublicDomainRegistry.com are the registrar and it turns out that there is some light at the end of the tunnel. You will find that most of the domains used in these SQL Injection attacks have false WHOIS data, and you can report false WHOIS data here. Hopefully then the domain will be suspended.. not that it really matters too much because the bad guys will just register some more.

So the answer to the question "who are Vivids Media GmbH?" is "I don't know" but for most practical puporses you wouldn't need to deal with them if complaining about one of these domains, go to the registrar and report it there.

Asprox domains: 7/7/08 and another SQL Injection mitigation article

Another batch of Asprox domains are active today - it also seems that those from 3rd July are still running too. I advise that you check your logs for these or block them:

• adbtch.com
• aladbnr.com
• allocbn.mobi
• adwadb.mobi
• apidad.com
• appdad.com
• asodbr.com
• asslad.com
• blcadw.com
• blockkd.com
• bnradd.mobi
• bnrbase.com
• bnrbasead.com
• bnrbtch.com
• browsad.com
• brsadd.com
• canclvr.com
• catdbw.mobi
• clrbbd.com
• dbgbron.com
• ktrcom.com
• loctenv.com
• lokriet.com
• mainadt.com
• mainbvd.com
• portadrd.com
• portwbr.com
• stiwdd.com
• ucomddv.com
• upcomd.com

If you're looking at ways of protecting your server against these SQL injection attacks, then Sophos has a blog entry called Avoiding SQL injection attacks which looks like a good starting point.

Asprox domains: 3/7/08 and ngg.js

The Asprox domains used in the current round of SQL Injection attacks have shifted again, the ones to check for or block are:

• adwadb.mobi
• allocbn.mobi
• canclvr.com
• catdbw.mobi
• ktrcom.com
• lokriet.com
• mainbvd.com
• portwbr.com
• stiwdd.com
• testwvr.com
  
• upcomd.com
• ucomddv.com
  

The malicious javascript file has also changed to ngg.js (usually it is b.js or m.js or similar). If you're using Google Alerts or similar to monitor your own site or sites of interest, you might want to change the search string to something like "script src=http:" .js site:oceanic-air.com (replace the domain name with the site you want to monitor).

Asprox domains: 2/7/08

These seem to be the currently active domains used in the Asprox SQL Injection attack. Registrar of choice at the moment is Vivids Media GMBH (if they really exist) via Directi Internet Solutions (publicdomainregistry.com).

• adupd.mobi
• adwste.mobi
• bnrupdate.mobi
• cntrl62.com
• config73.com
• cont67.com
• csl24.com
• debug73.com
• default37.com
• get49.net
• pid72.com
• pid76.net
• web923.com

Best advice to to block access to these sites and check your logs.

Asprox: new domains including .mobi

Another set of domains used in the Asprox SQL Injection attack: bnrupdate.mobi, adwste.mobi, adupd.mobi, hlpgetw.com, hdadwcd.com, rid34.com, adwsupp.com,supbnr.com, suppadw.com, dl251.com, aspx49.com, kadport.com, tid62.com, and batch29.com.

It's the first time that I've seen .mobi used in this way. Blocking access to all .mobi domains will probably do little harm.

Asprox: list of domains and mitigation steps

The folks over at Bloombit Software have a useful article called ASCII Encoded/Binary String Automated SQL Injection Attack which explains some of the technical details behind these attacks and also has another list of domains serving up malware which is useful to keep an eye on.

Asprox: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com

Another bunch of domains coming up in the latest batch of Asprox SQL Injection attacks: app52.com, aspssl63.com, update34.com, appid37.com, asp707.com, westpacsecuresite.com - check your logs for these.

Microsoft Security Advisory (954462) - Rise in SQL Injection Attacks Exploiting Unverified User Data Input

A timely advisory from Microsoft on SQL Injection attacks plus some tools to help secure your setup are available on KB954462 with more information here and ISC's commentary here.

Of particular interest is the free Scrawlr tool available from HP. That could be a useful way to see if your server is vulnerable before the bad guys find it,