Threat Research

September 2010: Asprox Botnet, Network Sniffers Emerge

By Derek Manky | September 29, 2010

Our September 2010 Threat Report is up. Below is a recap of events.

Botnets continued to be hot on the malware scene, Sasfis being one of the major detections. The top three detections in our malware list this report indicate packed, malicious samples - most of which relate to Sasfis. On September 14th there was a surge in Sasfis activity - thanks to the Asprox spambot. Asprox has been around for some time, but has been quite silent over the past year. One of our systems tracking Sasfis showed that the botnet downloaded an Asprox spam module on September 14th for a seeding campaign. The emails contained zipped executable attachments, disguised as fax copies. This attachment was a copy of Sasfis, which would in turn download Asprox to send more spam on the freshly infected machine. Asprox downloads encrypted spam templates through HTTP, under the filename "COMMON.BIN".

One variant we analyzed from our third detection (W32/Katusha.MK!tr) downloaded a sniffer module which scans traffic on TCP ports 21, 25 and 110 (FTP, SMTP and POP3). Traffic on these ports would be processed by the module into encrypted data sets, and sent via HTTP POST to a command and control server located in Europe. Stolen FTP credentials can be quite valuable, often used to hijack web servers - for example overwriting content with injected IFRAMEs that redirect users to malicious pages. We also observed this hot variant to download the TotalSecurity Ransomware suite, keeping this dangerous infection high on the radar.

Over forty percent of our newly covered vulnerabilities were exploited / attacked this report, a notable jump from previous months. There was some small shuffling in our top ten attack list, with the exception of 'FreeType.CFF.Jailbreak.Apple.Device.Buffer.Overflow which jumped into fourth position this report. The vulnerability (CVE-2010-2972) is being used to jailbreak Apple iPhones through PDF files. The problem lies in the Compact Font Format, which is supported in popular document formats such as PDF. Of course, the interesting aspect of this attack is that it is often used intentionally to jailbreak devices. However, as with any vulnerability, a scenario could exist where an attacker could jailbreak a phone for malicious purposes.

Two vulnerabilities were patched for Apple Quicktime on September 15th, one of which was discovered by FortiGuard Labs ( FGA-2010-46). The other vulnerability (CVE-2010-1818) was a critical issue that bypassed DEP and ASLR protection technologies using Quicktime, disclosed on August 30th. There are in-the-wild flash samples trying to exploit this vulnerability. A Metasploit module was also developed on August 31st. The vulnerability was exploited in a zero-day state for over two weeks: patches can be found here in Quicktime 7.6.8. As of writing, Microsoft has also issued security advisories for two zero-day vulnerabilities: please follow our corresponding FortiGuard Advisories (FGA-2010-47 FGA-2010-48 for developments. Two zero-day Adobe vulnerabilities were also reported, with corresponding FortiGuard advisories (FGA-2010-43FGA-2010-45).

Join the Discussion