Asprox is back!

Security researchers warn of a rapid increase in the number of websites infected by the Asprox spam botnet. Asprox is carrying out SQL-injection attacks, which have allowed the botnet to double its presence on service providers' access applications. In a single night the number of compromised resources rose from 5 thousand to 11 thousand.

The botnet typically starts by scanning the network for vulnerable hosts; when it finds a vulnerable website, it launches the attack against that target.

M86 Security is currently monitoring and tracking the new threat. In a blog post, Rodel Mendrez reported that Asprox's behaviour has changed: previously it was used only to send spam, but now it is carrying out a massive SQL-injection campaign.

As of this writing, there are three fast-flux domains that the bot attempts to contact:

CL63AMGSTART.RU
HYPERVMSYS.RU
ML63AMGSTART.RU

These three servers are the bot's command-and-control servers. Analyzing the malware binary reveals the SQL statements it uses, as the picture shows:

Decrypting the XML file that the bot receives yields information about the targeted websites, as the screenshot shows:

And finally, a simple Google search shows that more than 5000 websites are already infected.
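A website operator who wants to find out whether they are among the sites hit by a mass SQL-injection campaign like the one described above can look for it in their web server access logs. The following is an added example, not code from the original post or from M86 Security: it parses common-log-format lines, URL-decodes each request path twice, and flags requests matching typical mass-injection shapes (stacked `DECLARE`/`CAST(0x...)`/`EXEC(@var)` statements, `' or 1=1` tautologies, trailing `--` comments). The log lines and injected query strings are constructed for the example and are not taken from the post's screenshots.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample access-log lines (common log format); the injected query
# strings are illustrative only and are not taken from the post's screenshot.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jun/2010:02:14:07 +0000] "GET /news.asp?id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jun/2010:02:14:09 +0000] "GET /news.asp?id=12;DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C415245%20AS%20VARCHAR(4000));EXEC(@S);-- HTTP/1.1" 500 312
203.0.113.9 - - [10/Jun/2010:02:14:10 +0000] "GET /product.asp?cat=3%27%20or%201%3D1-- HTTP/1.1" 200 4099
198.51.100.7 - - [10/Jun/2010:02:15:00 +0000] "POST /login.asp HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3})')
# Indicator name -> pattern tested against the URL-decoded, lower-cased request path.
INDICATORS = {
    "stacked_declare": re.compile(r";\s*declare\s+@\w+"),
    "hex_cast": re.compile(r"cast\s*\(\s*0x[0-9a-f]+\s+as\s+n?(?:var)?char"),
    "exec_variable": re.compile(r"exec\s*\(\s*@\w+\s*\)"),
    "tautology": re.compile(r"'\s*or\s+\d+\s*=\s*\d+"),
    "comment_tail": re.compile(r"--\s*$"),
}

def sqli_indicators(path):
    """Return the names of every indicator matching the path; decode twice so
    single- and double-URL-encoded payloads are normalised the same way."""
    decoded = unquote_plus(unquote_plus(path)).lower()
    return [name for name, rx in INDICATORS.items() if rx.search(decoded)]

def scan_log(text):
    """Parse log lines and return one hit dict per request that trips an indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, path, status = m.groups()
        found = sqli_indicators(path)
        if found:
            hits.append({"ip": ip, "path": path, "status": int(status),
                         "indicators": found})
    return hits

def hits_by_ip(hits):
    """Count flagged requests per source so automated mass-injection sources stand out."""
    return Counter(h["ip"] for h in hits)

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(h["ip"], h["status"], ",".join(h["indicators"]), h["path"][:60])
```

A flagged request that returned 200 rather than 500 deserves the closer look, since it may mean the injected statement executed.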

As you can see, criminals are always searching for new ways to spread their malware.
