Mozilla blocks rogue add-on that made computers scan sites for flaws

A singular new botnet composed of over 12,500 infected computers has been used by its masters to effectively crowdsource the search for websites vulnerable to SQL injection attacks.

As explained by Brian Krebs, these computers have been roped into scanning almost every website their users visited, and they were made to do so by a malicious Mozilla Firefox add-on named Microsoft .NET Framework Assistant.

It is still unknown how the computers were initially compromised and the users made to download and use the rogue add-on. It’s possible that the malware came bundled with other downloaded software, or that users were tricked into downloading the plugin.

What is known is that the malicious plugin has been spotted for the first time in May 2013, and that means that the botnet – dubbed “Advanced Power” by its creators – has been operating for the last six months at least.

A peek into the botnet’s admin panel revealed that it has discovered over 1,800 websites vulnerable to SQL injections. This information was probably used to mount attacks against the websites in order to either exfiltrate the information stored in their databases or to inject them with code that would trigger drive-by malware attacks.

It’s interesting to note that the malicious add-on also has the ability to steal sensitive information from the infected computer, but that it hasn’t been made to do so.

Alex Holden, CISO at Hold Security, analysed the malware and discovered a few transliterated text strings that Google Translate auto-detected as Czech, making him believe that the botmasters might be Czech nationals or simply living in the Czech Republic and familiar with the language.

The botnet, according to him, was obviously created to automate the boring and time-consuming task of probing websites for SQL vulnerabilities, in what should be considered as a “deep and innovative approach.”

Several hours after the existence of the botnet was made public, Mozilla has announced that it has disabled the malicious add-on by adding it to its block list.

“Microsoft .NET Framework Assistant (malware) has been blocked for your protection,” the notice seen by the affected users said.

“This is not the Microsoft .NET Framework Assistant created and distributed by Microsoft. It is a malicious extension that is distributed under the same name to trick users into installing it, and turns users into a botnet that conducts SQL injection attacks on visited websites,” it added.

Firefox checks the block list once a day, and affected users are not required to do anything to make the problem go away. “The problematic add-on or plugin will be automatically disabled and no longer usable,” Mozilla explained.