While spam botnets are well-known for sending out unwanted ads, especially for “rogue” pharmaceutical companies, they are also an integral component of malware distribution. In addition to sending out their own malware so that they can increase the size of their botnet, the miscreants behind these operations also earn revenue by installing additional malware supplied by Pay-Per-Install (PPI) affiliates, or “partnerkas”.
We have examined the operations of the infamous Asprox spam botnet in some detail. Asprox is known for sending spam pretending to be from package delivery companies like FedEx, DHL, and the US Postal Service. While Asprox has only been mentioned sporadically in the past few years, other spam campaigns with similar tactics as well as fake ticket scams using well-known airlines like Delta and American Airlines have received significant attention.
Relatively few of these campaigns were attributed to Asprox, and even fewer reports covered the botnet’s full operation. How was this possible? Several modifications were made to Asprox that made it much more effective:
- It uses a diverse set of spam templates that use a variety of themes and languages to lure users into opening malicious attachments or clicking malicious links.
- It adopted a modular framework (with KULUOZ malware as a dropper) so botnet operators could easily add new features when needed. RC4 encryption was also added to combat network-level detection.
- It has multiple spamming modules, one of which uses compromised legitimate email accounts to combat anti-spam technologies that utilize reputation systems.
- It deploys a scanning module that commands compromised computers to scan websites for various vulnerabilities. This is done so it can distribute malware via compromised websites without being caught by web-filtering and reputation technologies.
- It distributes an information-stealing module that allows it to harvest FTP, website, and email credentials from its victims.
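The RC4 layer mentioned above is worth seeing concretely. The following Python script is an added illustration, not code from the original post or from the Asprox/KULUOZ operators: it RC4-wraps a constructed bot check-in and shows that a plaintext network signature stops matching, while a content-agnostic byte-entropy check still flags the payload as encrypted. The key (`example-key`), the hostname `c2.example.invalid`, the request format and the signature string `spam_template` are all assumptions made up for this example and say nothing about the real botnet’s protocol.

```python
# Added example (not from the original article or the botnet's code):
# why RC4-encrypted command-and-control traffic defeats plaintext signature
# matching, and a byte-entropy heuristic that still catches it.
# Key, request format, hostname and signature below are constructed.
import math
from collections import Counter


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4: key-scheduling (KSA) then keystream generation (PRGA).
    Encryption and decryption are the same XOR operation."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # PRGA
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte, 0.0 (constant) to 8.0 (uniform)."""
    n = len(data)
    if n == 0:
        return 0.0
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


# Constructed plaintext check-in: a bot fetching a spam template.  An IDS rule
# matching the literal b"spam_template" would catch this in the clear.
SIGNATURE = b"spam_template"
KEY = b"example-key"                           # assumed key, not Asprox's
PLAINTEXT = (
    b"POST /get.php?bot=0001&ver=2 HTTP/1.1\r\n"
    b"Host: c2.example.invalid\r\n\r\n"
    b"task=spam_template&lang=en&body="
    + (b"Dear Customer, your parcel could not be delivered. "
       b"Open the attached label to arrange redelivery. ") * 12
)


def signature_hits(data: bytes) -> bool:
    """Plaintext signature match, as a simple content-matching IDS would do."""
    return SIGNATURE in data


def looks_encrypted(data: bytes, threshold: float = 6.0) -> bool:
    """Heuristic: HTTP-like ASCII text sits around 4-5 bits/byte, while a
    stream-cipher output of a few hundred bytes or more approaches 8.
    Only meaningful on samples large enough that log2(len) exceeds threshold."""
    return entropy(data) > threshold


if __name__ == "__main__":
    ct = rc4(KEY, PLAINTEXT)
    assert rc4(KEY, ct) == PLAINTEXT            # round trip
    print("plaintext matches signature: ", signature_hits(PLAINTEXT))
    print("ciphertext matches signature:", signature_hits(ct))
    print(f"entropy plaintext {entropy(PLAINTEXT):.2f} bits/byte, "
          f"ciphertext {entropy(ct):.2f} bits/byte")
    print("ciphertext flagged by entropy check:", looks_encrypted(ct))
```

Two caveats a detection engineer would add. First, an entropy heuristic only works on payloads long enough for the measurement to be meaningful; a 40-byte beacon cannot exceed about 5.3 bits/byte no matter how it is encrypted, so the check must be paired with size, periodicity or destination features. Second, a static RC4 key only hides traffic from signature-based inspection; once the key is recovered from a sample, the same `rc4()` decrypts every capture, which is exactly how the module structure of such a botnet gets documented.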
Although Asprox has mostly targeted North American users, it also sends out spam messages to European users in German and Spanish.
Figure 1: Asprox malware detection by region
Figure 2: Asprox-related spam campaign detection by region
Our research demonstrates that with modifications, even older, well-known threats can continue to be effective. Moreover, it shows that spam botnets remain a crucial component of the malware ecosystem and that cybercriminals are always looking for new ways to adapt in response to defenses.
Our full findings are contained in the full Asprox Reborn research paper, which you can download here.