Posts Tagged ‘Sasfis’

Spammed Malware Ramps Up Again

By Phil Hay  •  February 14th, 2011  •   Spam

It was probably too good to last. The past few months have been blissfully quiet on the spam front, and in particular for spam with accompanying malware. The chart below shows an unusually quiet period during December and January.

However, over the last week, we have seen the return of two familiar-looking malware spam campaigns.

  • Post Express: Package Available
  • United Parcel Service: Notification

While these two campaigns have similar themes, the spam originates from different spambots and has quite different payloads.

Asprox spamming more Sasfis

By Rodel Mendrez  •  November 17th, 2010  •   Spam

Ever since the recent takedown attempts against the Pushdo and Bredolab botnets, the volume of malicious spam has dropped substantially. But there is still one major player spamming out malicious executables, namely the Asprox spambot. Malicious spam campaigns purporting to be from DHL, FedEx, UPS or USPS have been spammed by the Asprox botnet ever since it resurfaced in mid-2010. These messages carry zip file attachments containing executable files, which are almost exclusively the Trojan Sasfis, a downloader bot.

Asprox DHL Spam campaign

Pushdo Botnet Crippled – II

By Phil Hay  •  September 9th, 2010  •   Botnets

Two weeks ago we reported on the sudden drop in spam from the Pushdo botnet as a result of many of its control servers being taken down. Since then, spam output from this botnet has remained subdued, as the following updated chart shows.

As Pushdo (otherwise known by its spamming component Cutwail) was only responsible for about 10% of spam prior to the takedown, overall spam volumes have not been hugely affected. It is not uncommon to see 10% volume swings in a day. Having said that, last week our spam volume index did show slightly reduced overall levels of spam for the week.

Things seem to be warming up, however. Other researchers have observed more Cutwail control servers being added. Also, yesterday we saw a resumption of malicious spam from Pushdo with the Sasfis downloader as the payload. This simply reaffirms our earlier suspicions that these guys will not be down for long.

FedEx Spam Seeding New Asprox Binary

By Rodel Mendrez  •  August 28th, 2010  •   Spam

Over the past few days, the Asprox botnet has been spamming out a fake FedEx campaign. We noticed this after we saw our old Asprox binaries downloading a new updated “196” version from the bot’s command and control server.

This Asprox update is responsible for spamming this week’s FedEx malicious spam campaign.

The attachment in this spam campaign is a downloader Trojan known by some AV products as Oficla or Sasfis. When run, the Trojan retrieves commands from its control server to download the Asprox spambot binary, which in turn sends this FedEx spam campaign. Below is a graphical overview of this campaign.

Asprox spam campaigns come and go. A couple of months ago we blogged about a spam campaign where the Asprox binary also launched an SQL injection attack targeting ASP websites. A month later it stopped, and the command and control servers were inaccessible. Now it’s back again, using the same C&C domain and seeding a new binary. Since the Asprox bot is capable of updating itself on the infected host, our concern is that the next update may launch another round of SQL injection attacks. We will certainly be monitoring it closely.
