Asprox Botnet Proves to be a Resilient Foe
A botnet that has been in the eye of researchers for years continues to serve up malware, spam and fake antivirus software, according to research by Trend Micro.
Wed, March 06, 2013
IDG News Service — A botnet that has been in the eye of researchers for years continues to serve up malware, spam and fake antivirus software, according to research by Trend Micro.
The security vendor released a 30-page paper on Asprox, a long-running botnet first seen in 2007 that uses sophisticated engineering to flourish. Asprox seemed to have fallen off the security industry's radar, but it has continued to run spam campaigns spoofing brands such as FedEx, the U.S. Postal Service and American Airlines.
"While these activities continued to make the news, few were connected to the Asprox botnet," according to the report, authored by Nart Villeneuve, Jessa dela Torre and David Sancho. "Even fewer insights into the full botnet's operations were reported.
Asprox's spam campaigns are dual purpose since they also deliver malware through attachments and harmful links, which allows it to continue to grow and gain control of more computers. It also is linked to the "partnerkas," Russian affiliate programs where the botnet operators earn a fee for infecting new computers with fake antivirus software.
Asprox was one of several botnets affected by the shutdown in November 2008 of McColo, a California-based ISP that was providing network connectivity for cybercriminals. Worldwide spam levels dipped for a while, but Asprox and other botnets eventually bounced back.
Trend Micro said that Asprox has been upgraded to make it more effective. It now uses a variety of spam templates in different languages in order to maximize its range of victims.
To combat antispam reputation-based systems, Asprox uses legitimate but compromised email accounts. For malware distribution, Asprox is programmed to automatically scan websites in order to look for vulnerable ones to seed malware, the researchers wrote.
The botnet operators can upload new "modules" to Asprox-infected machines via encrypted updates. The modules include spam templates, lists of websites to scan for vulnerabilities and functions that can decode credentials for FTP clients and email applications.
North America appears to have the most Asprox-infected machines, followed by Europe, the Middle East and Africa, Trend said.
"Our research demonstrates that with modifications, even older, well-known threats can continue to effective," Trend wrote on its blog. "Moreover, it shows that spam botnets remain a crucial component of the malware ecosystem and that cybercriminals are always looking for new ways to adopt in response to defenses."
Send news tips and comments to email@example.com. Follow me on Twitter: @jeremy_kirk