Cleanup in aisle 3 please. Asprox lying around

Published: 2008-08-07
Last Updated: 2008-08-07 14:43:56 UTC
by Mark Hofman (Version: 1)
0 comment(s)

Whilst looking for something completely different, I came across our old friend ASPROX. See the previous diary from Marc.

It seems that a lot of the domains used by this attack are still, or again, active, typically served via fast flux. The script tag being injected tends to reference ngg.js, fgg.js, b.js or js.js. That script in turn links to an IP address (still up) where a CGI script starts the road of pain.

Doing a quick search using our friend Google, I ended up with 1,470,000 sites that are currently infected. About 591,000 or so of those are b.js, which seems to point to inactive domains, so these are unlikely to do damage. The rest are a mixture of active and inactive links.

The high number of infected sites points to a couple of issues:

  1. Sites are compromised and nobody notices.
  2. Sites that are infected are not cleaned up.

The number of infected sites is high, but the sky is not falling. However, if you have a spare few minutes, do the following Google search, replacing yoursite with your domain, e.g. sans.org (just cut and paste the whole search):

   site:yoursite    "script src=http://*/""ngg.js"|"js.js"|"b.js"

If the search returns results, you have some cleaning to do.
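Google only reports what it has indexed, so it lags behind the live site and misses pages crawled before the injection landed. A local check over your own page source (or over any text export of the site's content) is worth running alongside the search. The following is an added example, not code from the diary: it scans text for script tags, quoted or unquoted, whose src is an external URL ending in one of the four file names named above, and ignores includes that are relative or that point at hosts you list as your own. The sample page, the hostnames and the RFC 5737 test address in it are constructed for the example.

```python
import re
from dataclasses import dataclass
from urllib.parse import urlparse

# Script file names the diary reports being injected.
ASPROX_SCRIPT_NAMES = ("ngg.js", "fgg.js", "b.js", "js.js")

# <script ... src=URL ...> with the URL quoted or bare (the injected
# form is usually unquoted), matched case-insensitively.
SCRIPT_SRC_RE = re.compile(
    r"""<script[^>]*?\bsrc\s*=\s*(?P<q>["']?)(?P<url>[^"'\s>]+)(?P=q)""",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Hit:
    line: int      # 1-based line in the scanned text
    url: str       # full src value as found
    host: str      # host the script is loaded from
    script: str    # which of the known file names it is


def find_asprox_injections(content: str, own_hosts=()) -> list[Hit]:
    """Return every external script include that looks like the Asprox tag.

    own_hosts: hostnames you legitimately serve scripts from; a js.js on
    your own CDN is not an infection, so those are skipped.
    """
    own = {h.lower() for h in own_hosts}
    hits = []
    for lineno, line in enumerate(content.splitlines(), 1):
        for m in SCRIPT_SRC_RE.finditer(line):
            url = m.group("url")
            parsed = urlparse(url)
            if parsed.scheme not in ("http", "https"):
                continue  # relative or local include, not the injected form
            name = parsed.path.rsplit("/", 1)[-1].lower()
            if name not in ASPROX_SCRIPT_NAMES:
                continue
            host = (parsed.hostname or "").lower()
            if host in own:
                continue
            hits.append(Hit(line=lineno, url=url, host=host, script=name))
    return hits


# Constructed sample page: one local include, one include from the site's
# own host, and two injected tags of the kind the diary describes.
SAMPLE_PAGE = """<html><head><title>Council services</title>
<script src="/assets/js/b.js"></script>
<script type="text/javascript" src="https://www.example-council.test/js/js.js"></script>
</head><body>
<p>Opening hours</p><script src=http://198.51.100.23/ngg.js></script>
<div>Contact us<script src=http://update.example-flux.test/b.js></script></div>
</body></html>
"""


if __name__ == "__main__":
    for hit in find_asprox_injections(SAMPLE_PAGE, own_hosts=("www.example-council.test",)):
        print(f"line {hit.line}: {hit.script} loaded from {hit.host} ({hit.url})")
```

Run it over a crawl of your own site (or a database export, if that is where the tag was written) rather than a single page; a hit on every page usually means the tag sits in shared content, which is the cleanup target, whereas a hit on one page points at that page's own source.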

I did a quick breakdown of infected sites:

  .gov     -   238        .com     - 474K
  .gov.au  -   927        .org     - 79.9K
  .gov.uk  - 2,930        .com.au  - 19.5K
  .gov.cn  -   34K        .co.uk   - 19.3K
  .gov.za  -   424        .ca      - 13.1K
  .gov.br  -   263

I'll let you know next week if things are getting better or worse.

Happy cleaning.

Mark