Mozilla Blocks Botnet Add-on

Wednesday, December 18, 2013 @ 02:12 PM gHale

Mozilla blocked a new botnet consisting of 12,500 computers crowdsourcing a search for websites vulnerable to SQL injection attacks.

These computers scan almost every website their users visit, and they were made to do so by a malicious Mozilla Firefox add-on named Microsoft .NET Framework Assistant, according to security researcher Brian Krebs.


It remains unclear how the computers were initially compromised and how the users ended up downloading and using the rogue add-on. The malware may have come bundled with other downloaded software, or users may have been tricked into downloading the plugin.

The malicious plugin first hit the street in May, which means the botnet, called “Advanced Power” by its creators, has been operating for the last six months.

A peek into the botnet’s admin panel revealed it had discovered over 1,800 websites vulnerable to SQL injection. While there are no details, the information gathered could have been used to mount attacks against the websites in order to steal the information stored in their databases or to inject them with code that would trigger drive-by malware attacks.

The malicious add-on is also capable of stealing sensitive information from the infected computer, but it does not do so.

Alex Holden, CISO at Hold Security, analyzed the malware and found text strings that Google Translate auto-detected as Czech, leading him to believe the botmasters might be Czech nationals or might simply be living in the Czech Republic and familiar with the language.

The idea behind the botnet was to automate the boring and time-consuming task of probing websites for SQL injection vulnerabilities.

Several hours after the existence of the botnet became public, Mozilla disabled the malicious add-on by adding it to its block list.
