Asprox botnet

Last updated

The Asprox botnet (discovered around 2008), also known by its aliases Badsrc and Aseljo, is a botnet mostly involved in phishing scams and performing SQL injections into websites in order to spread malware. [1] It is a highly infectious malware which spreads through an email or through a clone website. It can be used to trace any kind of personal or financial information and activities online. [2] [3]

Contents

Operations

Since its discovery in 2008 the Asprox botnet has been involved in multiple high-profile attacks on various websites in order to spread malware. The botnet itself consists of roughly 15,000 infected computers as of May, 2008, [4] although the size of the botnet itself is highly variable as the controllers of the botnet have been known to deliberately shrink (and later regrow) their botnet in order to prevent more aggressive countermeasures from the IT Community. [5]

The botnet propagates itself in a somewhat unusual way, as it actively searches and infects vulnerable websites running Active Server Pages. Once it finds a potential target the botnet performs a SQL injection on the website, inserting an IFrame which redirects the user visiting the site to a site hosting Malware. [4] [6]

The botnet usually attacks in waves - the goal of each wave is to infect as many websites as possible, thus achieving the highest possible spread rate. Once a wave is completed the botnet lay dormant for an extended amount of time, likely to prevent aggressive counterreactions from the security community. The initial wave took place in July, 2008, which infected an estimated 1,000 - 2,000 pages. [7] [8] An additional wave took place in October 2009, infecting an unknown number of websites. Another wave took place in June 2010, increasing the estimated total number of infected domains from 2,000 to an estimated 10,000 - 13,000 within a day. [9] [10] [11]

Notable high-profile infections

While the infection targets of the Asprox botnet are randomly determined through Google searches, some high-profile websites have been infected in the past. Some of these infections have received individual coverage.

See also

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

Bagle was a mass-mailing computer worm affecting Microsoft Windows. The first strain, Bagle.A, did not propagate widely. A second variant, Bagle.B, was considerably more virulent.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

<span class="mw-page-title-main">Scareware</span> Malware designed to elicit fear, shock, or anxiety

Scareware is a form of malware which uses social engineering to cause shock, anxiety, or the perception of a threat in order to manipulate users into buying unwanted software. Scareware is part of a class of malicious software that includes rogue security software, ransomware and other scam software that tricks users into believing their computer is infected with a virus, then suggests that they download and pay for fake antivirus software to remove it. Usually the virus is fictional and the software is non-functional or malware itself. According to the Anti-Phishing Working Group, the number of scareware packages in circulation rose from 2,850 to 9,287 in the second half of 2008. In the first half of 2009, the APWG identified a 585% increase in scareware programs.

<span class="mw-page-title-main">Storm Worm</span> Backdoor Trojan horse found in Windows

The Storm Worm is a phishing backdoor Trojan horse that affects computers using Microsoft operating systems, discovered on January 17, 2007. The worm is also known as:

Torpig, also known as Anserin or Sinowal is a type of botnet spread through systems compromised by the Mebroot rootkit by a variety of trojan horses for the purpose of collecting sensitive personal and corporate data such as bank account and credit card information. It targets computers that use Microsoft Windows, recruiting a network of zombies for the botnet. Torpig circumvents antivirus software through the use of rootkit technology and scans the infected system for credentials, accounts and passwords as well as potentially allowing attackers full access to the computer. It is also purportedly capable of modifying data on the computer, and can perform man-in-the-browser attacks.

<span class="mw-page-title-main">Storm botnet</span> Computer botnet

The Storm botnet or Storm worm botnet was a remotely controlled network of "zombie" computers that had been linked by the Storm Worm, a Trojan horse spread through e-mail spam. At its height in September 2007, the Storm botnet was running on anywhere from 1 million to 50 million computer systems, and accounted for 8% of all malware on Microsoft Windows computers. It was first identified around January 2007, having been distributed by email with subjects such as "230 dead as storm batters Europe," giving it its well-known name. The botnet began to decline in late 2007, and by mid-2008 had been reduced to infecting about 85,000 computers, far less than it had infected a year earlier.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Koobface is a network worm that attacks Microsoft Windows, Mac OS X, and Linux platforms. This worm originally targeted users of networking websites like Facebook, Skype, Yahoo Messenger, and email websites such as GMail, Yahoo Mail, and AOL Mail. It also targets other networking websites, such as MySpace, Twitter, and it can infect other devices on the same local network. Technical support scammers also fraudulently claim to their intended victims that they have a Koobface infection on their computer by using fake popups and using built-in Windows programs.

The Grum botnet, also known by its alias Tedroo and Reddyb, was a botnet mostly involved in sending pharmaceutical spam e-mails. Once the world's largest botnet, Grum can be traced back to as early as 2008. At the time of its shutdown in July 2012, Grum was reportedly the world's third largest botnet, responsible for 18% of worldwide spam traffic.

Waledac, also known by its aliases Waled and Waledpak, was a botnet mostly involved in e-mail spam and malware. In March 2010 the botnet was taken down by Microsoft.

<span class="mw-page-title-main">Malvertising</span> Use of online advertisement or advertising to spread malware

Malvertising is the use of online advertising to spread malware. It typically involves injecting malicious or malware-laden advertisements into legitimate online advertising networks and webpages. Because advertising content can be inserted into high-profile and reputable websites, malvertising provides malefactors an opportunity to push their attacks to web users who might not otherwise see the ads, due to firewalls, more safety precautions, or the like. Malvertising is "attractive to attackers because they 'can be easily spread across a large number of legitimate websites without directly compromising those websites'."

