Asprox botnet proves to be a resilient foe

Trend Micro checks up on Asprox, which has diversified into fake antivirus installs as well as spam

A botnet that has been in the eye of researchers for years continues to serve up malware, spam and fake antivirus software, according to research by Trend Micro.

The security vendor released a 30-page paper on Asprox, a long-running botnet first seen in 2007 that uses sophisticated engineering to flourish. Asprox seemed to have fallen off the security industry's radar, but it has continued to run spam campaigns spoofing brands such as FedEx, the U.S. Postal Service and American Airlines.

"While these activities continued to make the news, few were connected to the Asprox botnet," according to the report, authored by Nart Villeneuve, Jessa dela Torre and David Sancho. "Even fewer insights into the full botnet's operations were reported.

Asprox's spam campaigns are dual purpose since they also deliver malware through attachments and harmful links, which allows it to continue to grow and gain control of more computers. It also is linked to the "partnerkas," Russian affiliate programs where the botnet operators earn a fee for infecting new computers with fake antivirus software.

Asprox was one of several botnets affected by the shutdown in November 2008 of McColo, a California-based ISP that was providing network connectivity for cybercriminals. Worldwide spam levels dipped for a while, but Asprox and other botnets eventually bounced back.

Trend Micro said that Asprox has been upgraded to make it more effective. It now uses a variety of spam templates in different languages in order to maximize its range of victims.

To combat antispam reputation-based systems, Asprox uses legitimate but compromised email accounts. For malware distribution, Asprox is programmed to automatically scan websites in order to look for vulnerable ones to seed malware, the researchers wrote.

The botnet operators can upload new "modules" to Asprox-infected machines via encrypted updates. The modules include spam templates, lists of websites to scan for vulnerabilities and functions that can decode credentials for FTP clients and email applications.

North America appears to have the most Asprox-infected machines, followed by Europe, the Middle East and Africa, Trend said.

"Our research demonstrates that with modifications, even older, well-known threats can continue to effective," Trend wrote on its blog. "Moreover, it shows that spam botnets remain a crucial component of the malware ecosystem and that cybercriminals are always looking for new ways to adopt in response to defenses."

Send news tips and comments to Follow me on Twitter: @jeremy_kirk

Join the CSO newsletter!

Error: Please check your email address.

Tags trend microsecuritymalware

More about American AirlinesFedExTrend Micro Australia

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts