Third time's a charm for reborn Asprox botnet

Shades of Red October says security analyst


The Asprox botnet has been through another fade-and-resurface cycle, this time generating a raft of infected spam posing as an invitation to a funeral.

The botnet first surfaced in 2007, disappeared in 2011, and burst back into life in 2012. Now reports suggest that botnet-using criminals have moved back to Asprox once more as part of a new scam.

In March of last year, Trend Micro researchers Nart Villeneuve, Jessa dela Torre and David Sancho wrote an in-depth analysis of the Asprox spam botnet after it resurfaced for a second time.

In their 'Asprox Reborn' analysis, the researchers said that Asprox was notable for generating malware-riddled spam that allowed it to grow and use compromised computers to perform tasks - and so keep it operational.

The Trend Micro report noted that, although Asprox had been analysed by the security community in its first five years of operation, it had largely flown under the radar because its spamming component had been incorporated as a 'second-stage' plug-in.

As a result, the researchers concluded that Asprox's continued operation proved that spam botnets remain a crucial component of the malware ecosystem, with cybercriminals always looking for new methods to adopt in response to security defences.

Fast forward to this week and Fred Touchette, a senior security analyst with AppRiver, says that botnet-using cybercriminals have jumped ship from Blackhole - following the arrest of the exploit kit's author last October - and moved back to Asprox.

He says that the latest ploy poses as a funeral invite which, while failing to mention the name of the deceased, details the time, date and a fictitious funeral home, Eubank Funeral Home & Cremation Services. Further details can be found, predictably, via a web link.

Touchette says that, as has also been the case in the past, the malicious host uses IP geo-location to customise the malicious payload so that it appears local to the recipient.

"The file that I received is named 'FuneralCeremony_Gulf_Breeze_32561.zip' - which is the city and zip code that I am currently in," he says in his analysis.

"After all of the initial formalities, the malware invites all of its other friends to the party and they start going through all of the victim's things, stealing things like browsing histories and cookies, account credentials and passwords, and whatever else catches their attention," he adds.
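The geo-tailored attachment name Touchette describes is itself a detectable trait. The following is an added example, not code from the article or from AppRiver or Trend Micro: it scans constructed mail-gateway log records and scores each message on the lure traits reported above (funeral-themed text, a .zip attachment alongside an external link, and the FuneralCeremony_&lt;City&gt;_&lt;ZIP&gt;.zip naming). The pipe-delimited log format, the keyword list, the scoring thresholds and the optional recipient-location lookup are assumptions made for this example.

```python
"""Flag mail-gateway log records that resemble the Asprox funeral-invite lure.

Added example, not the article's or any vendor's code.  The log format, the
sample lines, the lure vocabulary and the scoring are assumptions.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Attachment naming reported for the sample the analyst received:
# FuneralCeremony_<City>_<5-digit ZIP>.zip (city words joined by underscores).
LURE_ATTACHMENT = re.compile(
    r"^FuneralCeremony_(?P<city>[A-Za-z]+(?:_[A-Za-z]+)*)_(?P<zip>\d{5})\.zip$",
    re.IGNORECASE,
)
# Lure vocabulary chosen for this example (assumption, not from the article).
LURE_WORDS = ("funeral", "ceremony", "cremation", "condolence", "passed away")
URL_RE = re.compile(r"https?://", re.IGNORECASE)

# Constructed sample log: timestamp|message id|recipient|subject|attachment|body
SAMPLE_LOG = """\
2014-01-14T09:12:03Z|m-0001|bob@example.org|Funeral ceremony invitation|FuneralCeremony_Gulf_Breeze_32561.zip|Service details: http://example.invalid/invite
2014-01-14T09:13:41Z|m-0002|bob@example.org|Q4 invoice|invoice_2013_Q4.pdf|Please see attached invoice
2014-01-14T09:15:22Z|m-0003|carol@example.org|Funeral notification|details.zip|Full information at http://example.invalid/f
"""


@dataclass
class Verdict:
    msg_id: str
    recipient: str
    score: int
    reasons: List[str] = field(default_factory=list)
    city: Optional[str] = None
    zip_code: Optional[str] = None

    @property
    def suspicious(self) -> bool:
        # Two independent lure traits, or the tailored name alone, is enough to flag.
        return self.score >= 2


def parse_line(line: str) -> Dict[str, str]:
    """Split one pipe-delimited record; the body may contain further pipes."""
    ts, msg_id, rcpt, subject, attachment, body = line.split("|", 5)
    return {"ts": ts, "id": msg_id, "rcpt": rcpt, "subject": subject,
            "attachment": attachment, "body": body}


def assess(rec: Dict[str, str], known_zip: Optional[str] = None) -> Verdict:
    """Score one record; known_zip is the recipient's ZIP from a directory (assumed)."""
    v = Verdict(rec["id"], rec["rcpt"], 0)
    text = f"{rec['subject']} {rec['body']}".lower()
    attachment = rec["attachment"]
    if any(w in text for w in LURE_WORDS):
        v.score += 1
        v.reasons.append("funeral-themed text")
    if attachment.lower().endswith(".zip") and URL_RE.search(text):
        v.score += 1
        v.reasons.append("zip attachment plus external link")
    m = LURE_ATTACHMENT.match(attachment)
    if m:
        v.city = m.group("city").replace("_", " ")
        v.zip_code = m.group("zip")
        v.score += 2
        v.reasons.append("geo-tailored FuneralCeremony_<City>_<ZIP>.zip name")
        # The lure is tailored to the recipient's location, so a match against the
        # directory corroborates the geo-location step the article describes.
        if known_zip and known_zip == v.zip_code:
            v.score += 1
            v.reasons.append("embedded ZIP matches recipient location")
    return v


def scan(log_text: str, locations: Optional[Dict[str, str]] = None) -> List[Verdict]:
    """Assess every non-empty record in the log text, in order."""
    locations = locations or {}
    out: List[Verdict] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        out.append(assess(rec, locations.get(rec["rcpt"])))
    return out


if __name__ == "__main__":
    for v in scan(SAMPLE_LOG, {"bob@example.org": "32561"}):
        flag = "SUSPICIOUS" if v.suspicious else "ok"
        print(f"{v.msg_id} {v.recipient} score={v.score} {flag} {v.reasons}")
```

The third sample record shows why the scoring is layered: a variant that drops the tailored file name but keeps the funeral theme, the zip and the link still crosses the threshold, while the invoice message does not.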

According to veteran security analyst Kevin Bailey, now with security vendor Clearswift, the spam generated by this latest incarnation of Asprox is smarter than seen previously, as it switches away from the lure of 'you have won £1,000' over to an invite to a funeral.

"This means that people's emotions take over and they read the email, then click through to discover who the person was and where the funeral is taking place," he told SCMagazineUK.com.

"This type of dialogue clearly takes a more psychological approach to the task of luring the visitor. Most people, especially at this time of the year, are under pressure at work, so they will rapidly click through and infect themselves."

Former IDC analyst Bailey added that this hybrid approach to infection is similar to other malware such as Red October, first seen in October 2012.

"With Red October, the malware was polymorphic in nature, with data being sent to multiple command-and-control (C&C) servers, which then work as proxies," he said, adding that trying to keep ahead of the web of technology used by cybercriminals has become a far more complex task with threats such as Asprox and Red October around.