Sality is the classification for a family of malicious software (malware), which infects files on Microsoft Windows systems. Sality was first discovered in 2003 and has advanced over the years to become a dynamic, enduring and full-featured form of malicious code. Systems infected with Sality may communicate over a peer-to-peer (P2P) network to form a botnet for the purpose of relaying spam, proxying of communications, exfiltrating sensitive data, compromising web servers and/or coordinating distributed computing tasks for the purpose of processing intensive tasks. Since 2010, certain variants of Sality have also incorporated the use of rootkit functions as part of an ongoing evolution of the malware family. Because of its continued development and capabilities, Sality is considered to be one of the most complex and formidable forms of malware to date.

Defence Intelligence, often referred to as Defintel, is an information security company based in Ottawa, Ontario, Canada. The company characterizes itself as offering services for "advanced compromise protection." Their marketing materials describe their services as being for the detection and prevention of compromised systems on a network, and include their Nemesis Compromise Protection (Nemesis) and Harbinger Compromise Assessment (Harbinger) services.

ZeroAccess is a Trojan horse computer malware that affects Microsoft Windows operating systems. It is used to download other malware on an infected machine from a botnet while remaining hidden using rootkit techniques.

<span class="mw-page-title-main">Seculert</span> Israeli cloud-based cyber security technology

Seculert is a cloud-based cyber security technology company based in Israel. The company's technology is designed to detect breaches and Advanced Persistent Threats (APTs), attacking networks. Seculert's business is based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.

Mirai is a malware that turns networked devices running Linux into remotely controlled bots that can be used as part of a botnet in large-scale network attacks. It primarily targets online consumer devices such as IP cameras and home routers. The Mirai botnet was first found in August 2016 by MalwareMustDie, a white hat malware research group, and has been used in some of the largest and most disruptive distributed denial of service (DDoS) attacks, including an attack on 20 September 2016 on computer security journalist Brian Krebs' website, an attack on French web host OVH, and the October 2016 Dyn cyberattack. According to a chat log between Anna-senpai and Robert Coelho, Mirai was named after the 2011 TV anime series Mirai Nikki.

<span class="mw-page-title-main">MalwareMustDie</span> Whitehat security research workgroup

MalwareMustDie, NPO is a whitehat security research workgroup that was launched in August 2012. MalwareMustDie is a registered nonprofit organization as a medium for IT professionals and security researchers gathered to form a work flow to reduce malware infection in the internet. The group is known for their malware analysis blog. They have a list of Linux malware research and botnet analysis that they have completed. The team communicates information about malware in general and advocates for better detection for Linux malware.

<span class="mw-page-title-main">Cryptojacking</span> Hijacking computers to mine currency

Cryptojacking is the act of hijacking a computer to mine cryptocurrencies against the user's will, through websites, or while the user is unaware. One notable piece of software used for cryptojacking was Coinhive, which was used in over two-thirds of cryptojacks before its March 2019 shutdown. The cryptocurrencies mined the most often are privacy coins—coins with hidden transaction histories—such as Monero and Zcash.

References

  1. Leyden, John (2009-02-03). "ASProx botnet dials into Conficker domains". .theregister.co.uk. London, UK: The Register . Retrieved 2014-01-09.
  2. "Asprox botnet, a long-running nuisance, disappears".
  3. "Re: Elaborate Scam".
  4. 1 2 Goodin, Dan (2008-05-14). "Botnet sics zombie soldiers on gimpy websites; More SQL injection insanity". .theregister.co.uk. London, UK: The Register . Retrieved 2014-01-09.
  5. Hines, Matthew (2009-10-06). "Botnets - Asprox Botnet Attacks Come Back - eWeek Security Watch". Securitywatch.eweek.com. Retrieved 2010-07-30.
  6. Michael Zino (2008-05-01). "ASCII Encoded/Binary String Automated SQL Injection Attack". bloombit.com. Archived from the original on 2008-06-01. Retrieved 2011-03-21.
  7. Sue Marquette Poremba (2008-05-15). "Asprox botnet malware morphs". SC Magazine US. Archived from the original on 1 July 2010. Retrieved 2010-07-30.
  8. 1 2 "Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites". CyberInsecure.com. 2008-07-18. Retrieved 2010-07-30.
  9. David Neal. "Asprox botnet causing serious concern - V3.co.uk - formerly vnunet.com". V3.co.uk. Archived from the original on 1 July 2010. Retrieved 2010-07-30.
  10. "Researchers: Asprox Botnet Is Resurging - botnets/Attacks". DarkReading. 15 July 2010. Archived from the original on 19 July 2010. Retrieved 2010-07-30.
  11. "Papers | SpiderLabs | About Us | Trustwave" (PDF). M86security.com. 2008-10-29. Archived from the original (PDF) on 2012-04-10. Retrieved 2014-01-09.
  12. "Sony PlayStation's site SQL injected, redirecting to rogue security software". ZDNet. 2008-07-02. Archived from the original on 12 August 2010. Retrieved 2010-07-30.
  13. "Adobe's Serious Magic site SQL Injected by Asprox botnet". ZDNet. Archived from the original on 5 August 2010. Retrieved 2010-07-30.


This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.