Mozilla blocked a new botnet consisting of 12,500 computers crowdsourcing a search for websites vulnerable to SQL injection attacks.
These computers have been scanning almost every website their users visited, and they were made to do so by a malicious Mozilla Firefox add-on named "Microsoft .NET Framework Assistant," according to security researcher Brian Krebs.
It remains unclear how the computers were initially compromised and how the users ended up downloading and using the rogue add-on. The malware may have come bundled with other downloaded software, or users may have been tricked into downloading the plugin.
The malicious plugin first appeared in May, which means the botnet, called “Advanced Power” by its creators, has been operating for the last six months.
A peek into the botnet’s admin panel revealed that it had discovered over 1,800 websites vulnerable to SQL injection. While there are no details, the information gathered could have been used to mount attacks against the websites in order to steal the information stored in their databases or to inject them with code that would trigger drive-by malware attacks.
The malicious add-on is also capable of stealing sensitive information from the infected computer, but it does not do so.
Alex Holden, CISO at Hold Security, analyzed the malware and found text strings that Google Translate auto-detected as Czech, making him believe the botmasters might be Czech nationals or simply living in the Czech Republic and familiar with the language.
The idea behind the botnet was to automate the boring and time-consuming task of probing websites for SQL vulnerabilities.
Several hours after the existence of the botnet became public, Mozilla disabled the malicious add-on by adding it to its block list.