According to security researcher Brian Krebs, the botnet, which calls itself Advanced Power, conducts SQL injection attacks on virtually any website visited by the victim. These take advantage of weak server configurations to inject malicious code into the database behind the public-facing web server. If successful, “attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases,” he said in an analysis.
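As an added defender-side illustration, not code from Krebs's analysis or this article: the botnet's probes reach a server as otherwise valid requests whose parameters carry SQL syntax, so a simple scan of the web server's access log can surface them and show how many distinct client addresses hit each path. The log lines and the probe heuristics below are constructed for this example.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines in common log format (sample data, not from the article).
LOG = """\
10.0.0.1 - - [10/Dec/2013:10:00:01 +0000] "GET /product?id=42 HTTP/1.1" 200 512
10.0.0.2 - - [10/Dec/2013:10:00:02 +0000] "GET /product?id=42%27 HTTP/1.1" 500 0
10.0.0.3 - - [10/Dec/2013:10:00:03 +0000] "GET /product?id=42+AND+1%3D1 HTTP/1.1" 200 512
10.0.0.4 - - [10/Dec/2013:10:00:04 +0000] "GET /search?q=shoes HTTP/1.1" 200 2048
10.0.0.5 - - [10/Dec/2013:10:00:05 +0000] "GET /search?q=shoes%27+OR+%271%27%3D%271 HTTP/1.1" 200 9000
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')

# Coarse heuristics for injection probes: a lone quote, a boolean tautology,
# a SQL comment or UNION. Deliberately broad; legitimate apostrophes
# (e.g. "men's shoes") will also flag, so treat hits as leads, not verdicts.
PROBE_RE = re.compile(
    r"('|\bOR\b\s+\S+\s*=\s*\S+|\bAND\b\s+\S+\s*=\s*\S+|--|/\*|\bUNION\b)", re.I)

def parse(line):
    """Split one access-log line into source IP, path, decoded query parameters and status."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, _ts, _method, target, status, _size = m.groups()
    u = urlparse(target)
    params = parse_qs(u.query, keep_blank_values=True)  # percent-decodes values
    return {"ip": ip, "path": u.path, "params": params, "status": int(status)}

def is_probe(rec):
    """True if any query parameter value looks like SQL syntax rather than plain data."""
    return any(PROBE_RE.search(v) for vs in rec["params"].values() for v in vs)

def find_probes(log_text):
    """Return {path: set(source IPs)} for requests carrying SQLi-like parameters.

    Many distinct IPs probing the same path is the signature of a distributed
    scanner riding on real users' browsers rather than a single pentester.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and is_probe(rec):
            hits[rec["path"]].add(rec["ip"])
    return dict(hits)
```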
SQL injection is extremely popular with attackers because a compromised website can distribute malware so widely. Imperva noted in a recent report that web applications receive four or more attacks per month, but some websites are constantly under attack – especially retail and e-commerce sites.
A botnet that essentially acts as a distributed, automated scanner for finding those weak configurations is therefore an extremely useful – and efficient – tool to have if you’re a malware pusher. It takes much of the work out of the process and tilts the effort-reward ratio in cybercriminals’ favor.
“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” said Alex Holden, chief information security officer at Hold Security, speaking to Krebs. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”
Advanced Power has been at it since at least May 2013, and is likely being run by people in the Czech Republic, Krebs said. It’s unclear how it’s being initially propagated, but once it’s installed as a legitimate Firefox extension, it goes on to use the Windows machine’s resources to carry out its work. The administrative panel shows that it has discovered at least 1,800 Web pages that are vulnerable to SQL injection attacks so far.
He also found that the malware does include a component designed to steal passwords and other sensitive information from infected machines, but so far that hasn’t been activated on the infected hosts.
“Botnets like this one are a great and classic example of how compromised systems are nearly always used to chip away at the defenses of others online,” Krebs noted. “Interestingly, there is a legitimate add-on for Firefox that can help passively detect SQL injection vulnerabilities on sites you visit.”