Internet Security Systems - AlertCon(TM)

Conficker SQL Injection connection or coincidence?

Posted by Jennifer Szkatulski, John Kuhn, and Ryan McNulty on June 08, 2009 at 1:16 PM EDT.

Even though the would-be juggernaut called Conficker has left us a bit underwhelmed, perhaps we shouldn’t count it out just yet.  Conficker may still have some tricks up its sleeve.  Once the Conficker hype settled down, it became clear that the elaborate botnet was assembled simply to make money.  Initial reports stated that the botnet was used to install the Waledac trojan/worm, scareware and fake antivirus software.  All of these updates generate revenue for the Conficker botmaster, through pay-per-install or by “leasing” the botnet to other criminals.  It baffled some observers that a botnet which could have been so much more ended up delivering such payloads.  While effective and profitable, we just expected more drama.  More intrigue.  More of the ingenuity we saw in the sophistication, encryption, and technology used to create and spread Conficker itself.  Among the theories bandied about, researchers speculated that Conficker would be responsible for cyberwarfare, mass identity theft, DDoS, the creation of Skynet, and the end of life as we know it.  As time passed, however, no evidence of any of this surfaced.  Although I have heard that Conficker is responsible for bringing “I’m a Celebrity…Get Me Out of Here!” to our television sets.

Thanks to the work of Mark Yason of X-Force, we are able to see a very in-depth view of Conficker, from its many random probes looking for peers to its executable data transfers.  We see and track thousands of nodes from the botnet, and look at any deviation or surrounding attacks that accompany them.  Here in the ISS/MSS Security Operations Center, our global reach gives us a unique opportunity to view traffic traversing the Internet and to detect emerging trends.  Recently, an interesting trend began to appear that included our old friend Conficker.

The trend we started to see was SQL injection sourcing from the same Conficker-infected peers.  The SQL statement involved typically arrives with the User-Agent string “NV32ts”, which is why the activity is often referred to as the NV32ts botnet.  Currently the injected string is a slight variation on the following:

999999 And char(124)+(Select Cast(Count(1) as varchar(8000))+char(124) From [sysobjects] Where 1=1)>0

The payload is a reconnaissance probe rather than an attempt to steal data.  It is Microsoft SQL Server syntax (char(), varchar, the sysobjects catalog view), and char(124) is the “|” character, so the subquery builds the string “|<count>|”.  Comparing that string with 0 forces SQL Server to attempt a varchar-to-int conversion, which fails; a web application that echoes database errors to the client then reveals that the backend is SQL Server, that the parameter is injectable, and how many objects sysobjects holds, framed between the bars for easy parsing.  It appears that the attackers are simply cataloguing web/SQL servers that respond this way for possible direct, targeted attacks later.

Is Conficker being used to perform SQL injection attacks or to distribute the NV32ts bot? As yet, we don't know for sure. Unpatched, unprotected hosts on the Internet can naturally be infected with multiple botnets at the same time, so a source that is both a Conficker peer and an SQL injection origin may simply carry two unrelated infections. Also, NAT devices make multiple hosts appear from the same source address, so the Conficker peer and the injecting host may not even be the same machine. However, there have been reports of cases in which limited numbers of Conficker-infected nodes have been updated with other common malware, such as Waledac. So there is a possibility that a connection exists. We will continue to trend the issue and monitor any deviation, or influx, in hosts sourcing the malicious SQL.
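As an added illustration (not code from the original post or from ISS/X-Force), the following Python script shows how a SOC analyst might pick the NV32ts sysobjects-count probe described above out of web-server access logs and then cross-reference the sources against hosts already flagged as Conficker peers, with the coinfection and NAT caveats above in mind. The log lines, the Conficker peer list and the hostnames are constructed for the example; the Apache-style combined log format, the URL decoding and the regular expressions are assumptions about how such data would be handled, not anything the post describes.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (combined log format with User-Agent).
# These are made up for the example; they are not data from the post.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Jun/2009:12:01:03 -0400] "GET /news.asp?id=999999%20And%20char(124)%2B(Select%20Cast(Count(1)%20as%20varchar(8000))%2Bchar(124)%20From%20%5Bsysobjects%5D%20Where%201%3D1)%3E0 HTTP/1.1" 500 1203 "-" "NV32ts"
10.0.0.7 - - [08/Jun/2009:12:01:09 -0400] "GET /news.asp?id=42 HTTP/1.1" 200 5121 "-" "Mozilla/5.0"
10.0.0.9 - - [08/Jun/2009:12:02:15 -0400] "GET /prod.asp?cat=5%20and%20char(124)%2B(select%20cast(count(1)%20as%20varchar(8000))%2Bchar(124)%20from%20sysobjects%20where%201%3D1)%3E0 HTTP/1.1" 500 1188 "-" "Mozilla/4.0"
"""

# Constructed set of sources already flagged as Conficker peers (for instance
# from peer-probe detections); an assumption for the example.
CONFICKER_PEERS = {"10.0.0.5", "10.0.0.11"}

# Apache combined log format (assumed here): src ident user [ts] "req" status size "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# The probe from the post: char(124) is '|', so the subquery yields '|<N>|' where
# N is the row count of the SQL Server catalog view sysobjects.  Comparing that
# varchar with 0 makes SQL Server attempt an int conversion, which fails, and an
# application that echoes database errors leaks N between the bars.  Case,
# whitespace, the '+' concatenation and the optional [..] quoting are matched
# loosely because the post says the string arrives with slight variations.
PAYLOAD_RE = re.compile(
    r"char\(124\)[\s+]*\(\s*select\s+cast\s*\(\s*count\s*\(\s*1\s*\)\s+as\s+varchar"
    r"\s*\(\s*8000\s*\)\s*\)[\s+]*char\(124\)\s+from\s+\[?sysobjects\]?",
    re.IGNORECASE,
)


def parse_request(line):
    """Split one log line into fields; returns None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # The payload reaches the server percent-encoded; decode before matching.
    rec["decoded"] = unquote_plus(rec["target"])
    return rec


def classify(line):
    """Annotate a parsed request with the indicators discussed in the post."""
    rec = parse_request(line)
    if rec is None:
        return None
    rec["sysobjects_count_probe"] = bool(PAYLOAD_RE.search(rec["decoded"]))
    rec["nv32ts_ua"] = rec["ua"] == "NV32ts"
    # A 5xx alongside the probe suggests the injected SQL actually reached the
    # database and raised the conversion error the probe relies on.
    rec["error_response"] = rec["status"].startswith("5")
    return rec


def scan_log(text):
    """Return the annotated records that carry the sysobjects-count probe."""
    records = (classify(line) for line in text.splitlines() if line.strip())
    return [r for r in records if r and r["sysobjects_count_probe"]]


def correlate_with_peers(hits, peers):
    """Sources that both sent the probe and were seen as Conficker peers.

    Overlap is suggestive, not proof: a NAT address can hide an infected
    workstation and an unrelated scanner, and one host can carry two infections.
    """
    return sorted({h["src"] for h in hits} & set(peers))


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        tag = "NV32ts-UA" if h["nv32ts_ua"] else h["ua"]
        print(h["src"], h["status"], tag, h["decoded"])
    print("probe sources also seen as Conficker peers:",
          correlate_with_peers(hits, CONFICKER_PEERS))
```

The interesting signal for triage is the probe together with a 5xx response, since a 500 means the injected SQL likely reached the database and produced the error the probe is designed to provoke; a 200 with the same request is more often a site that validates the parameter. The NV32ts User-Agent is a convenient label but not required for a match, because the third sample line carries the same payload under a generic browser string.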

At its height, estimates credited over 9 million infections to Conficker.  With the infection numbers far lower now, it is easy to forget how much damage Conficker could cause.  That would be a mistake.  Conficker and other botnets have the potential to be sleeping giants.  Botmasters remain in control and can change their payloads at any time.  What is executing fake antivirus software today may be executing the newest 0-day exploit tomorrow.  We must never become complacent when it comes to botnets.  They are a rapidly growing threat, and awareness of their presence in your network should be a high priority for every administrator.  At any point they may change their directive and become what we fear.

6/8/2009: Updated contributors.

6/8/2009: Coinfection clarification.

Comments or opinions expressed on this Weblog are the opinions of the authors alone. They are not necessarily reviewed in advance by anyone but the individual authors, and neither IBM Internet Security Systems nor any other party necessarily agrees with them. The views expressed by outside contributors and links to outside websites do not represent the views of IBM Internet Security Systems, its management or employees. All content on this Weblog has been made available on an “as-is” basis, and IBM Internet Security Systems shall not be liable for any direct or indirect damages arising out of use of this Weblog.