A Firefox add-on which looks genuine, but is in fact a lure for a botnet, has captured 12,500 computer systems according to security expert Brian Krebs.

It appears that this particular nasty is leveraging the name of a legitimate Firefox add-on called Microsoft .NET Framework Assistant in order to trick users of the popular web browser.

The botnet, known as ‘Advanced Power’, searches every web page visited by the infected systems and attempts to discover vulnerabilities within them.

Those behind Advanced Power have been working on the botnet since at least May of this year (malware analysis service Malwr confirm identification on May 31) said Krebs who believes that at least 1,800 web pages that are susceptible to SQL injection attacks have been discovered so far.

Krebs said of SQL injection attacks:

“SQL injection attacks take advantage of weak server configurations to inject malicious code into the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.”

Krebs notes, however, that this particular piece of malware does not seem to be stealing sensitive data from infected machines, even though that functionality is indeed present within its coding. Instead it seems the main priority for the botnet, at this time at least, is simply to act as a “distributed scanning platform for finding exploitable sites.” Building up a list of sites known to be vulnerable to SQL injection would certainly have its uses, saving hackers a lot of time that would otherwise be spent on random testing and probing.

Whilst it is unclear who is behind the botnet, or where the operators are located, there is a suggestion that it may have originated in the Czech Republic, or at the least have Czech programmers making up part of the team. Alex Holden, chief information security officer at Hold Security LLC said that some of the text strings within the malware were automatically identified as being Czech in origin by Google Translate.

Holden also said that,

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality. You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right.

In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

According to Information Week,  “Kafeine” at the Malware Don’t Need Coffee blog has identified that the Advanced Power botnet has been distributed, in part at least, by the Blackhole exploit kit,

Mozilla has now blocked the add-on, saying, “It is a malicious extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites.”

Some time after Brian published his post Firefox moved to block the fake add-on, saying that:

“The problematic add-on or plugin will be automatically disabled and no longer usable.

When Mozilla becomes aware of add-ons, plugins, or other third-party software that seriously compromises Firefox security, stability, or performance and meets certain criteria, the software may be blocked from general use.”

About the Author: admin

Let’s Talk

Please leave your contact details and a member of our team will be in touch shortly.