    Archive for March 4th, 2013

    Recently, we shed some light on APT attack tools and how to identify them. Part of our daily tasks as threat researchers revolves around investigating APT actors, and the tools that they utilize to help better protect our customers. The purpose of this blog is to further investigate the tools that APT actors typically use and what they do with them.

    How these tools are used

    While many would expect these tools to be used during the initial compromise phase of an attack, that is not the focus of this post. I will be focusing on the tools that are used after the initial compromise is attained. The following diagram illustrates where these tools are commonly used in a traditional APT lifecycle.

    Figure 1. Traditional APT lifecycle

    Step 1: The attacker sends malware to the victim. This can be done in many ways – an email message with a malicious attachment, a USB flash disk, or a compromised web site are all possibilities.

    Step 2: The malware is executed on the affected system. This may require manual steps by the victim, or it could be done without any intervention using exploits.

    Step 3: When the malware is run, it drops a backdoor such as STARSYPOUND or BOUNCER. These first-stage tools open a connection back to the attacker for later access, allowing the attacker to maintain persistence and regain access to the system at a later time.

    Step 4: The attacker then uploads tools to perform data exfiltration, lateral movement, and a litany of other tasks.

    Tools overview

    The tools listed below include some of the tools APT actors use on a daily basis. These tools are typically employed once the APT actor gets access to the victim’s machine via one of the first-stage tools listed above. Keep in mind, however, that this list does not include first-stage tools such as backdoors, Trojans, and other tools of that category.

    In addition, this is not a complete listing of tools, since a complete list is impossible to create given the ever-changing threat landscape. Many APT actors use custom-coded applications that perform similar functionality and thus may differ from those listed below. Use this list as a baseline of functionality to help identify similar tools in your environment and to demonstrate known tools that are used in common APT campaigns.



    7:12 am (UTC-7) | by

    While spam botnets are well-known for sending out unwanted ads, especially for “rogue” pharmaceutical companies, they are also an integral component of malware distribution. In addition to sending out their own malware so that they can increase the size of their botnet, the miscreants behind these operations also earn revenue by installing additional malware supplied by Pay-Per-Install (PPI) affiliates, or “partnerkas”.

    We have examined the operations of the infamous Asprox spam botnet in some detail. Asprox is known for sending spam pretending to be from package delivery companies like FedEx, DHL, and the US Postal Service. While Asprox has only been mentioned sporadically in the past few years, other spam campaigns with similar tactics as well as fake ticket scams using well-known airlines like Delta and American Airlines have received significant attention.

    Relatively few of these campaigns were connected to Asprox, and even fewer reports offered insight into the full botnet’s operations. How was this possible? Several modifications were made to Asprox that made it much more effective:

    • It uses a diverse set of spam templates that employ a variety of themes and languages to lure users into opening malicious attachments or clicking malicious links.
    • It adopted a modular framework (with KULUOZ malware as a dropper) so botnet operators could easily add new features when needed. RC4 encryption was also added to combat network-level detection.
    • It has multiple spamming modules, one of which uses compromised legitimate email accounts to combat anti-spam technologies that utilize reputation systems.
    • It deploys a scanning module that commands compromised computers to scan websites for various vulnerabilities. This is done so it can distribute malware via compromised websites without being caught by web-filtering and reputation technologies.
    • It distributes an information-stealing module that allows it to harvest FTP, website, and email credentials from its victims.


    Posted in Botnets, Malware, Spam | Comments Off on Asprox Reborn


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice