Malware distribution via email is far from dead. While we had a distinctly quiet period from October 2010 to March 2011, our stats show the bot herders are gearing up again with the proportion of spam with malware attachments rising, although still not as high as the peaks we saw mid last year when the Bredolab and Cutwail botnets were in full swing.
Posts Tagged ‘Asprox’
It was probably too good to last. The past few months have been blissfully quiet on the spam front, and in particular for spam with accompanying malware. The chart below shows an unusually quiet period during December and January.
However, over the last week, we have seen the return of two familiar-looking malware spam campaigns.
- Post Express: Package Available
- United Parcel Service: Notification
While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads.
Ever since the recent takedown attempts against the Pushdo and Bredolab botnets, the volume of malicious spam has dropped substantially. But there is still one major player spamming out malicious executables, namely the Asprox spambot. Malicious spam campaigns purporting to be from DHL, FedEx, UPS or USPS have been sent by the Asprox botnet ever since it was resurrected in mid-2010. These messages carry zip file attachments containing executable files, which are almost exclusively the Trojan Sasfis, a downloader bot.
Since CNNIC, China’s domain regulator, introduced stricter rules for domain registration at the end of last year, spammers have moved on to the Russian .ru TLD to register their spam domains. Similar rules that were apparently made effective on April 1st for Russian registrars do not seem to have had the same effect. Every day we see a continuous stream of newly registered .ru domains in spam email. In fact, in the last month one third of all unique domains we have seen in spam have been .ru domains. This is the highest proportion of any TLD, with .com the second highest accounting for just under one third of spammed domains.
Nearly all of these .ru domains are registered through two registrars, Naunet and Reg.ru (also known as NAUNET-REG-RIPN and REGRU-REG-RIPN).
Spammers generally advertise each domain for only a couple of hours and register new ones all the time. In the last month from spam alone we have seen over 4000 .ru domains registered through Naunet. These are hosting a variety of spam web sites including Ultimate replica, Dr Maxman, online casinos, Via grow and Eurosoft software.
We have also seen over 1800 domains registered through Reg.ru in spam over the last month, all of which lead to Canadian pharmacy websites. Reg.ru actually has a feature to register up to 600 domains at once, pretty useful for a spammer:
These spammed web sites are generally non-malicious, in that they don’t try to exploit vulnerabilities on the visitor’s machine, although we’re not sure they would be so generous with your credit card details if you were to buy one of their ‘products.’ We have, however, seen domains registered with both of these registrars used as controllers for the Zeus crimeware kit. And recently, Naunet was used to register domains used as control servers for the Asprox botnet, although on a much smaller scale than the spam domains.
Several anti-spam groups have already pointed out these registrars as the source of Russian spam domains and that these registrars often ignore requests to suspend illegal domains. With domain blacklisting being a popular anti-spam measure, a continuous supply of fresh domains is vital for any spam operation. These sorts of registrars are making the business of spamming that much easier.
Over the past few days, the Asprox botnet has been spamming out a fake FedEx campaign. We noticed this after we saw our old Asprox binaries downloading a new updated “196” version from the bot’s command and control server.
This Asprox update is responsible for spamming this week’s FedEx malicious spam campaign.
The attachment in this spam campaign is a downloader Trojan known by some AV products as Oficla or Sasfis. When run, the Trojan retrieves commands from its control server to download the Asprox spambot binary, which in turn sends this FedEx spam campaign. Below is a graphical overview of this campaign.
Asprox spam campaigns come and go. A couple of months ago we blogged about a spam campaign where the Asprox binary also launched an SQL injection attack targeting ASP websites. A month later, it stopped and the command and control servers were inaccessible. Now it’s back again, using the same C&C domain and seeding a new binary. Since the Asprox bot is capable of updating itself on the infected host, our concern is that the next update may launch another round of SQL injection attacks. We will certainly be monitoring it closely.
Earlier this month, we reported on a new variant of Asprox malware which was being spammed out by the Pushdo botnet. At that time, the Asprox executables we analyzed were purely sending spam. However, a few days after our post, we noticed reports of mass infections of IIS/ASP websites. The nature of these attacks reminded us of SQL injection attacks back in 2008 where Asprox was clearly involved. We suspected that the re-emergence of Asprox and these new mass website infections were not merely a coincidence. Well, this week our suspicions were confirmed when we came across another version of Asprox which started to launch both spam and SQL injection attacks.
As of this writing, there are three fast-flux domains that the bot attempts to contact.
- CL63AMGSTART.RU
- HYPERVMSYS.RU
- ML63AMGSTART.RU
These domains resolve to Asprox’s control servers, which respond with spam templates, target email addresses, Asprox malware updates, as well as SQL injection attack information and lists of target ASP websites.
When analyzing the new Asprox binary that we pulled from the command and control server, we noticed some interesting clues that show that Asprox is behind the latest SQL injection attacks.
Figure 1: SQL statement in the Asprox malware body used to launch the SQL injection attack. As of this writing, this malware had a poor detection rate.
The Asprox bot downloads an encrypted XML file that contains a list of target ASP websites and some other information such as a Google search term to search for more potential targets.
Figure 2: The decrypted XML file that the bot receives, containing information such as the list of target websites.
When the Asprox bot launches an SQL injection attack, the initial request looks similar to this:
The SQL statement is passed to a target ASP website and executes a series of URL encoded SQL queries, which when decoded, look like this:
http://manage[dot]webservicekuz[dot]ru/js.js http://stream[dot]webservicesttt[dot]ru/js.js http://media[dot]webservicefull[dot]ru/js.js http://edit[dot]webservicezok[dot]ru/js.js http://redir[dot]webserviceforward[dot]ru/js.js http://shell[dot]webserviceget[dot]ru/js.js http://rid[dot]webservicedevlop[dot]ru/js.js
The SQL attack queries the SQL Server system tables sysobjects and syscolumns in an attempt to enumerate the available “user” tables and fields in the website’s database. Walking through those tables and fields, the attack appends the malicious <script> tag to the selected values, in effect poisoning the website’s database. Once a web page renders a string from the poisoned database, the malicious <script> tag is injected into that web page. When we performed a Google search for this domain, we saw over 5000 websites infected:
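The clean-up side of the poisoning described above, as an added example that is not code from the original post: it walks the database's own catalogue the same way the attack did, but read-only, to locate every string value that has had a script tag appended, and can strip the tags in place. SQLite's sqlite_master and PRAGMA table_info are used as stand-ins for SQL Server's sysobjects and syscolumns (on SQL Server you would query INFORMATION_SCHEMA.COLUMNS instead); the sample database, table names and poisoned values are constructed for the example.

```python
import re
import sqlite3

# Script tag of the kind the campaign appended to database values; the URL
# is captured so each hit can be reported with the host it loads from.
SCRIPT_TAG = re.compile(r'<script\s+src=["\']?(https?://[^"\'\s>]+)["\']?\s*>\s*</script>', re.I)


def text_columns(conn):
    """Yield (table, column) for every string-typed column. sqlite_master and
    PRAGMA table_info stand in for SQL Server's sysobjects and syscolumns."""
    tables = conn.execute("SELECT name FROM sqlite_master WHERE type='table' "
                          "AND name NOT LIKE 'sqlite_%'").fetchall()
    for (table,) in tables:
        for _, col, ctype, *_ in conn.execute(f'PRAGMA table_info("{table}")'):
            if any(t in ctype.upper() for t in ("CHAR", "TEXT", "CLOB")):
                yield table, col


def find_injected_scripts(conn):
    """Return (table, column, rowid, src_url) for every value carrying a script tag."""
    hits = []
    for table, col in text_columns(conn):
        sql = f'SELECT rowid, "{col}" FROM "{table}" WHERE "{col}" LIKE \'%<script%\''
        for rowid, value in conn.execute(sql):
            hits.extend((table, col, rowid, m.group(1)) for m in SCRIPT_TAG.finditer(value))
    return hits


def strip_injected_scripts(conn):
    """Remove every injected tag in place; returns the number of values rewritten."""
    poisoned = {(t, c, r) for t, c, r, _ in find_injected_scripts(conn)}
    for table, col, rowid in poisoned:
        (value,) = conn.execute(f'SELECT "{col}" FROM "{table}" WHERE rowid=?', (rowid,)).fetchone()
        conn.execute(f'UPDATE "{table}" SET "{col}"=? WHERE rowid=?', (SCRIPT_TAG.sub("", value), rowid))
    conn.commit()
    return len(poisoned)


def build_sample_db():
    """Constructed sample site database with two poisoned string values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE products(id INTEGER PRIMARY KEY, name VARCHAR(100), descr TEXT, price REAL);
        CREATE TABLE news(id INTEGER PRIMARY KEY, title NVARCHAR(200), body TEXT);
        INSERT INTO products VALUES (1, 'Widget', 'A fine widget', 9.99);
        INSERT INTO products VALUES (2, 'Gadget<script src="http://manage.webservicekuz.ru/js.js"></script>', 'Gadget', 19.99);
        INSERT INTO news VALUES (1, 'Hello', 'Welcome<script src="http://stream.webservicesttt.ru/js.js"></script>');
    """)
    return conn
```

Run find_injected_scripts before and after strip_injected_scripts to confirm the database is clean; any page that renders the affected columns should also be purged from caches.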
So Asprox is back with a vengeance, and doing its typically Asprox-like things, namely spamming and SQL injection. Anyone have a feeling of déjà vu?
Pushdo spams a Trojan that downloads Asprox
Last week, we noticed a high volume malicious spam campaign using a “$50 iTunes Gift Certificate” theme. The spam was emitted from the Pushdo/Cutwail botnet.
This wasn’t the first time we had seen Pushdo using this specific “Gift Certificate” theme. A campaign was first observed in mid May where the Bredolab downloader Trojan was embedded in an RTF (Rich Text Format) file attachment. Bredolab, also known as Sasfis or Oficla by various antivirus vendors, is known to be responsible for installing the Pushdo/Cutwail spambot, as well as Zbot and fake antivirus, onto the infected host.
With this latest iTunes campaign, instead of using an RTF document as the malware container, a ZIP archive was used. Although both the previous and latest spam campaigns contain the same type of downloader Trojan, the payload was different. The previous payload downloaded and installed fake antivirus, while this latest one downloaded and executed Asprox – a spambot we have not seen active for over a year.
The image above shows the downloader contacting its command and control server. The red text shows the downloader phoning home to its command and control server via the domain name funnylive2010.ru. The HTTP GET request carries the essential bot parameters for the command and control server, such as the bot version and ID and the date the bot was installed. The blue text shows the reply from the command server, which issues a runurl command to download and execute a binary from a URL. That URL points to an Asprox executable. The domain name funnylive2010.ru is hosted behind a fast-flux network where the IP address constantly changes. Here is the Whois information:
domain: FUNNYLIVE2010.RU
nserver: ns1.funnylive2010.ru. 220.127.116.11
nserver: ns2.funnylive2010.ru. 18.104.22.168
nserver: ns3.funnylive2010.ru. 22.214.171.124
nserver: ns4.funnylive2010.ru. 126.96.36.199
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +79766512311
e-mail: firstname.lastname@example.org
registrar: NAUNET-REG-RIPN
created: 2010.03.14
paid-till: 2011.03.14
source: TCI
Asprox phones home and spams the same Trojan downloader
After the Asprox bot is downloaded and installed in the system, it immediately does some internet connectivity checks by sending SYN packets to ns.uk2.net, www.yahoo.com and www.web.de.com. The bot then attempts to phone home to its command server by sending an HTTP POST request, which looks similar to this:
The command server is again hosted behind a fast-flux network which uses the domain name porsche911start.ru. Here is the Whois lookup:
domain: PORSCHE911START.RU
nserver: ns1.porsche911start.ru. 188.8.131.52
nserver: ns2.porsche911start.ru. 184.108.40.206
nserver: ns3.porsche911start.ru. 220.127.116.11
nserver: ns4.porsche911start.ru. 18.104.22.168
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +7976651111
e-mail: email@example.com
registrar: NAUNET-REG-RIPN
created: 2010.05.23
paid-till: 2011.05.23
source: TCI
The command server then replies with an encrypted XML file that contains further command and control information, and a spamming template:
In the image above, the Asprox command server domains are listed. It’s interesting that the Whois lookup information reveals that Pushdo, Bredolab/Oficla/Sasfis and Asprox have something in common: all of the domains they connect to are registered at the same registrar, registered by a “Private Person”, with similar-looking phone numbers.
domain: CL63AMGSTART.RU
nserver: ns1.cl63amgstart.ru. 22.214.171.124
nserver: ns2.cl63amgstart.ru. 126.96.36.199
nserver: ns3.cl63amgstart.ru. 188.8.131.52
nserver: ns4.cl63amgstart.ru. 184.108.40.206
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +79766512344
e-mail: firstname.lastname@example.org
registrar: NAUNET-REG-RIPN
created: 2010.05.23
paid-till: 2011.05.23
source: TCI
domain: HYPERVMSYS.RU
nserver: ns1.hypervmsys.ru. 220.127.116.11
nserver: ns2.hypervmsys.ru. 18.104.22.168
nserver: ns3.hypervmsys.ru. 22.214.171.124
nserver: ns4.hypervmsys.ru. 126.96.36.199
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +79766512311
e-mail: email@example.com
registrar: NAUNET-REG-RIPN
created: 2010.03.30
paid-till: 2011.03.30
source: TCI
nserver: ns1.ml63amgstart.ru. 188.8.131.52
nserver: ns2.ml63amgstart.ru. 184.108.40.206
nserver: ns3.ml63amgstart.ru. 220.127.116.11
nserver: ns4.ml63amgstart.ru. 18.104.22.168
state: REGISTERED, DELEGATED, VERIFIED
person: Private Person
phone: +79766542344
e-mail: firstname.lastname@example.org
registrar: NAUNET-REG-RIPN
created: 2010.05.23
paid-till: 2011.05.23
source: TCI
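The registrar, registrant and phone-number overlap noted above is the kind of pivot an analyst makes by hand; the following is an added example, not code from the original post, that does it mechanically over the five whois records quoted here (transcribed into a small table, name servers and e-mail omitted). Domains are linked when registrar and registrant label match and the phone numbers share at least a given number of leading characters; the threshold and the union-find grouping are the example's own choices.

```python
from itertools import combinations

# Registration details transcribed from the whois records quoted above
# (name servers and e-mail omitted); a real pivot would parse whois output.
FIELDS = ("domain", "registrar", "person", "phone", "created")
WHOIS_RECORDS = [dict(zip(FIELDS, row)) for row in (
    ("FUNNYLIVE2010.RU",   "NAUNET-REG-RIPN", "Private Person", "+79766512311", "2010.03.14"),
    ("PORSCHE911START.RU", "NAUNET-REG-RIPN", "Private Person", "+7976651111",  "2010.05.23"),
    ("CL63AMGSTART.RU",    "NAUNET-REG-RIPN", "Private Person", "+79766512344", "2010.05.23"),
    ("HYPERVMSYS.RU",      "NAUNET-REG-RIPN", "Private Person", "+79766512311", "2010.03.30"),
    ("ML63AMGSTART.RU",    "NAUNET-REG-RIPN", "Private Person", "+79766542344", "2010.05.23"),
)]


def shared_prefix_len(a, b):
    """Length of the common leading substring of two phone numbers."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def related(a, b, min_prefix):
    """Two records are linked when registrar and registrant label match and the
    phone numbers agree on at least min_prefix leading characters."""
    return (a["registrar"] == b["registrar"] and a["person"] == b["person"]
            and shared_prefix_len(a["phone"], b["phone"]) >= min_prefix)


def cluster_domains(records, min_prefix=7):
    """Group domains into infrastructure clusters via union-find over pairwise links.
    Returns a sorted list of sorted domain lists. min_prefix controls how similar
    the phone numbers must be; the bare country code (+7) would link almost anything."""
    parent = {r["domain"]: r["domain"] for r in records}

    def find(d):
        while parent[d] != d:
            parent[d] = parent[parent[d]]
            d = parent[d]
        return d

    for a, b in combinations(records, 2):
        if related(a, b, min_prefix):
            parent[find(a["domain"])] = find(b["domain"])
    groups = {}
    for r in records:
        groups.setdefault(find(r["domain"]), []).append(r["domain"])
    return sorted(sorted(g) for g in groups.values())
```

At the default threshold all five domains fall into one cluster; raising it to 12 leaves only the two domains registered with an identical phone number linked, which is a useful sanity check before treating a cluster as one actor's infrastructure.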
At this point, Asprox receives and decrypts an XML file with the filename “COMMON.BIN” and the spamming begins. The spam template received was a fake UPS notification spam campaign.
Here is the decrypted spam template:
And here is the actual spam we received in our spam traps last week sent by the Asprox bot. The spam contains a ZIP attachment of a Bredolab downloader Trojan:
Asprox updates and spam continues
The spam coming from the Asprox botnet dried up temporarily last weekend. However, on the first day of June, the spamming resumed – this time focused on pharmaceutical campaigns.
During our analysis we also noticed that an updated binary was downloaded. The packet capture below shows the bot downloading an updated version of the Asprox binary from its command and control server. The domain name hypervmsys.ru was again used in this case.
With the help of the Pushdo botnet and the Bredolab downloader, it seems Asprox has risen from the dead to build another spamming bot network. The above analysis also highlights the intricate relationships between individual malware components, and hints at a common gang behind it all.