1. Brno 2015 / 04 / 11 Security-Session.cz - Asprox botnet 1
Two years of tracking
the Asprox botnet
Michal Ambrož
2. Intro
● Contact
rebus AT seznam.cz
● Blogpost with history of Asprox
http://rebsnippets.blogspot.com/asprox
● Tracker of Asprox C2 and malware corpus
http://atrack.h3x.eu
● This presentation
http://atrack.h3x.eu/doc/presentation.pdf
● @xambroz
3. Asprox - End of the presentation :D
● Asprox C2 Tier2 infrastructure stopped responding in January 2015
● last successful response at 2015-01-19T13:45:04.231878 GMT
● some C2 Tier1 servers have been reused for the Geodo/Dridex botnet since December 2014
● the mailing infrastructure still somehow works, but malware doesn't get distributed anymore
● Is this the end of the Asprox botnet?
4. Agenda
● brief history of Asprox Botnet
● high level overview of the botnet infrastructure
● distribution channels
● zombie host
● C2 infrastructure
● modules infrastructure
● Q&A
5. About Asprox botnet
● rather small botnet
● approx. 25 000 zombie hosts (December 2014)
● phishing email to download / open malware
● download additional malware modules
● steal passwords
● spread 3rd party malware
● spread advertisement
● hack websites to spread mail/download/C2 infrastructure
6. Asprox - the brief history
2007 - First recognized by security researchers
2008 - Asprox mass use of SQL injection to infect ASP pages
– modules using Google to search for new hosts to attack
2009 - Asprox - another wave of mass SQL injection
2012 - Asprox started using Kuluoz downloader
– plaintext protocol communicating to C2, RC4 encrypted DLL modules
2013 - Asprox using RC4 encrypted requests to C2
2013-08 - 2013-10 Kuluoz using new encryption of payload
2013-10 - 2015-01 Kuluoz using second encryption RSA+RC4
2015-01 Asprox botnet disappeared in a puff of smoke
10. Asprox - Victim - more mail templates 2013
11. Asprox - Victim - more mail templates 2014
More email samples on:
https://techhelplist.com/index.php/spam-list/
http://malware-traffic-analysis.net
12. Asprox - download links 2013
● the 2013 links shared a common part
● probably used for some referral purpose
– http://925geek[.]com/img/get.php?get_info=521_585240407
– http://adarshlifecare[.]org/img/get.php?get_info=ss00_323
– http://billwhiteart[.]com/img/get.php?get_info=ss00_323
– http://depro[.]co/img/get.php?info=888_449980528
– http://donpoyser[.]com/img/get.php?get_info=ss00_323
13. Asprox - download links 2013
● the query attribute name selects the ZIP naming template so that it matches the email template
● campaigns with RewriteRule were also seen
Request         | Campaign          | Sample                                            | Name of EXE
?ticket=        | American Airlines | http://andiburns.de/img/get.php?ticket=ss00_323   | Electronic Ticket.exe
?get_info=      | DHL               | http://andiburns.de/img/get.php?get_info=ss00_323 | Shipment_Status_008436284830.exe
?info=          | DHL               | http://andiburns.de/img/get.php?info=ss00_323     | Shipment_Status_008436284830.exe
?i_info=        | Fedex             | http://andiburns.de/img/get.php?i_info=ss00_323   | Shipment Label.exe
?receipt=       | Fedex             | http://andiburns.de/img/get.php?receipt=ss00_323  | Postal Receipt No00843412843.exe
?receipt_print= | Fedex             | http://andiburns.de/img/get.php?receipt=ss00_323  | Postal Receipt No00843412843.exe
?print=         | Fedex             | http://andiburns.de/img/get.php?receipt=ss00_323  | Postal Receipt No00843412843.exe
14. Asprox - download links 2014
● identifiers are unique per site
● identifiers are probably unique per email
● attributes got simpler, like ?c=..., ?t=, ?w=, ?fd=, ?fdx=
● campaigns with RewriteRule were also seen
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1auYixfO9vaMVEqAH0Hg8
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1H2RoUa//VCh/3JqqQjpU
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1HtXZZw0NERZgU4L5ntoQ
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1KhTWm5zFQEAie6qp+2Ps
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E1t4Emn414AdywVUPc0/uI
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E26bHf/UAtQa5IeyOoTrQ0
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E2CJhKxJ0kmeLEiRcdYuFQ
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E+2RlboMFbZbfmjy5cj+gg
example.com/view.php?ez=Xfdn1VIeLYsu3XXXXXXi7E35QpmplQVMrfKLOjb3/QU
[thanks J for the sample links :)]
15. Asprox - Victim - ZIP with EXE
● the downloaded ZIP contains an EXE
● the EXE has the icon of some well-known application
● since late 2013 the ZIP/EXE are GeoIP aware of the downloading client
17. Asprox - Corpus of malware
http://atrack.h3x.eu/corpus/2 - approx. 18 000 EXE samples
http://atrack.h3x.eu/corpus/2/18370 - 2012-08-15 13:36
18. Asprox - Calling home 2012
● This is actually the oldest sample in the corpus - 2012
926af24d2a9a7bc64e22a6ac5857609a
● the first 8 chars of the path are the RC4 key
● the rest is the RC4-encrypted request, hex encoded
http://203.130.129.58:84/00cd1a40FA511365883ACEB58B055EA44882D5E2D24B9BB24D7949BCECDEA40E850DB1FCC7397577E90756ED3EC925691223BC8E3A25F2B211169BAF86A0A20919FFE3BB6FCB
● Decrypts as:
http://203.130.129.58:84/index.php?r=gate&id=00cd1a40&group=n1508rcm&debug=0&ips=127.0.0.1
19. Asprox - Calling home 2013
● well described in the Trend Micro "Asprox Reborn" research paper
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
● the id in the request changed to the full 32 chars (16 bytes in hex) of the MD5 machine id
● the RC4 key stayed 8 chars (the first 8 of the machine id)
● the response from the C2 is in plaintext
● response from C2 is in plaintext
21. Asprox - calling home 2013
● Requests:
– r=gate
– r=gate/getipslist
● Commands:
– idl - wait
– rdl - download and run DLL
– run - download and run executable
– rem - remove the malware
– red - registry edit
– upd - download new version and update
22. Asprox - late 2013 encryption scheme
● the encryption used approx. September - December 2013 was described by StopMalvertising:
http://stopmalvertising.com/malware-reports/analysis-of-asprox-and-its-new-encryption-scheme.html
● POST request (used to be GET)
● RC4 encryption of URI remained
● parameters are sent in the body
● the payload carries the RSA-encrypted session key and the data parts, formatted as multipart/form-data file uploads
● request parameters are encoded in XML:
● <knock><id>%s</id><group>%s</group><src>%d</src><transport>%d</transport><time>%d</time><version>%d</version><status>%d</status><debug>%s</debug></knock>
24. Asprox - 2014 encryption scheme
● Described by Herrcore - Inside The New Asprox/Kuluoz
http://herrcore.blogspot.ca/2014/01/inside-new-asproxkuluoz-october-2013.html
● POST request
● RC4 encrypted URI remained
● later in 2014 the encrypted URI contained only /index.php
● then it was switched to a plaintext /index.php
● RSA key remained
● the payload of the request is in binary format:
[4B len(key)] [RSA-encrypted RC4 key] [4B len(data)] [RC4-encrypted data]
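As an added example (not from the presentation), a Python decoder for the two framings described on the "Calling home 2012" slide and here: the beacon URI whose first 8 characters are the RC4 key and whose remainder is the hex-encoded RC4 ciphertext of the request, and the 2014 binary body [4B len(key)][RSA-encrypted RC4 key][4B len(data)][RC4-encrypted data]. Little-endian length fields, the helper names and the sample values are assumptions; the RSA-wrapped key cannot be recovered without the operator's private key, so the frame parser only splits the fields.

```python
import struct
from typing import Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def decode_2012_beacon(path: str) -> Tuple[str, str]:
    """2012/2013 URI: '/' + 8-char RC4 key (start of the bot id) + hex(RC4(key, request))."""
    body = path.lstrip("/")
    key, cipher_hex = body[:8], body[8:]
    request = rc4(key.encode(), bytes.fromhex(cipher_hex)).decode("ascii", "replace")
    return key, request

def encode_2012_beacon(key: str, request: str) -> str:
    """Inverse of decode_2012_beacon; used here only to build constructed test traffic."""
    return "/" + key + rc4(key.encode(), request.encode()).hex().upper()

def build_2014_payload(enc_key: bytes, enc_data: bytes) -> bytes:
    """Frame: 4B len(key) | RSA-encrypted RC4 key | 4B len(data) | RC4-encrypted data.
    Little-endian length fields are an assumption; the slide does not specify them."""
    return (struct.pack("<I", len(enc_key)) + enc_key
            + struct.pack("<I", len(enc_data)) + enc_data)

def split_2014_payload(blob: bytes) -> Tuple[bytes, bytes]:
    """Split the frame above, rejecting truncated input. The RC4 key stays opaque
    without the operator's RSA private key; the data decrypts once the key is known."""
    klen = struct.unpack_from("<I", blob, 0)[0]
    enc_key = blob[4:4 + klen]
    off = 4 + klen
    if len(enc_key) != klen or len(blob) < off + 4:
        raise ValueError("truncated payload")
    dlen = struct.unpack_from("<I", blob, off)[0]
    enc_data = blob[off + 4:off + 4 + dlen]
    if len(enc_data) != dlen:
        raise ValueError("truncated payload")
    return enc_key, enc_data
```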
26. Asprox - download infrastructure - Tier1
● compromised web servers with PHP
● the PHP script works as a proxy
● repacks the request and sends it to the back-end servers
● if the back-end is not available it returns HTTP 404
● mimics the 404 page of the compromised website
27. Asprox - 2013 - php download script
● Samples:
May 2013 - pointing to 62.109.31.142
● http://forum.ubuntu.cz/index.php?topic=67954.0
● http://security.stackexchange.com/questions/35983/malicious-links-that-respond-to-browsers-but-not-curl-or-wget
Jun-Nov 2013 - pointing to 78.138.118.124-127
● http://pastie.org/pastes/8219244
30. Asprox - 2013 - php download script
● Error handling function (mimics the hosting server's own 404 page)
function error_404()
{
    header("HTTP/1.1 404 Not Found");
    exit("<!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\r\n"
        ."<html><head><title>404 Not Found</title></head><body>\r\n"
        ."<h1>Not Found</h1>\r\n"
        ."<p>The requested URL was not found on this server.</p>\r\n"
        ."<hr>\r\n"
        ."</body></html>\r\n");
}
33. Asprox - download script obfuscation
● For example:
$ip=NULL;
● Becomes
${"GLOBALS"}["kyhshvku"]="ip";
${${"GLOBALS"}["kyhshvku"]}=NULL;
● Then (the same code with hex escapes; "\x47L\x4fB\x41\x4c\x53" is "GLOBALS")
${"\x47L\x4fB\x41\x4c\x53"}["\x6b\x79\x68\x73\x68\x76k\x75"]="\x69p";
${${"\x47L\x4f\x42A\x4c\x53"}["\x6b\x79\x68\x73h\x76\x6bu"]}=NULL;
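As an added example (not from the presentation or from the script's author), a small Python deobfuscator that undoes the two layers shown above: it resolves the hex escapes back into plain strings, then drops the ${"GLOBALS"}["alias"] indirection and inlines the real variable name. The sample input is constructed from the slide, not taken from the actual download script.

```python
import re
from typing import Dict, Tuple

# Constructed sample rebuilt from the slide (not the real download script).
SAMPLE = r'''${"\x47L\x4fB\x41\x4c\x53"}["\x6b\x79\x68\x73\x68\x76k\x75"]="\x69p";
${${"\x47L\x4f\x42A\x4c\x53"}["\x6b\x79\x68\x73h\x76\x6bu"]}=NULL;'''

# PHP \xNN escapes take one or two hex digits, so "\x4fB" is "O" followed by "B".
HEX_ESC = re.compile(r"\\x([0-9A-Fa-f]{1,2})")
# ${"GLOBALS"}["alias"]="name";  records that $alias holds the name of a variable
ALIAS_DEF = re.compile(r'\$\{"GLOBALS"\}\["(\w+)"\]="(\w+)";[ \t]*\r?\n?')
# ${${"GLOBALS"}["alias"]}       is a variable-variable reference to $name
ALIAS_USE = re.compile(r'\$\{\$\{"GLOBALS"\}\["(\w+)"\]\}')

def unescape_hex(src: str) -> str:
    """Layer 2 -> layer 1: turn hex escapes inside double-quoted strings into characters."""
    return HEX_ESC.sub(lambda m: chr(int(m.group(1), 16)), src)

def resolve_globals(src: str) -> Tuple[str, Dict[str, str]]:
    """Layer 1 -> original: drop the alias table and inline the real variable names."""
    aliases = dict(ALIAS_DEF.findall(src))
    src = ALIAS_DEF.sub("", src)
    src = ALIAS_USE.sub(lambda m: "$" + aliases.get(m.group(1), m.group(1)), src)
    return src, aliases

def deobfuscate(src: str) -> Tuple[str, Dict[str, str]]:
    """Apply both steps; returns the cleaned PHP and the recovered alias -> name table."""
    return resolve_globals(unescape_hex(src))
```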
34. Asprox - download infrastructure - Tier2
● modified proxy script from the Tier1
● adds another layer of complexity
● seems to be used since Jun 2013
● was reusing some former Tier2 servers as Tier3
35. Asprox - download infrastructure - Tier3
● tracks clients
● allows only a limited number of downloads from the same IP
● allows only a few (approx. 5) downloads per link
● blocks AV vendors' automated scanners
● in 2013 the download served FakeAV APK installers directly when accessed from Android
37. Asprox - mailing infrastructure 2013
● in 2013 the mailing was mainly from botnet zombies
● a special spamming module distributed by Asprox
● downloads templates from the C2 server and uses them for spamming
● in August 2013 the C2 servers stopped responding to the template requests
38. Asprox - mailing infrastructure 2014
● in 2014 Asprox was misusing compromised web servers
● malicious PHP script for sending spam
● also contains a backdoor
● orchestrated from a limited number of IP addresses
● Samples:
http://forum.directadmin.com/showthread.php?t=48038
http://www.apañados.es/images/ampliadas/kayuwvf.txt
http://www.unphp.net/decode/ee10f7511e1f4737ae4a67d79417ca2a/
http://codetidy.com/4374
42. Asprox - Command And Control infrastructure
43. Asprox - Command And Control infrastructure
● Tracker: http://atrack.h3x.eu/
● misusing Linux servers with a leaked root password
● SSH as root is used to copy the install script
● the install script installs the gcc toolset
● downloads nginx
● compiles it
● starts nginx doing proxy_pass to the Tier2 infrastructure
● decoys to hinder security research:
– configuration is changed after start
– nginx binaries are deleted
– installation scripts are deleted
44. Asprox - C2 Tier1 - nginx installation #1
● a 2013 sample of the install script can be found on
http://www.linuxquestions.org/questions/linux-security-4/remove-asprox-botnet-controller-from-linux-server-4175466422/
● the 2014 install script overwrites the real configuration with a fake one
● It starts with installing the devel tools
killall nginx                        # stop any nginx already running on the box
if which yum >/dev/null; then        # RPM-based distributions
    yum -y install gcc make nano
fi
if which aptitude >/dev/null; then   # Debian-based distributions
    aptitude update && aptitude -q -y install gcc make nano
fi
48. Asprox - C2 Tier1 - incident response
● Identify the process listening on port 8080
lsof -i -n -P | grep LISTEN | grep 8080
● Identify Tier2 from the network traffic (send a marked request, watch where it is forwarded)
wget http://localhost:8080 --header "Test=AAAAAAAAA"
tcpdump -X src [[MY_IP]]
● Take a core dump of the process for analysis (PID 18466 in this case)
gdb /proc/18466/exe 18466
gdb> gcore
gdb> detach
gdb> quit
49. Asprox - Top 50 countries as clients to C2
● log data from one of the Tier1 C2 servers
● 27 000 clients during a period of 2 months (June-August 2014)
● English-speaking countries
50. Asprox - C2 Tier2
● 2013
RU 31.184.244.52:3306
DE 144.76.42.72:8880
DE 46.165.222.36:3306
● 2014
UA 194.44.49.28:3306
RO 94.199.48.245:3306
52. Asprox - modules
● List of detected modules:
http://atrack.h3x.eu/corpus/8
● Analysis of modules:
● 2013 - Trend Micro
http://www.trendmicro.com/cloud-content/us/pdfs/security-intelligence/white-papers/wp-asprox-reborn.pdf
● 2014 - StopMalvertising.com
http://stopmalvertising.com/malware-reports/a-journey-inside-the-asprox-modules.html
53. Asprox - modules
● DLL modules are distributed as a response to a C2 request
● 2013 - a link to the module was distributed by the C2 as the response to the update request; the modules were distributed RC4-encrypted, and the key to decrypt them was part of the C2 response
● 2014 - the full DLL is sent back in the C2 response, bzip + base64 encoded; the C2 response is encrypted with RC4
54. Asprox - modules infrastructure
● some of the modules use the C2 infrastructure
● some of the modules use their own set of back-end servers
● the back-end servers again use nginx proxies
● some of them in different versions
56. Outro :D
● Contact
rebus AT seznam.cz
● Blogpost with history of Asprox
http://rebsnippets.blogspot.com/asprox
● Tracker of Asprox C2 and malware corpus
http://atrack.h3x.eu
● This presentation
http://atrack.h3x.eu/doc/presentation.pdf
● @xambroz