Over 12,500 computers have already been infected

Dec 16, 2013 09:07 GMT

Security experts have come across an interesting botnet dubbed by its operators “Advanced Power.” The goal of this botnet is to identify SQL injection vulnerabilities on the websites visited by users whose computers have been infected (turned into zombies).

According to Brian Krebs, over 12,500 computers have already been infected. The bots have helped cybercriminals identify at least 1,800 websites vulnerable to SQL Injection attacks.

The malware is apparently distributed as a rogue Mozilla Firefox add-on called Microsoft .NET Framework Assistant. It’s worth noting that “Microsoft .NET Framework Assistant” is a genuine add-on developed by Microsoft. The attackers are simply leveraging the name of the real extension.

Once they determine which websites are vulnerable to SQL Injection attacks, the cybercriminals can abuse them for various purposes, including launching drive-by attacks or stealing the information stored in their databases.

At this point, it’s uncertain how the rogue add-on is being distributed, but once it infects a computer, it makes sure almost every page visited by the victim is tested for vulnerabilities.

Alex Holden of Hold Security LLC has analyzed the threat and believes that it might have been developed by individuals from the Czech Republic.

The expert says that the method they’re using is “deep and innovative.”

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality. You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right,” Holden told Krebs.

“In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means it is a full regression test, but it is a deep and innovative approach.”

Update. Mozilla has disabled the rogue add-on.