Asprox botnet now equipped with SQL injection tool
SecureWorks reports that the Asprox botnet is being updated with a binary called
msscntr32.exe. This turns out to be an automated SQL injection tool. Masquerading as a "Microsoft Security Center Extension", the tool searches Google for flaws in
direct84.com, a domain with a very questionable Whois record registered on May 7 2008, containing the details
Name: norman; Company: zevs; Address: gellion 13-13; City: Error; State: 3562; Country: AU; Zip: 123456; Tel No: 749 7983456; Fax No: ; Email: firstname.lastname@example.org
which, however, genuinely appears to have been registered from Australia, as "gellion" is a little-known street name in Roxburgh Park, Melbourne.
The link ultimately redirects to a server that, according to the report, attempts to propagate Danmec, Asprox and the SQL injection tool. SecureWorks noted that only Asprox is capable of propagating the malware. The target server was down when tested by SecureWorks.