Asprox, a.k.a. Zortob, is an old botnet that was uncovered in 2007. It is known to spread by arriving as an attachment in spam emails that purport to be from well-known companies. The attachment itself is disguised as a legitimate document file by using icons such as those of a .doc or .pdf file.
Figure 1. Asprox malware posing as a Microsoft Word document.
This blog post will give an overview of Asprox's functionality with a focus on the changes in its communication with the command-and-control (C&C) server, including a new C&C command,...
by Long Tran | Jul 28, 2014 | Filed in: Security Research
Do you remember Asprox, the botnet that used SQL injection attacks combined with results from search engines like Google to automatically infect Microsoft IIS-powered websites? We did a talk (slides) at the last Virus Bulletin about that, and for about a month now, we've been seeing some new variants in the wild. Like last December, a blind SQL injection targeting ASP pages using Transact SQL is attempted using the following chain as a request argument:
DECLARE%20@S%20VARCHAR(4000);SET%20@S=CAST(0x4445434C41524520405420564...%20AS%20VARCHAR(4000));EXEC(@S)
Once...
by David Maciejak | Nov 06, 2009 | Filed in: Security Research