Since its emergence in 2007, Trojan.Asprox has remained one of the most prolific botnets on the threat landscape. Over that time it has evolved into a formidable threat, adding new functionality that has been well documented within the information security industry. While it has never left the threat landscape, the Asprox botnet has resurged since late 2013 and has been steadily growing its numbers through ongoing self-propagating spam campaigns.
Now Symantec has observed Trojan.Asprox.B, adding yet another new module to its arsenal in the form of a URL viewer that is used to push advertising pages to a victim’s browser. To date, we have observed Asprox push casino, loan, mobile spyware, and pornographic adverts to unwilling victims’ browsers. In this blog, we look at how the URLViewer module works, what ads it is currently pushing, and briefly look at some of the other activities that the Asprox botnet gets up to.
Figure 1. Example of a spam email containing an Asprox attachment
On July 28, 2014, Symantec observed the URLViewer.dll module (Trojan.Asprox.B) being pushed out to the Asprox botnet. Shortly afterwards a second version, which adds a mutex, was pushed out. While there have been reports of Asprox using a separately downloaded binary to load Web pages in the past, this new module has been created specifically for use with Trojan.Asprox. Like other Asprox modules, it runs by being injected into a newly created Svchost.exe process. Once injected, it connects to the Asprox command-and-control (C&C) server to receive advertising Web page links.
Figure 2. IP addresses and port numbers of C&C servers hardcoded into URLViewer.dll module
The module then looks for a running browser (Internet Explorer, Firefox, Opera, Safari, or Chrome). If it finds one, it opens the advertising Web page link sent by the C&C server in that browser. It then sleeps for 420 seconds (seven minutes) before requesting the next advertising Web page link from the C&C server.
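The behaviour described above (a module living in an injected Svchost.exe process, talking to hardcoded C&C addresses on a fixed cycle of roughly 420 seconds) leaves two signals a defender can hunt for in endpoint telemetry: a periodic, low-jitter connection series from svchost.exe to one address, and an svchost.exe instance whose parent is not services.exe. The following Python is an added example written for this page, not Symantec's code and not part of the Asprox module. The log format, host name, parent-process field and IP addresses (RFC 5737 TEST-NET ranges) are all constructed for illustration; the real C&C addresses and ports are those shown in Figure 2, which this example does not reproduce.

```python
"""Hunt for Asprox-style URLViewer beaconing in constructed endpoint logs.

Assumed record format (constructed, one connection per line):
    <ISO-8601 UTC timestamp> <host> <process> <parent process> <dst_ip>:<dst_port>
The parent field is an assumption: a sensor that joins process lineage with
each outbound connection, which is what makes the svchost parent check possible.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample: one svchost.exe spawned from explorer.exe beacons every
# ~7 minutes (420 s sleep plus a little processing time); a legitimate svchost.exe
# under services.exe talks to an update host at irregular intervals; a browser
# makes a single connection. Addresses are TEST-NET, not real indicators.
SAMPLE_LOG = """\
2014-07-28T10:00:00Z ws01 svchost.exe explorer.exe 203.0.113.10:8080
2014-07-28T10:07:01Z ws01 svchost.exe explorer.exe 203.0.113.10:8080
2014-07-28T10:13:59Z ws01 svchost.exe explorer.exe 203.0.113.10:8080
2014-07-28T10:21:02Z ws01 svchost.exe explorer.exe 203.0.113.10:8080
2014-07-28T10:28:00Z ws01 svchost.exe explorer.exe 203.0.113.10:8080
2014-07-28T10:00:30Z ws01 svchost.exe services.exe 198.51.100.5:443
2014-07-28T10:03:12Z ws01 svchost.exe services.exe 198.51.100.5:443
2014-07-28T10:41:50Z ws01 svchost.exe services.exe 198.51.100.5:443
2014-07-28T10:01:00Z ws01 chrome.exe explorer.exe 198.51.100.20:443
"""


def parse_line(line):
    """Split one constructed log record into a dict with a UTC datetime."""
    ts, host, proc, parent, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": when, "host": host, "proc": proc.lower(),
            "parent": parent.lower(), "ip": ip, "port": int(port)}


def find_beacons(lines, period=420.0, tolerance=0.05, min_hits=4):
    """Return flows whose inter-connection gaps cluster tightly around `period`.

    A flow is (host, process, dst ip, dst port). It is reported when it has at
    least `min_hits` connections, the median gap is within `tolerance` of the
    expected sleep, and no single gap strays further than `tolerance` from that
    median. The jitter bound is what keeps irregular but frequent traffic
    (update checks, telemetry) from being flagged.
    """
    flows = defaultdict(list)
    for line in lines:
        if line.strip():
            e = parse_line(line)
            flows[(e["host"], e["proc"], e["ip"], e["port"])].append(e["ts"])

    hits = []
    for (host, proc, ip, port), stamps in flows.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        med = median(gaps)
        jitter = max(abs(g - med) for g in gaps) / med
        if abs(med - period) <= period * tolerance and jitter <= tolerance:
            hits.append({"host": host, "process": proc, "c2": f"{ip}:{port}",
                         "count": len(stamps), "median_interval": med})
    return hits


def suspicious_svchost(lines):
    """Report svchost.exe instances not started by services.exe.

    Genuine svchost.exe hosts are launched by the Service Control Manager
    (services.exe); a copy spawned by anything else is the kind of empty host
    a dropper creates to inject a module into.
    """
    seen = set()
    for line in lines:
        if not line.strip():
            continue
        e = parse_line(line)
        if e["proc"] == "svchost.exe" and e["parent"] != "services.exe":
            seen.add((e["host"], e["parent"], f'{e["ip"]}:{e["port"]}'))
    return sorted(seen)


if __name__ == "__main__":
    records = SAMPLE_LOG.splitlines()
    for hit in find_beacons(records):
        print("beacon:", hit)
    for host, parent, dst in suspicious_svchost(records):
        print(f"svchost.exe on {host} spawned by {parent} talking to {dst}")
```

Run against the constructed sample, `find_beacons` reports only the explorer.exe-spawned svchost.exe flow to 203.0.113.10:8080 (median gap 419.5 s over five connections), and `suspicious_svchost` independently names the same process by its parent. In real telemetry, tune `period` to the observed sleep of the sample you are hunting and keep `tolerance` tight; widening it is how scheduled tasks and legitimate pollers start to look like beacons.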
While the Asprox botnet has its fingers in many different money-making pies, it is notorious for sending spam emails. While monitoring the Asprox botnet over the last several months, Symantec has observed it sending out thousands of spam advertisement emails.
Figure 3. Example of Asprox spam advertisement emails
The Asprox botnet is also known to engage in click fraud and other advertisement fraud by downloading different binaries onto compromised computers. With this new Asprox URLViewer.dll module, to date we have observed Asprox pushing out casino, loan, mobile spyware, and pornographic adverts.
Figure 4. Asprox adverts being pushed out and opened in Web browsers
So how is Asprox making money from these advertisements? Affiliate marketing rewards an affiliate a referral commission for each visitor or customer brought to the site as a result of the affiliate’s marketing efforts. The cybercriminals behind the Asprox botnet are either renting out this service to other affiliates or they themselves are registered affiliates and are making money through pushing these advertisements to unsuspecting victims’ browsers.
While these adverts might seem like a mere annoyance to some, in 2007 a substitute teacher faced prison time for exposing students to pornographic material displayed on a classroom computer as a result of a spyware infection. Although the conviction was later overturned, the case highlights just how harmful unwanted advertisements caused by a malware infection can be.
Symantec telemetry shows that at present we block thousands of Asprox infections on a daily basis in over 177 countries. The United States makes up the majority of these detections followed by the United Kingdom, Japan, Australia, Canada, India, Italy, and the Netherlands.
Figure 5. Symantec telemetry for Asprox global detections
Symantec customers are protected against Asprox by the following detections:
Intrusion prevention signatures
Asprox has also been responsible in part for the recent increase in Downloader.Ajuxer, Trojan.Cidox, Downloader.Ponik, and Trojan.FakeAV infections. This is due to secondary infections as a result of Asprox downloading these threats onto already infected computers.
Symantec customers that use the Symantec.Cloud service are also protected from the spam messages used to deliver this malware. For the best possible protection, Symantec customers should ensure that they are using the latest Symantec technologies incorporated into our consumer and enterprise solutions. As always, users should refrain from clicking on links and opening attachments in emails from unknown senders.