What Happened to You, Asprox Botnet?

SANS Internet Storm Center (SANS ISC) diary. Handler on Duty: Brad Duncan

Earlier this year, @Techhelplistcom reported the spam and landing site infrastructure used to spread Asprox malware switched to porn-related URLs [1]. This started back in mid-January 2015, and I still haven't seen much about it in the open press. Since then, this infrastructure has continued spreading links to pornography or diet-related scams [2] [3].

We’re still seeing the malicious emails with the same type of subject lines, but these typically have a zip file attachment with a JavaScript file (.js) inside. The image below contains an example of the malicious spam I've seen with fake toll road debt subject lines. These all have zip attachments containing .js files. This spam is Asprox-like in subject matter, but the malware is different from what we’ve previously seen with the Asprox botnet. I've asked a few other people about this. From what I can tell, no one yet seems to believe these new emails are from the Asprox botnet.
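As an added detection example (not code from the diary or from SANS ISC), the following Python script parses a raw RFC 5322 message, finds zip attachments, and reports any .js file packed inside them, which is exactly the attachment pattern described above. The sample message it builds is constructed here for the demonstration: the sender, recipient, subject line and file names are placeholders, and the script body inside the zip is a harmless comment, not a real downloader.

```python
import io
import os
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# File extensions flagged when found inside a zip attachment. The diary
# describes .js files; a defender can extend this set to other script types.
SCRIPT_EXTENSIONS = {".js"}


def build_sample_message(inner_name: str, inner_body: str = "// placeholder\n") -> bytes:
    """Construct a sample message (not a real sample from the diary) with a
    toll-road style subject line and a zip attachment containing one file.
    All names and addresses are constructed placeholders."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(inner_name, inner_body)  # harmless stand-in for the payload
    msg = EmailMessage()
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Indebtedness for driving on toll road #000412"
    msg.set_content("Please find your notice attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="toll_notice_0412.zip")
    return msg.as_bytes()


def script_files_in_zip_attachments(raw_message: bytes) -> list:
    """Return (attachment filename, inner filename) pairs for every script
    file found inside zip attachments of the given raw message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw_message)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        payload = part.get_payload(decode=True)
        # Check the bytes, not the declared content type, so a renamed or
        # mislabeled zip is still inspected.
        if not payload or not zipfile.is_zipfile(io.BytesIO(payload)):
            continue
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for info in zf.infolist():
                    ext = os.path.splitext(info.filename)[1].lower()
                    if ext in SCRIPT_EXTENSIONS:
                        hits.append((name, info.filename))
        except zipfile.BadZipFile:
            continue  # truncated or corrupt archive; nothing to report
    return hits


def is_suspicious(raw_message: bytes) -> bool:
    """True when the message carries a zip attachment with a script inside."""
    return bool(script_files_in_zip_attachments(raw_message))


if __name__ == "__main__":
    sample = build_sample_message("toll_notice_0412.js")
    for attachment, inner in script_files_in_zip_attachments(sample):
        print(f"script {inner!r} found inside attachment {attachment!r}")
```

Point the parser at real .eml files from a mail gateway quarantine to apply the same check; a zip whose contents are documents rather than scripts (the second assertion case below) is left alone, so the rule targets the zip-wrapped .js pattern specifically rather than every archive.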

What happened to you, Asprox botnet? Are you only spreading spam, now?

The Asprox botnet first emerged in 2007 [4]. This botnet sent a large amount of spam over the years, including malicious spam (malspam) containing malware designed to infect a user's computer, making it part of the Asprox botnet.

This malspam had malicious zip file attachments, or it had links pointing to compromised servers hosting the malware.


Shown above: an Asprox botnet email with a malware attachment.


Shown above: an Asprox botnet email with a link to the malware.

Sites like techhelplist.com have plenty of examples of Asprox emails [5]. In the absence of anything interesting, I could always find an email from the Asprox botnet and analyze some familiar malware. That’s not the case now. This seems to be the end of an era, at least for the malware spam [6].

I’ve included some images below from the Asprox botnet emails I've collected over the past few months. Consider this an “Asprox botnet greatest hits” collection. Like many greatest hits compilations, I'm sure people will find their favorites missing from this collection. Feel free to share any stories you have about these Asprox emails.

---

Brad Duncan, Security Researcher at Rackspace
Blog: www.malware-traffic-analysis.net - Twitter: @malware_traffic

References:

[1] https://twitter.com/Techhelplistcom/status/558085217907638272
[2] https://twitter.com/Techhelplistcom/status/562997176729874432
[3] https://twitter.com/Techhelplistcom/status/570428997043032064
[4] http://www.trendmicro.com/media/wp/asprox-reborn-whitepaper-en.pdf
[5] https://techhelplist.com/index.php/component/tags/tag/11-asprox
[6] https://twitter.com/herrcore/status/573329942294884352
