Botnet Thriving after Six Years

Monday, March 11, 2013 @ 06:03 PM gHale


A botnet that has been around for six years continues to pass out malware, spam and fake antivirus software, according to Trend Micro research.

Asprox, a long-running botnet first seen in 2007 uses sophisticated engineering to flourish, Trend Micro researchers said in a 30-page paper.

RELATED STORIES
New RAT in Beta
RAT Looks Innocent, but it Attacks
Malware Spreads through Skype
Dorkbot Worm Goes Global

Asprox seemed to have fallen off the security industry’s radar, but it has continued to run spam campaigns spoofing brands such as FedEx, the U.S. Postal Service and American Airlines.

“While these activities continued to make the news, few were connected to the Asprox botnet,” according to the report, authored by Nart Villeneuve, Jessa dela Torre and David Sancho. “Even fewer insights into the full botnet’s operations were reported.”

Asprox’s spam campaigns are dual purpose since they also deliver malware through attachments and harmful links, which allows it to continue to grow and gain control of more computers. It also has links to the “partnerkas,” Russian affiliate programs where the botnet operators earn a fee for infecting new computers with fake antivirus software.

Asprox was one of several botnets affected by the shutdown in November 2008 of McColo, a California-based ISP that was providing network connectivity for cybercriminals. Worldwide spam levels dipped for a while, but Asprox and other botnets eventually bounced back.

Trend Micro said Asprox now has an upgrade that makes it more effective. It now uses a variety of spam templates in different languages in order to maximize its range of victims.

To combat antispam reputation-based systems, Asprox uses legitimate but compromised email accounts. For malware distribution, Asprox’s programming allows it to automatically scan websites in order to look for vulnerable ones to seed malware, the researchers wrote.

The botnet operators can upload new “modules” to Asprox-infected machines via encrypted updates. The modules include spam templates, lists of websites to scan for vulnerabilities and functions that can decode credentials for FTP clients and email applications.

North America appears to have the most Asprox-infected machines, followed by Europe, the Middle East and Africa, Trend Micro said.

“Our research demonstrates that with modifications, even older, well-known threats can continue to effective,” Trend Micro researchers said. “Moreover, it shows that spam botnets remain a crucial component of the malware ecosystem and that cybercriminals are always looking for new ways to adopt in response to defenses.”



Leave a Reply

You must be logged in to post a comment.