asprox

  • Asprox botnet advertising fraud - general overview 1

    Introduction


     Update!

    At the time this article was written, this type of ad-fraud bot was thought to be Asprox. Later, it was generally accepted that this ad-fraud bot was called "Rerdom" and usually packaged alongside "Zemot" and possibly "Rovnix". This ad-fraud system IS/WAS the primary ad-fraud bot of Asprox, and Asprox was probably the primary user of Rerdom, but other botnets later used Rerdom, and Asprox was also known to use other ad-fraud bots (THL has seen Asprox use Asterope/Ropest and Fleervicet on rare occasions). Anyway, so you know, this ad-fraud system isn't organic or inherent to Asprox alone. Ok, back to the article....


     

    In a previous article, I detailed almost a stream-by-stream run-down of one instance of an Asprox bot conducting fraudulent advertising traffic.

    Now that I've been swimming in this Kool-Aid for a couple of months, I'm starting to figure out what flavor it is.

    This article is a generalized explanation of the process an Asprox bot goes through when conducting advertising fraud, so that other people can recognize the general form of the network traffic if they see it.

    This also only applies to how the Asprox botnet does ad fraud around the time this article was written. Looking back at November 2013 data, the flow seems to have been entirely different. The flow documented in this article applies from around December 2013 until Asprox decides to change again.

    Initial infection

    Asprox enlists Microsoft Windows PCs into its botnet through the use of a trojan that is often called Kuluoz or Dofoil.

    These trojans are sent via email in tricky malware-phishing emails of two types. Link-style emails are usually sent from compromised servers and have HTML links to other compromised web servers, which host a proxy downloader script that provides an exe-in-zip trojan. Attachment-style emails are usually sent from other infected PCs, and the attachment is also an exe-in-zip trojan.

    Examples of these emails are:

    When a Windows user runs the Kuluoz attachment, the machine basically becomes the property of the Asprox botnet.

    Initial Check-In

    The infected machine will contact yet another compromised web server, usually on port 8080, and will POST and receive back some encrypted data. The mechanics of this check-in process are better explained by smarter people than I; links to some great articles are provided at the bottom of this write-up.

    If the bot is accepted by the botnet, it will typically try an SMTP connection to some mail server, like a Gmail SMTP server. If the bot finds that it has unobstructed spamming potential, it will contact another work-specific server for spamming instructions, as detailed in this article.

    This article will focus on when the bot is assigned to conduct advertising fraud.

    Ad-fraud specific Check-In

    Empty shoe

    The bot will make an HTTP request to a domain like net-forwarding.com (December-ish 2013), net-translscl.com (January to mid-February 2014), or step-count10.com (mid-February onward). A simple GET request like:

    net-translscl.com/b/shoe/159
    net-forwarding.com/b/shoe/159
    step-count10.com/b/shoe/159

    Picture of bot trying net-translscl.com or net-forwarding.com to test connectivity.

    The response may be a 200 OK with no data, or a 404 Not Found. Either way, the bot now knows it can get to Ukraine. I'm just guessing, obviously, but I never saw any other data exchanged.

    The domains were registered by a registrar called hosthost.biz (aka noc.su) and pointed to 193.105.210.113 in UKRAINE.

    Download an executable

    The bot then downloads an executable file, initially called "exe.exe" and renamed to something like a "Java Update" or "Flash Update", which is usually dropped in \appdata\temp or some place like that. Many anti-virus products flag this file as some FakeAV; however, it never does any of the ransomware/scareware behavior you might expect from a FakeAV trojan. The running process will usually be named something like "Windows Defender".

    The executable is downloaded from a domain that changes every couple days at least, with a GET url that also changes every day or so. Examples (spaces added):

    31 Dec 2013 - pap-tech.com/media/video/
    12 Jan 2014 - news-online24.com/libs0.19/jquery/
    14 Jan 2014 - engl-evaline.com/libs1.19/jquery
    16 Jan 2014 - sugar-freez.com/libs9.81/jquery/
    19 Jan 2014 - king-orbit.com/libs/12.21/jquery/
    21 Jan 2014 - message-tvit.com/libs19.57/jquery/
    28 Jan 2014 - bee-smoka.com/libs29.89/jquery/
    31 Jan 2014 - vespula-grants.com/libs37.64/jquery/
    03 Feb 2014 - want-giftmore.com/libs41.898/jquery/
    05 Feb 2014 - hoegarden-beer.com/lib2.395/jquery/
    19 Feb 2014 - gorilla-w-glass.com//libs89/jquery/
    20 Feb 2014 - 212-lithium.com/libq3/jquery/

    Windows 7 will ask for allow/deny for a fake Java or Flash update. Allowing the execution will cause a reboot and the ad-bot can continue. Windows XP will just reboot and keep going.

    All these domains were registered under hosthost.biz (aka noc.su). The IP addresses were all around:

    109.163.239.243 Saulhost / Voxility
    109.163.239.226 Saulhost / Voxility
    109.163.239.240 Saulhost / Voxility

    Those are all either Russia, Latvia, or Romania depending on which ip-geo you believe.

    Next-level check-in and a tight leash.

    The bot will have an ongoing exchange with several domains, using an Asprox-style HTTP POST with encrypted data back-and-forths.

    The domains include:

    kar-gen-pl1.net
    presto-uniel.com
    cioco-froll.com

    Some of the IP addresses these domains have pointed to include:


    The URLs take the form /b/something/24-hexadecimal-chars, like:

    /b/eve/D91AE031C618F3CAFB12AD9F
    /b/opt/81231CB7A8A58E2E32993FCE
    /b/req/91FDDB836AC788EB164A9E34
    /b/letr/22EFC6DFA0C289594A1E3D69

    The /b/eve GET elicits an HTML "Hi!" response. The others are POSTs that get back encrypted data of various lengths.

    A bot checking in with /b/eve and getting a "hi!" response.

    These communications will happen periodically as long as the bot is running, and may use any of the domains interchangeably.

    Picture of bot checking in with /b/opt and POST encrypted data.

    What are they talking about? Probably exchanging lolcats.
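    The URL shapes above are easy to pattern-match in HTTP proxy logs. The following is an added example (not code from the original article) that flags the /b/shoe/ connectivity test and the /b/eve, /b/opt, /b/req and /b/letr check-ins per client; the log-line format and the sample lines are constructed, and only clients that hit the pattern repeatedly are reported.

```python
"""Flag the Asprox/Rerdom-style check-in URLs described above in HTTP proxy logs.
Added example, not code from the original article.  The log-line format and
the sample lines below are constructed for illustration."""
import re
from collections import defaultdict

# URL shapes from the write-up:
#   connectivity test: /b/shoe/<number>            (GET, answered 200-empty or 404)
#   check-ins:         /b/(eve|opt|req|letr)/<24 hex chars>
#                      /b/eve is a GET answered "hi!"; the others POST encrypted data
SHOE_RE = re.compile(r"^/b/shoe/\d+$")
CHECKIN_RE = re.compile(r"^/b/(eve|opt|req|letr)/[0-9A-Fa-f]{24}$")

# Constructed log-line format (an assumption, not any real proxy's format):
#   <epoch> <client_ip> <method> <host> <path> <status> <bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<host>\S+)\s+(?P<path>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that don't fit."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = float(rec["ts"])
    rec["status"] = int(rec["status"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def classify(rec):
    """Label a request that matches one of the check-in shapes, else None."""
    path = rec["path"]
    if SHOE_RE.match(path):
        return "shoe-connectivity-test"
    m = CHECKIN_RE.match(path)
    if not m:
        return None
    verb = m.group(1)
    if verb == "eve" and rec["method"] == "GET":
        return "eve-hello"
    if verb != "eve" and rec["method"] == "POST":
        return verb + "-encrypted-post"
    # Right path shape but the wrong method: still worth a look, labelled apart.
    return verb + "-unexpected-method"


def find_suspects(lines, min_hits=2):
    """Group matching requests per client; keep clients with at least min_hits.

    A single /b/shoe/ hit could be coincidence; the article's bots repeat the
    shoe test and then check in periodically, so a repeat is the signal.
    Returns {client_ip: [(ts, host, label), ...]} sorted by time."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            hits[rec["client"]].append((rec["ts"], rec["host"], label))
    return {c: sorted(v) for c, v in hits.items() if len(v) >= min_hits}


# Constructed sample log, modelled on the sequence reported in the article
# (hosts are the ones it names; client IPs, times and sizes are made up).
SAMPLE_LOG = """\
1388500000.00 10.0.0.5 GET net-forwarding.com /b/shoe/159 404 162
1388500007.00 10.0.0.5 GET net-forwarding.com /b/shoe/159 404 162
1388500100.00 10.0.0.5 GET kar-gen-pl1.net /b/eve/90341462bab59bfe35e09712 200 3
1388500155.00 10.0.0.5 POST kar-gen-pl1.net /b/opt/DBB29800B8F9EB9F92786403 200 149
1388500160.00 10.0.0.5 POST presto-uniel.com /b/req/91FDDB836AC788EB164A9E34 200 412
1388500170.00 10.0.0.9 GET www.example.com /b/shoe/ 200 500
1388500180.00 10.0.0.9 GET www.example.com /index.html 200 5120
1388500190.00 10.0.0.9 GET cdn.example.com /b/eve/notahexstringatallxxxxxx 200 10
"""

if __name__ == "__main__":
    for client, events in find_suspects(SAMPLE_LOG.splitlines()).items():
        print(client)
        for ts, host, label in events:
            print("  %.2f %s %s" % (ts, host, label))
```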

    Download another binary file

    From the same host where the bot downloaded the "exe.exe" file, the bot will get soft32.dll or soft64.dll, depending on whether Windows is 32- or 64-bit. These files look like encrypted binary files and have no interesting "strings" from the outside. I suppose the exe contains the logic to make use of this "dll" file.

    The dll URL isn't as fancy as the exe URL:

    28 Jan 2014 - bee-smoka.com/soft32.dll or/soft64.dll
    31 Jan 2014 - vespula-grants.com/soft32.dll or/soft64.dll
    03 Feb 2014 - want-giftmore.com/soft32.dll or/soft64.dll
    05 Feb 2014 - hoegarden-beer.com/r/soft32.dll or/r/soft64.dll
    19 Feb 2014 - gorilla-w-glass.com/l67/soft32.dll or something else

    The /r/ part started showing up on 5 February 2014. Then, around mid-February 2014, the URL started getting kind of randomized. I think the 64-bit "dll" file might have gone away as well.

    Finally, time to DO WORK! - Fake "Search" Sites

    Now that all the setup is done, finally some of the ad fraud stuff!

    The bot will start by visiting a series of totally bullshit "search" websites so that a PPC network can have traffic "referred" to it from something. I'm not sure WHY the bot visits these sites, as the "Referer" header can just be sent without actually going there, but the bots DO go there. These sites don't actually have links going to the PPC networks, nor to other sites, nor do they have functional "search" capabilities.

    Picture of an example fake ppc start point used for asprox botnet ad fraud.

    Most of these domains were registered through the registrar "Public Domain Registry" up until the end of January 2014. A series of domain suspensions led to most of the domains now being registered under... guess? hosthost.biz (aka noc.su)!

    I've counted roughly 75 domain names (some good ones too!) from December 2013 to February 6, 2014. About half were suspended before the switch from PDR to hosthost.biz. Domains include:

    art-gallery-new.com
    betafindgoeasy.net
    bubba-traff.com
    coopon-search.com
    ecig-search.net
    find-a-goodway.com
    find-the-goodway.com
    findagoodway.com
    finsear-teln.com
    forage-for-penguins.com <-- my personal favorite
    good-musical-service.com
    red-search2014.com
    start-search2014.com
    petr-search-hp.com
    vapor-sarch.com
    olympic-search.com <-- HTF did THAT happen?
    gp-search2014.com
    paralimp-search.com
    channel-search2014.com

    Again, they pretty much all point to or around Voxility / Saulhost in Russia / Latvia / Romania:

    109.163.239.243
    109.163.239.226
    109.163.239.240

    I suppose a bot visiting the site tells the bot that the domain is still valid and thus can be used as a referer down the PPC or affiliate chain.

    Down the PPC or affiliate chain

    Next, the bot will visit a site that I like to call the PPC director or PPC router. It takes an HTTP GET request with a certain Referer and hands back a 302 redirect to the appropriate (or chosen?) PPC or affiliate network.

    Picture of general idea of ppc or affiliate director in action, not to scale.

    "Oh, BS website 32? Ok, let me send you to Possibly-Shady PPC company 85", said great-get-bbl.com

    Picture of great-get-bbl routing various crappy referers to various ppc and affiliate networks.

    Some of the domains and IPs for the routing site include:

    regir-clk.com      37.221.168.34  Saulhost / Voxility  Germany
    eleah-bbc.com      37.221.168.34  Saulhost / Voxility  Germany
    great-get-bbl.com  37.221.168.34  Saulhost / Voxility  Germany
    tor-host.com       37.221.168.50  Saulhost / Voxility  Germany

    You'd think someone would talk to Saulhost about this. The bot will launch 5 to 10 "threads" (my term) of traffic that take the fake search site referer through the director and on down the PPC chain to the ad-serving sites. After the batch of threads finishes, the bot starts over with another batch.

    The PPC / Affiliate stuff

    Once the "thread" hits the PPC / Affiliate mess, it becomes hard to tell where the criminals end and the legit companies begin. Most of these servers have no publicly-facing company to talk to about the IP addresses. Some of them do. Some are thankful for the data when they get it, others ignore it. I consider these to be "various levels of shady and legit". However, I don't think these are in the same boat as the fake search sites or the director site.

    Picture of ppc chain taking threads to ad sites.

    Some of these PPC / Affiliate hosts include:


    Following the "thread" through the PPC / Affiliate chain can be a mixed bag of difficulty. Some of these companies use 302 redirects to get traffic to other companies, then to final sites. Some use JavaScript redirects. Some involve 3 or more hops before getting to the ad-serving page. This is all up to the PPC / Affiliate companies and how they do their technology.

    An example of an easy one to follow; this one goes: director --302-> PPC net --302-> ad site:

    Picture of network traffic capture that is easy to follow to ad-serving site.

    Because this PPC / Affiliate company uses 302 redirects and preserves the referer, it is easy to find out which ad-serving site the bot went to. It is also easy for someone to tell the PPC network which referers are bots and which affiliates are sending bots.

    In the cases where a network uses JavaScript or some other way to redirect, you have to do a lot of "follow TCP stream", and sometimes save out the HTTP objects, to examine where the bot went next.

    Additionally, these networks may be members of other networks, creating several levels of redirection of different types before a "thread" gets to an ad-serving site.

    Advertising-serving sites

    Each "thread" that starts with a fake search site will terminate either at an ad-serving site, some PPC company's honeypot, or simply be dropped before getting that far. Most of the threads in a batch will make it to some website serving ads.

    Picture of traffic capture of an asprox bot visiting sites with ads.

    When you see a lot of traffic like doubleclick, bidsystem, rfihub, adexchange, rubiconproject, lijit, pubmatic, and other ad companies, those are all the ads being loaded.

    A few ad-serving sites I see a lot:

    videofactor.com
    bestmomstv.com <-- someone told me mom-themed sites were common in the ad fraud game.
    smartmomstyle.com
    unlimiclick.com
    hgdiy.com
    sportsfascination.com
    blinkx.com
    travelfreak.com

    Even without clicking ads, someone has paid for the ad impression at this point. Another aspect to consider is that the site owners may be victims if they are paying for traffic or SEO results.

    What about the clicks? Everyone calls it click fraud!

    Unless you have visibility on the traffic and data inside the ad companies, it will be hard to distinguish clicks from all the other crazy Lumascape (et al) traffic you see. A page filled with ads will generate a lot of ad traffic. Most clicks are just HTTP GETs or POSTs with lots of data for validation... which looks a lot like all the other ad traffic.

    Often, though, you will find a site in your data that doesn't serve any ads. In this example, I found that my bot had visited broadviewuniversity.edu, to a page for requesting info on their business program.

    Picture of bot going to college.

    In these cases, you kind of have to work backwards. Follow TCP Stream to figure out how you got there.

    Picture of how bot got to broadviewuniversity from jobsense.

    So the bot came from jobsense.com...

    Picture of network traffic showing the asprox bot going from jobsense to broadviewuniversity thru an msn ad.

    ...because of a click on an ad from the MSN ad network. You can even see that the jobsense.com "thread" started with local-search.biz, one of the fake "search" websites.
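    Both the forward following of 302 and JavaScript redirects described under "The PPC / Affiliate stuff" and the working-backwards in this section can be automated once the requests are tabulated. The following is an added example (not code from the original article) that links each request to the response that redirected to it, assigns each thread to the fake-search referer it carried, and traces an ad-serving host back to that referer; the record format, the js_redirect field (filled in by the analyst after reading a JavaScript-redirect body) and the sample query strings are assumptions.

```python
"""Rebuild the redirect "threads" (fake search referer -> director -> PPC /
affiliate hops -> ad-serving site) from tabulated HTTP requests, and trace a
landing site back to the referer that started it.  Added example, not code
from the original article.  The record format, the js_redirect field and the
sample URLs are constructed; the hosts are the ones the write-up names."""
from urllib.parse import urlsplit


def host_of(url):
    """Hostname of a URL, tolerating the scheme-less form used in the write-up."""
    return urlsplit(url if "://" in url else "http://" + url).hostname or ""


def build_threads(records):
    """Link every request to the response that sent the bot to it.

    Each record is a dict with ts, url, referer, status and, when the response
    redirected, either 'location' (the 302 Location header) or 'js_redirect'
    (the target an analyst wrote down after reading a JavaScript-redirect body,
    which no header carries).  A request nobody redirected to starts a new
    thread; its origin is the Referer it carried, i.e. the fake search site.
    Returns [{'origin': host, 'hops': [(host, status), ...]}, ...]."""
    pending = {}        # URL we expect to see fetched next -> its thread
    threads = []
    for rec in sorted(records, key=lambda r: r["ts"]):
        thread = pending.pop(rec["url"], None)
        if thread is None:
            thread = {"origin": host_of(rec.get("referer") or ""), "hops": []}
            threads.append(thread)
        thread["hops"].append((host_of(rec["url"]), rec["status"]))
        if 300 <= rec["status"] < 400:
            target = rec.get("location")
        else:
            target = rec.get("js_redirect")
        if target:
            pending[target] = thread
    return threads


def landing_site(thread):
    """Final host of a thread, or None if it ended on a redirect that was never
    followed (the "dropped before getting that far" case)."""
    host, status = thread["hops"][-1]
    return host if status < 300 else None


def trace_back(threads, landing_host):
    """Work backwards from an ad-serving host to the fake search site(s) whose
    threads ended there, with each thread's hop count."""
    return [(t["origin"], len(t["hops"])) for t in threads
            if landing_site(t) == landing_host]


# Constructed sample modelled on the first iteration in the stream-by-stream
# article; query strings are made up so each hop has a distinct URL, and the
# list is deliberately out of time order.
BM = ("http://www.bettermoms.com/category/parenting/?utm_source=732"
      "&utm_medium=cpc&utm_campaign=732&utm_content=26346")
SAMPLE = [
    {"ts": 336.78, "url": BM, "referer": "http://listsaudiocname.com/", "status": 200},
    {"ts": 335.86, "url": "http://regir-clk.com/?s=a1", "referer": "http://listsaudiocname.com/",
     "status": 302, "location": "http://74.50.103.13/go?x=1"},
    {"ts": 335.90, "url": "http://regir-clk.com/?s=b2", "referer": "http://papfind.net/",
     "status": 302, "location": "http://n.clickga.com/go?x=2"},
    {"ts": 335.95, "url": "http://regir-clk.com/?s=c3", "referer": "http://search-cool.com/",
     "status": 302, "location": "http://xml.digitaltrafficgroup.com/go?x=3"},
    {"ts": 336.20, "url": "http://74.50.103.13/go?x=1", "referer": "http://listsaudiocname.com/",
     "status": 302, "location": "http://c.t.c.adlinker.net/click/1"},
    {"ts": 336.25, "url": "http://n.clickga.com/go?x=2", "referer": "http://papfind.net/",
     "status": 302, "location": "http://clickered.com/r?x=2"},
    {"ts": 336.40, "url": "http://c.t.c.adlinker.net/click/1", "referer": "http://listsaudiocname.com/",
     "status": 302, "location": BM},
    # clickered.com answers 200 with HTML + JavaScript; the analyst recorded the target.
    {"ts": 336.50, "url": "http://clickered.com/r?x=2", "referer": "http://papfind.net/",
     "status": 200, "js_redirect": "http://boroughfind.com/search"},
    {"ts": 342.86, "url": "http://boroughfind.com/search", "referer": "http://clickered.com/r?x=2",
     "status": 200},
]

if __name__ == "__main__":
    for t in build_threads(SAMPLE):
        chain = " -> ".join("%s(%d)" % hop for hop in t["hops"])
        print("%s: %s  => %s" % (t["origin"], chain, landing_site(t)))
    print(trace_back(build_threads(SAMPLE), "www.bettermoms.com"))
```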

    So there you have it.

    This article has explained in general terms how the Asprox botnet conducts ad fraud. This may consist of PPC or referral fraud, impression laundering, and click-fraud. It may also include SEO fraud, but none of the ad-serving site owners would respond to my questions so I have no data on that.

    This shows the general flow and can help you all recognize what is happening at a glance, which beats doing "follow TCP stream" one stream at a time for 1000 streams (which I did the first time).

    More information on the Asprox Botnet.

    Some very good work has been done on this topic by people far smarter than I.

    Herrcore, pretty much a total badass, wrote this on the Kuluoz / Dofoil trojan and Asprox.

    Kimberly, who I still suspect is Russian Mafia, has been working on Asprox too.

    Rebus Snippets / Michal Ambroz saved my life one day with his Asprox Malware As A Service article.

  • Asprox botnet trojan run - advertising fraud 1

    The Asprox Botnet


     

    *note* This was a hastily-written article that focuses on one instance, stream by stream. For a more generalized explanation of Asprox botnet ad fraud, see General Overview 1.

    The Asprox Botnet is a network of infected computers, compromised servers, and command and control systems which allows the owners to use the infected computers for whatever purpose they like.

    The malware used to gain control of computers is often called Kuluoz or Dofoil.

    One use for the infected computers is to distribute more malware, to grow the botnet.

    Another use is advertisement fraud, e.g. click fraud, referral fraud, and impression laundering. This post is intended to document one instance of advertisement fraud I found while experimenting with a Kuluoz/Dofoil trojan.

    For more information on Asprox as a system:

    Herrcore's article: Inside Asprox / Kuluoz Oct-Dec 2013

    Kimberly's article: StopMalvertising: Analysis of Kuluoz Asprox encryption

    Michal's article: Asprox Malware Phishing As A Service

    Trend Micro's article: Asprox reborn [PDF]

    The initial trojan

    The trojan came from a fake "Notice to Appear" court email, in the skadden.com / Skadden, Arps, Slate, Meagher & Flom version that I got on 29 December 2013.

    Raw email: http://pastebin.com/j0rK0pPi  (To: domain name changed)

    Court_Notice_NY_Meagher_and_Flom.exe : VirusTotal report | Malwr report

    These Asprox botnet trojans are often called Kuluoz and Dofoil.

    On 31 December 2013, I ran the trojan.

    This was actually my 3rd clickbot/adbot. It is just VERY time-consuming to comb through the data and make sense of it.

    Time-line of network traffic

    I was smarter this time around with the network capturing. I actually started the capture pretty much when I double-clicked the exe file.

    All traffic here is HTTP unless otherwise specified. Also, "referer" and "referrer" are used interchangeably, so don't get all wrapped up in that.

    0 seconds 103.14.200.33:8080/BF5B25D931... POST encrypted x-www-form-urlencoded data and received about a 60k encrypted response.

    2.84  net-forwarding.com/b/shoe/159 GET and got a 404 Not Found nginx response. net-forwarding.com was at 193.105.210.113.

    9.58  net-forwarding.com/b/shoe/159 GET and got a 404 Not Found nginx response. Again.

    9.98  pap-tech.com/media/video/ GET and received about 167k response, Content-Disposition: attachment; filename=exe.exe | VirusTotal report on this exe file. pap-tech.com was at 109.163.239.246.

    15-ish seconds : computer reboots

    101.22 pap-tech.com/soft32.dll GET and received about 109k response, Content-Type: application/x-msdos-program. GNU/Linux "file" reports the file to be "data"; "strings" shows no usable info | VirusTotal report.

    103.54  kar-gen-pl1.net/b/eve/90341462bab59bfe35e09712 GET and received a Connection: keep-alive "hi!" response. kar-gen-pl1.net was at 176.73.253.215.

    158.45 kar-gen-pl1.net/b/opt/DBB29800B8F9EB9F92786403 POST 178 bytes of encrypted content, received about 149 bytes of encrypted content in response. kar-gen-pl1.net this time pointed to 37.122.25.15.

    Then, 8 more back-and-forth POSTs with encrypted data responses, the last one starting around 329.80 seconds. All of these are to kar-gen-pl1.net at 37.122.25.15.

    330.98 Fake website traffic starts. A series of cookie-cutter fake search websites, all on the same IP, 109.163.239.246, as pap-tech.com, where the trojan updated itself.

    just-get.com
    search-cool.com
    listsaudiocname.com
    findthegoodway.com
    papfind.net
    finditrightway.com
    marketing-nowsearch.com

    Up to around 335.86, the infected host finished loading the CSS and images for the fake search pages.

    335.86 A bunch of calls to regir-clk.com with the fake search pages as the Referer (Referrer), which are 302 redirected to different places. regir-clk.com was at 37.221.168.34. We will call these the first-level 302 redirects.

      regir-clk.com with referer: listsaudiocname.com gets 302 Moved Temporarily to 74.50.103.13

      regir-clk.com with referer: finditrightway.com gets 302 Moved Temporarily to 216.172.63.115/...

      regir-clk.com with referer: search-cool.com gets 302 Moved Temporarily to n.clickga.com/...

      regir-clk.com with referer: findthegoodway.com gets 302 Moved Temporarily to 1928705294.xml.diprotector.com/...

      regir-clk.com with referer: just-get.com gets 302 Moved Temporarily to 74.50.103.14/...

      regir-clk.com with referer: papfind.net gets 302 Moved Temporarily to n.clickga.com/...

      regir-clk.com with referer: marketing-nowsearch.com gets 302 Moved Temporarily to 74.50.103.89/...

    396.52  The first-level 302 redirects start loading.

      1928705294.xml.diprotector.com/... with referer: findthegoodway.com gets 302 Moved Temporarily to www.unlimiclick.com/andi

      74.50.103.13/... with referer: listsaudiocname.com gets 302 Moved Temporarily to c.t.c.adlinker.net/...

      74.50.103.14/... with referer: just-get.com gets 302 Moved Temporarily to c.t.c.adlinker.net/...

      216.172.63.115/... with referer: finditrightway.com gets 302 Moved Temporarily to c4.findology.com/...

      n.clickga.com/... with referer: papfind.net gets 302 Moved Temporarily to clickered.com/...

      n.clickga.com/... with referer: search-cool.com gets 302 Moved Temporarily to xml.digitaltrafficgroup.com/...

      74.50.103.89/... with referer: marketing-nowsearch.com gets 302 Moved Temporarily to c.t.c.adlinker.net/click/...

    336.406 The second-level 302 redirects start loading.

      www.unlimiclick.com/andi GET with Referer: findthegoodway.com and gets a 200 OK response with HTML that creates the most God-awful website, containing nothing but advertisements and popups of more advertisements. Complete garbage ad-fraud site. Pastebin here. This causes calls to ads.clicksor.com/newServing/showAd.php?nid=1&pid=3181... and much more.

      c.t.c.adlinker.net/click/... with referer: listsaudiocname.com gets 302 Moved Temporarily to  www.bettermoms.com/category/parenting/?utm_source=732&utm_medium=cpc&utm_campaign=732&utm_content=26346

      c.t.c.adlinker.net/click/... with referer: marketing-nowsearch.com gets 302 Moved Temporarily to hgdiy.com/category/cooking/...utm_content=26347...

      c.t.c.adlinker.net/click/... with referer: just-get.com gets 302 Moved Temporarily to  hgdiy.com/category/cooking/...utm_content=27850...

      c4.findology.com/... with referer: finditrightway.com gets 302 Moved Temporarily to  7979-69504_159.c.adprotect.net/... ..www.findaset.com....

      xml.digitaltrafficgroup.com/... with referer: search-cool.com gets 302 Moved Temporarily to  thesmallbusinessbuilder.com

      clickered.com/... with referer: papfind.net gets an HTML + JavaScript response with a JS browser redirect to boroughfind.com/... This happened multiple times.

    336.78 The third-level 302 redirects start loading.

      hgdiy.com/category/cooking/?utm_source=732&utm_medium=cpc&utm_content=27850&utm_campaign=732 with the just-get.com referrer produces a website for the . It kind-of looks suspicious to me. Another hgdiy.com page-load happens for utm_content=26347 for the marketing-nowsearch.com referrer.

      www.bettermoms.com/category/parenting/?utm_source=732&utm_medium=cpc&utm_campaign=732&utm_content=26346 with referer: listsaudiocname.com responds with a website. It is filled with BS copy-pasta articles and advertisements.

    337.154  7979-69504_159.c.adprotect.net/... with referrer: finditrightway.com gets html and javascript response that makes it request something from adprotect.net that THEN gives a 302 Moved Temporarily to www.findaset.com/click.php...

    337.75 The finditrightway.com thread with findaset.com goes back and forth a couple times then gets 302 Moved Temporarily to Location: search.answers.com/click.php?...

    338.095 The bettermoms.com thread starts traffic to ad network companies for the listsaudiocname.com referrer:

    adserve.postrelease.com, ad1.adtitan.net, ib.adnxs.com, q1mediahydraplatform.com
    cdn1.skinected.com, objects.tremormedia.com, partner.googleadservices.com
    pagead2.googlesyndication.com, img1.cdn.adjuggler.com, hollywire.rotator.hadj1.adjuggler.net, bid.pubmatic.com
    yorick.adjuggler.net, ads.pubmatic.com, rtax.criteo.com, cdn.fastclick.net, media.fastclick.net, dotomi.com
    ... beacons, tracking pixels, syncs, matches, and clicks.

    Picture of Wireshark capture of ad traffic for bettermoms.com, possibly botnet fraud.

    338.359 search.answers.com/click.php?...  part of the finditrightway.com thread.

    338.406 a whole mess of clicksor.com / unlimiclick.com junk. part of the findthegoodway.com thread.

    338.662 search.answers.com/go.php?to=qnc3.. from the finditrightway.com thread gets 302 Moved Temporarily to Location: http://www.SmartAsk.com/video/989.html?query=null&sour... which gets 302'ed again to www.smartask.com/video/989.html. smartask.com starts loading stuff from all over.

    340.03 thesmallbusinessbuilder.com starts with referrer: search-cool.com. It is filled with BS copy-pasta articles and advertisements.

    340.056 the hgdiy.com thread starts traffic to ad network companies. It was hard to tell which referrer but utm_content=26347 was the marketing-nowsearch.com referrer. Ad company contacts, like a LumaScape salad:

    a.postrelease.com, edge.quantserve.com, flx365.lporirxe.com, lax1.ib.adnxs.com (MANY),
    outbrain.com (MANY), ad.afy11.net (MANY), b.scorecardresearch.com (MANY), r.nexac.com
    db.outbrain.com (MANY), gumgum.com, x.bidswitch.net (MANY), ip.casalemedia.com (several),
    sync.mathtag.com, dtm.potterybarnkids.com, ads.rubiconproject.com, pubmatic.com
    ca.d.chango.com, node-p1e-h1me3o.sitescout.com, showads.pubmatic.com, bh.contextweb.com
    sync.gumgum.us-east.zenoviaexchange.com, bidder-us-east-3.tlvmedia.com
    ... beacons, tracking pixels, syncs, matches, and clicks.

    Picture of Wireshark capture of ad traffic for hgdiy.com, possibly botnet fraud.

    340.29 the hgdiy.com thread starts traffic to ad network companies. Since utm_content=27850, I could link that to the just-get.com referrer.


    340.057 that crappy unlimiclick.com site with referrer: findthegoodway.com is going crazy

    ads.clicksor.cn/newServing/banner_frame.php?....

    340.672 smartask.com/video/989.html from the finditrightway.com referrer thread starts traffic with ad network companies.

    pixel.quantserve.com
    like 92k worth of round trips of quantserve with various referrers.

    340.707 the thesmallbusinessbuilder.com thread starts traffic to ad network companies. This started with the search-cool.com referrer.

    cm.g.doubleclick.net (many), googleads.g.doubleclick.net (many), landsraad.cc
    reviewmaster.org, pagead2.googlesyndication.com, ad-ace.doubleclick.net,
    bid.g.doubleclick.net, 2mdn.net

    Picture of Wireshark capture of ad traffic for thesmallbusinessbuilder.com, possibly botnet fraud.

    342.86 boroughfind.com/... with referrer: clickered.com/..., which started with papfind.net, gets JavaScript redirected to boroughfind.com/search, which looks like a bullshit site full of ads.

    Picture of the flow of redirects to the adfraud and clickfraud websites, iteration 1.

    Once the bot is at the junk site filled with ads, a lot of ad traffic happens.

    So is this "click fraud"?

    It is VERY hard to get Internet advertising companies to look at my data and say "yes, that is what a click looks like". Believe me, I've tried. At a minimum, there are page-loads going on in which impressions are recorded. One advertising company gave me the neat term "impression laundering", which is happening here at a minimum. However, yes, there are clicks going on, though I don't think we can tell how many are valid or accepted.

    Around 812 seconds into the Asprox trojan run, THE WHOLE PROCESS STARTED OVER!

    Fake search sites:

    howcaniask.com
    local-find.us
    local-find.com
    zetaaskquestion.net
    search-name.net
    property-search.us
    papasearc.com

    howcaniask.com -> regir-clk.com -> 216.172.63.115 -> findology.com -> adprotect.net -> welcome.luxurylink.com... something with www.shopitaway.com back to adprotect... it gets kinda crazy there.

    local-find.us  -> regir-clk.com -> 74.50.103.89 -> c.t.c.adlinker.net -> sportsfascination.com (utm_content=26347)

    local-find.com -> regir-clk.com -> diprotector.com -> www.unlimiclick.com/andi2

    zetaaskquestion.net -> regir-clk.com -> 74.50.103.15 -> c.t.c.adlinker.net -> sportsfascination.com (utm_content=27850)

    search-name.net -> regir-clk.com -> n.clickga.com -> clickered.com -> reinvestfind.com

    property-search.us -> regir-clk.com -> n.clickga.com -> mediastinct.com -> admarket.me -> reality-prophet.com -> www.mytopvideos.com

    papasearc.com -> regir-clk.com -> 74.50.103.14  -> c.t.c.adlinker.net -> globaltravelbuzz.com

    The process was starting again at around 860 seconds, but I was shutting down the machine. I did get these fake search sites though:

    search-a-goodway.com
    cantfindthething.com
    instantly-search.net
    search-name.net
    cantfindthething.com

    ... and they were all being run through regir-clk.com when the machine stopped.

    The contacts:

    These were the IP addresses at the time, not as they are now. Many hosts have moved or been shut down already.

    These are just some of the fraud sites and botnet hosts:

    103.14.200.33 - The initial phone-home / check-in, to port 8080. An Australian hosting provider "Hire a Tech Guy" / "Nerdster". This is probably a compromised web server, just like the gunnebojohnson.com host from the Asprox spammer 1 article.

    net-forwarding.com - The second location the infected bot tried; it gave a 404 Not Found. It resolved to 193.105.210.113 when run, and still did when this article was written.

    Domain registration info - net-forwarding.com:
    Admin / Tech : Nikolay Yu Petrov vasya @mail.ru
    prospekt lenina 34-109, Norilsk,Krasnoyarksya,RU 109809

    IP info:
    193.105.210.113 Ukraine
    netname: ISPHOST
    person: Budko Dmutro

    pap-tech.com - The trojan downloaded 2 files from here before the ad fraud started. And like an IDIOT I reported this domain before I got much data. Now it doesn't resolve. ): But in any case, at the time it was at 109.163.239.246.

    Domain registration info - pap-tech.com:
    Admin / Tech : Nikolay Yu Petrov vasya @mail.ru
    prospekt lenina 34-109, Norilsk,Krasnoyarksya,RU 109809

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    kar-gen-pl1.net - The trojan had about 10 http round-trips of encrypted data with this. However, there seems to be a dns round-robin. The first time it resolved to 176.73.253.215 and the other 9 times it was at 37.122.25.15. kar-gen-pl1.net had the following identical A records for round-robining, shown with Geo-IP and network owners:

    109.120.15.198    Russia    omkc.ru
    85.234.169.217    Latvia    baltcom.lv
    89.252.9.160      Ukraine   freenet.com.ua
    79.111.92.215     Russia    ti.ru
    91.105.48.209     Latvia    lattelecom.lv
    188.254.235.254   Bulgaria  bulsat.com
    93.171.79.119     Ukraine   alfatelecom.cz
    176.194.202.124   Russia    ti.ru
    178.160.160.217   Armenia   beeline.am
    75.139.236.8      USA       charter.net (No shit)

       At the time of running, kar-gen-pl1.net listed the following NS records:

    ns1.ligag.ru
    ns2.ligag.ru
    ns3.ligag.ru
    ns4.ligag.ru

    I'm sure this info is of no use:

    Domain name: kar-gen-pl1.net
    Administrative Contact:
    Name: Douglas L. Guerrier
    Organization: N/A
    Address: 4053 Cooks Mine Road
    City: Santa Fe
    Province/state: NM
    Country: US
    Postal Code: 87501
    Phone: +1.5056992982
    Fax: +1.5056992982
    Email: DunphySydnied @gmx.com

    just-get.com - the fake search website. All the fake search sites looked the same.

    Picture of Asprox botnet click fraud start point, fake search page called just-get.com.

     just-get.com resolved to 109.163.239.246.

    Domain info: just-get.com
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrant Email: contact @privacyprotect.org

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    Uh oh! That fake search site is on the SAME IP as the pap-tech.com, where the infected computer downloaded two files from before the fake websites started!

    search-cool.com - Fake search website.

    Picture of Asprox botnet click fraud start point, fake search page called search-cool.com.

     search-cool.com resolved to 109.163.239.246. Same as pap-tech.com!

    Domain info: search-cool.com
    Administrator:
    name:(Alexey A Sidorov)
    mail:(security2guard @gmail.com) +7.4958009823
    Alexey A Sidorov

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    listaudiocname.com - fake search website.

    Picture of Asprox botnet click fraud start point, fake search page called listaudiocname.com.

     listaudiocname.com resolved to 109.163.239.246. Same as pap-tech.com!

    Domain info: just-get.com
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrant Email: contact @privacyprotect.org

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

     

    findthegoodway.com - 109.163.239.246 like pap-tech.com

    Domain info: just-get.com
    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrant Email: contact @privacyprotect.org

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    papfind.net - 109.163.239.246 like pap-tech.com

    Administrator:
    name:(Alexey A Sidorov)
    mail:(security2guard @gmail.com) +7.4958009823
    Alexey A Sidorov

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    finditrightway.com - 109.163.239.246 like pap-tech.com

    Registrar: PDR Ltd. d/b/a PublicDomainRegistry.com
    Registrant Email: contact @privacyprotect.org

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

    marketing-nowsearch.com - 109.163.239.246 like pap-tech.com

    Administrator:
    name:(Alexey A Sidorov)
    mail:(security2guard @gmail.com) +7.4958009823
    Alexey A Sidorov

    IP info:
    109.163.239.246 Russia
    netname: Voxility / Saulhost Hosting

     

     

    www.bettermoms.com - A site that served ads for the bot. It was at 72.21.91.19.

    Picture of bettermoms.com that served ads for the asprox bot.

     ... You can google every article on that site and find it copy-pasta all over the low-grade internets. Lots of ads though.

    Domain info:
    Registrar: GoDaddy.com, LLC
    Registrant Organization: Domain Discreet Privacy Service

    IP info:
    OrgName: EdgeCast Networks, Inc.

    hgdiy.com - A site that served ads for the bot, for two referrers: just-get.com and marketing-nowsearch.com. The site was at wa.

    To be honest, I am on the fence about this site. The articles don't Google all over the place. This MAY be a legit site getting targeted (like I will probably be), or a site that made a bad deal to "increase traffic" with the wrong SEO dudes. In ANY CASE, this site served ads to the Asprox bot, and the bot clicked them. Heck, it could even be a straight-up click-fraud site but with real content, which is nice.... I guess?

    Domain info:
    Registrar: GoDaddy.com, LLC
    Admin Name: Jimmy Hutcheson
    Admin Organization: Hutch Media, LLC

    IP info:
    OrgName: SoftLayer Technologies Inc.

    thesmallbusinessbuilder.com - A site that served ads for the bot. The site was at 74.208.123.87.

    Picture of thesmallbusinessbuilder.com that served ads for the asprox bot.

      Again, nothing but copy-pasta articles found all over the internet.

    Domain Info:
    Registrar: 1&1 Internet AG
    Admin Name: Oneandone Private Registration

    IP Info:
    OrgName: 1&1 Internet Inc.

    sportsfascination.com - Kind of like hgdiy.com because the articles don't Google all over the place. But it does look a little cookie-cutter. It was at 192.155.199.88, which was right next to hgdiy.com.

    Picture of sportsfascination.com that served ads for the asprox bot.

    Domain info:
    Registrar: GoDaddy.com, LLC
    Admin Name: Jimmy Hutcheson
    Admin Organization: Hutch Media, LLC

    IP info:
    OrgName: SoftLayer Technologies Inc.

    globaltravelbuzz.com - copy-pasta articles and advertisements. It was at 72.21.91.19.

    Picture of globaltravelbuzz.com that served ads for the asprox bot.

    Domain info:
    Registrar: GoDaddy.com, LLC
    Registrant Organization: Domains By Proxy, LLC

    IP info:
    OrgName: EdgeCast Networks, Inc.

    How can I do this?

    Get yourself a Windows computer, a late-model Kuluoz / Dofoil trojan, an ethernet switch with a mirror port / monitor port setup, and capture the traffic with tcpdump / wireshark / whatever on a second computer. Then waste a weekend.

    If you see lots of http traffic, you *probably* have a clickbot.

    In the above examples, it started with five to seven fake "search" websites.

    Then, the fake site will be in the referrer for a few hops. You just follow it. Using wireshark display filters:

    http.host contains fakesite.com

    ...gives me the page load of fakesite.com. Not that useful... since you already know fakesite.com by now.

    http.referer contains fakesite.com and not http.host contains fakesite.com

    ... gives me a list of packets where the referrer was fakesite.com but the site isn't. Pick the first packet in the list. Follow stream. If the TCP stream in that list gave me 302 to host: regir-clk.com then:

    http.referer contains fakesite.com and http.host contains regir-clk.com

    ... gives me the response regir-clk.com gave for that referrer. Perhaps it gave back a 302 to adlinker.net, keeping fakesite.com as the referrer.

    http.referer contains fakesite.com and http.host contains adlinker.net

    On down the chain you go, like a depth-first search, using Follow TCP Stream at each hop.

    Or just go one stream at a time.

    Warning: once the "thread" hits the LumaScape salad (you will know it when you start seeing it), you've probably gone far enough.
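To make the referrer-following procedure above concrete, here is an added Python example (not code from the original post) that applies the same logic to HTTP transactions already pulled out of a capture. It assumes each request/response pair has been exported with its TCP stream number, Host, Referer, status code and Location (for example with tshark or a pcap library); the sample transactions below are constructed to mirror the first redirect chain listed above and are not from a real capture.

```python
from dataclasses import dataclass
from typing import List
from urllib.parse import urlparse


@dataclass
class HttpTxn:
    """One HTTP request/response pair extracted from a capture."""
    stream: int          # TCP stream number, what "Follow TCP Stream" groups by
    host: str            # Host: request header
    path: str            # request path and query
    referer: str         # Referer: request header ("" if absent)
    status: int          # response status code
    location: str = ""   # Location: response header on a 3xx, else ""


# Constructed sample transactions mirroring the first chain in the article
# (zetaaskquestion.net -> regir-clk.com -> 74.50.103.15 -> c.t.c.adlinker.net
#  -> sportsfascination.com); paths and ids are made up, not from a capture.
FAKE_REF = "http://zetaaskquestion.net/search?q=shoes"
SAMPLE = [
    HttpTxn(1, "zetaaskquestion.net", "/", "", 200),
    HttpTxn(2, "zetaaskquestion.net", "/search?q=shoes", "http://zetaaskquestion.net/", 200),
    HttpTxn(3, "regir-clk.com", "/click?id=1", FAKE_REF, 302, "http://74.50.103.15/r?x=1"),
    HttpTxn(4, "74.50.103.15", "/r?x=1", FAKE_REF, 302, "http://c.t.c.adlinker.net/t?y=2"),
    HttpTxn(5, "c.t.c.adlinker.net", "/t?y=2", FAKE_REF, 302,
            "http://sportsfascination.com/?utm_content=27850"),
    HttpTxn(6, "sportsfascination.com", "/?utm_content=27850", FAKE_REF, 200),
    HttpTxn(7, "ad.doubleclick.net", "/adj/example",
            "http://sportsfascination.com/?utm_content=27850", 200),
    HttpTxn(8, "search-name.net", "/", "", 200),
]


def referred_elsewhere(txns: List[HttpTxn], fake: str) -> List[HttpTxn]:
    """Same selection as the display filter
    `http.referer contains <fake> and not http.host contains <fake>`."""
    return [t for t in txns if fake in t.referer and fake not in t.host]


def follow_chain(txns: List[HttpTxn], fake: str, max_hops: int = 20) -> List[str]:
    """Walk the redirect chain that leaves the fake search site: take the first
    hop whose Referer is the fake site, then keep following each 3xx Location
    to the next transaction with that Host (and the same Referer), as you
    would by hand with "Follow TCP Stream"."""
    hops = referred_elsewhere(txns, fake)
    if not hops:
        return []
    cur = hops[0]
    chain = [fake, cur.host]
    seen = {cur.stream}
    while 300 <= cur.status < 400 and cur.location and len(chain) < max_hops:
        next_host = urlparse(cur.location).hostname
        cand = [t for t in txns
                if t.host == next_host and t.stream not in seen and fake in t.referer]
        if not cand:
            break          # the redirect went somewhere we never saw loaded
        cur = cand[0]
        seen.add(cur.stream)
        chain.append(cur.host)
    return chain


def render_chain(chain: List[str]) -> str:
    """Print in the `a -> b -> c` notation used in this article."""
    return " -> ".join(chain)


if __name__ == "__main__":
    print(render_chain(follow_chain(SAMPLE, "zetaaskquestion.net")))
```

The walk stops at the first non-3xx response, which is the ad-serving site; the DoubleClick and LumaScape traffic after that point carries the ad site, not the fake search site, as its referrer and so never enters the chain.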

    Does this mean these websites are dirty?

    No, not at all. All the data shows is that the infected computer visited these sites in this order. And some of the extra round-trips in the LumaScape salad are clicks.

    The bots could be there on behalf of some shady SEO company who promised the website owners some magic. The bots could be there to create random traffic to disguise the real traffic. This is beyond the scope of this post.

    So hgdiy.com et al could be fine. Ad companies will have to look at their data and figure that all out. However, data like this could provide ad companies with a list of suspicious sites to take a harder look at.

    regir-clk.com and all those Russian fake search websites? Yeah... those are dirty as shit.

    But how does Asprox make money?

    Heck if I know.

    Either the botnet owners are really running the entire ad fraud system, or they are paid to "do work" by others. Maybe something else entirely.

    Only if someone follows the money (Ad companies, Law Enforcement) will we ever know.

    A word about the ad companies

    It is important to note that there are many legitimate companies in this chain. The stuff between regir-clk.com and the final site with the advertisements, I still have to figure out who those guys are and what they have to say.

    The stuff after the final site with the ads, the DoubleClick stuff, and all the LumaScape stuff... Those are real companies. And in the FEW times I've actually gotten a hold of a real person at those companies they have been very receptive and even very helpful.

    Maybe one day, if their bosses / lawyers / marketers approve, I will be able to thank some of these people here because without their help deciphering the ad traffic I would have been quite lost.

    Even if your bosses say no, thank you to all the ad company people who clued me in!

    Summary

    All I did was run a trojan horse, capture the data, and document my findings here.

    I will gladly give a copy of my PCAP data to ad companies, hosting providers, domain registrars, or security researchers known to me or someone I know.

    As far as I know, there are only 2 ways to rid the world of malware, botnets, and spam:

    One is by physical force; ie. law enforcement, arrests, prosecutions, and jails. Ad fraud is one of the FEW places where real companies hand real money to criminals. Perhaps if SOMEONE followed the money a little, they might be able to unmask the criminals.

    The other is to change the economics; Look at this ONE example I have posted. How many IP addresses and domains are involved? How much talent, code, and ingenuity goes into this? CLEARLY there must be money being made here.

    By running trojans and gathering data, ferreting out the frauds and refusing to pay them for their bad clicks and impressions, we may be able to help change the economics to make malware less attractive.

  • Details of your order from Best Buy - Asprox Malware

    Email:

    Fake Best Buy virus spam email claims they received an order addressed to you which has to be confirmed with the attached file.

    Attached .zip contains a malware executable from the Asprox botnet.


    Subject: Acknowledgment of Order
    Subject: Details of your order from Best Buy
    Subject: Thank you for buying from Best Buy
    Subject: Order Status
    Subject: Thank you for your order

     E-shop Best Buy has received an order addressed to you which has to be confirmed by the recipient within 4 days. 
    Upon confirmation you may pick it in any nearest store of Best Buy.

    Detailed order information is attached to the letter.

    Wishing you Happy Thanksgiving!

    Best Buy

    BestBuy_Order_ID_0408070MN.zip (127)

    Header Examples:

    Spoofs random domains in the From and Envelope (MAIL FROM) headers and the HELO connection string, but the spoofed domain is consistent within each email.

    Received: from ascii-store.com ([204.113.202.75]
    X-Envelope-From: order @ascii-store.com
    From: "Best Buy" <order @ascii-store.com>
    Subject: Acknowledgment of Order

    Received: from themanagedcarestore.com [173.9.122.249]
    X-Envelope-From: manager @themanagedcarestore.com
    From: "Best Buy" <manager @themanagedcarestore.com>
    Subject: Details of your order from Best Buy

    Received: from beaverdamstore.com [24.239.228.45]
    X-Envelope-From: order @beaverdamstore.com
    From: "Best Buy" <order @beaverdamstore.com>
    Subject: Thank you for buying from Best Buy

    Received: from drycleaningstore.com (114.242-net.sccoast.net [66.153.242.114]
    X-Envelope-From: manager @drycleaningstore.com
    From: "Best Buy" <manager @drycleaningstore.com>
    Subject: Thank you for your order

    Asprox emails with attachments almost always come from infected windows bots, as opposed to emails with url links, which come from compromised web sites. A fun artifact of the pc-sent asprox spam is that the windows hostname or netbios name is in the message ID header:

    Message-ID: <002...de34464a8c0 @JoannShannon-PC>
    Message-ID: <00...6ff1d466f0a @ROYAL-CITRIX05>
    Message-ID: <00250...34a59835e895064 @MinPC>
    Message-ID: <000b0...d80401a8c0 @Owner-PC>
    Message-ID: <002a0...1bca80a010a @5733-PC>

    Malware

    17 December 2014

    Attachment : BestBuy_Order_ID_0408070MN.zip containing BestBuy_Order.exe

    VirusTotal report 

    Ad-Aware Gen:Variant.Strictor.72854
    Avast Win32:Malware-gen
    BitDefender Gen:Variant.Strictor.72854
    DrWeb BackDoor.Kuluoz.4
    ESET-NOD32 Win32/TrojanDownloader.Zortob.H
    Emsisoft Trojan.Agent.BGWS (B)
    Fortinet W32/Zortob.H!tr
    GData Gen:Variant.Strictor.72854
    McAfee Kuluoz-FABB!2844FE2DB000
    Norman Kuluoz.JY

    Malwr.com report

    Performs some HTTP requests
    The binary likely contains encrypted or compressed data.
    Executed a process and injected code into it, probably while unpacking
    Steals private information from local Internet browsers
    Installs itself for autorun at Windows startup


  • Facebook password change - Asprox Malware

    Email:

    Fake Facebook virus spam email claims your password was reset due to suspicious activity on your account.

    Link goes to malware download sites.

    This is another email template for the Asprox botnet to spread malware.


    Subject: Facebook password change

     Hi, 

     Your Facebook password was been reset on Thursday, December 11, 2014 at 03:48PM (UTC) due to suspicious activity of your account.

     Operating system: [ some operating system ]
     Browser: [ some browser ]
     IP address: [ some ip address ]
     Estimated location: [ some location city, state, zip, etc ]  

     To restore the password complete this form, please, your request will be considered within 24 hours.

     Thanks,
     The Facebook Security Team
        Facebook, Inc., Attention: Department 425, PO Box 10005, Palo Alto, CA 94303

    Picture of fake Facebook email about password reset from the Asprox botnet.

    The IP address and Estimated location fields just come with the email template, each batch of emails gets a different template. They don't mean anything.

     Hi, 

    Your Facebook password was been reset on Thursday, December 11, 2014 at 05:09PM (UTC) due to suspicious activity of your account.

    Operating system: IOS
    Browser: Opera
    IP address: 165.149.137.72
    Estimated location: Tahoe Valley, CA, US

     

     Hi, 

    Your Facebook password was been reset on Thursday, December 11, 2014 at 06:24PM (UTC) due to suspicious activity of your account.

    Operating system: Android
    Browser: Mozilla Firefox
    IP address: 164.12.172.103
    Estimated location: Rochester, NY, US

    A list of some of the "estimated locations" I have found on these emails:

    Walker, WV, US
    Rochester, NY, US
    Astoria, OR, US
    Lehigh Acres, FL, US
    Philo, CA, US
    Blanchard, PA, US

    ... and many more.


    Header Examples:

    Spoofs random domains in the From headers. The Envelope (MAIL FROM) headers pick up the hostname of the compromised web server that is sending the email.

    Received: from demo.onlinehorizons.net [38.111.46.90]
    X-Envelope-From: amrtest @demo.onlinehorizons.net
    From: "Facebook" <notification @test.use-trade.com>
    Subject: Facebook password change

    Received: from vps.assamcompany.com [209.140.28.78]
    X-Envelope-From: countmei @vps.assamcompany.com
    From: "Facebook" <notification @countmeinconference.org>
    Subject: Facebook password change

    Malware

    11 December 2014 

    Link to malware download URL

    The link will point to a URL on a compromised web server. The download php file will check your user agent (to make sure you are using Windows + IE) and your IP address (to make sure you didn't try too many times, like a malware researcher would). If the conditions are right, you will be handed back a zip file (which is actually only proxied by the compromised server). The zip will contain an exe trojan which joins your computer to the Asprox botnet. Links are like:

    actmedya.com/files.php?fb=omlMzi0VFm4K3/Z5bgwySgHd1lMuAeG0YKdSsOqxi04=
    v3f.fr/gallery.php?fb=HblUFXFnmzjRM8+cb4ws0X...
    xilicate.com/press.php?fb=M3YM8JIRClwqRNGgFD...
    truel.net/tmp/model.php?fb=3JSihGcw4g6Ysm5Injb+4...
    tuxedofarms.com/functions.php?fb=so+JcsXPpnZfCQlsSNcTLAe1...
    theindustriegirl.com/css.php?fb=NqZS/mAQatHQiSXH1...
    trecho.com.uy/tmp/model.php?fb=dDCsXFoDtUnJGUlgz5...

    There will be about 100 compromised websites per day used for Asprox downloader locations. The malware isn't actually stored on those servers, but downloaded THROUGH them from another server. Notice the fb= GET parameter for this specific campaign. Others include fdx for fake Fedex Emails and vib for the Viber series.

    The EXE can have a unique hash every 3 minutes, every 6 minutes, a couple of times a day, or sometimes the same EXE will be used all day long.

    Each EXE will come with 5 to 10 IP addresses to try to report to for updates and instructions.

    The most commonly-accepted name for this Asprox trojan is "Kuluoz". If you are using a different name, you and I can never be friends.

    Downloaded file : FB_Password_Reset_Form.zip containing FB_Password_Reset_Form.exe 

    VirusTotal report 

    Avast Win32:Malware-gen
    CMC Packed.Win32.TDSS.2!O
    Comodo TrojWare.Win32.Kuluoz.EMK
    Cyren W32/FakeAlert.5!Maximus
    F-Prot W32/FakeAlert.5!Maximus
    Qihoo-360 Malware.QVM10.Gen

    Malwr.com report 

    Since this sample didn't play so well on the above sandboxes, I ran it myself:

    Classic icon flavor.

    Picture of icon of executable from asprox email.

    Behavior:

    Injected to svchost.exe
    svchost.exe had mutex aa[username]
    Attempted to check in with c2 infrastructure at:
    109.234.156.84:8080
    133.242.54.221:443
    162.255.86.196:8080
    208.81.237.99:8080
    70.32.100.120:8080
    93.189.94.42:443
    94.23.33.107:8080

    Those IP addresses are generally compromised servers acting as a command and control proxy. As they are cleaned up, each new exe will likely come with a few new IP addresses and drop the dead ones. After a couple months, it will be rare for another Kuluoz trojan to come with any of the same IP addresses.

    What happens after your computer joins the Asprox botnet?

    Your computer will be used for whatever they want to use it for.

    Popular choices are adfraud, several methods of stealing passwords [1] [2] , sending more malware spam, and anything they want to do. They are like a stolen-computers-as-a-service provider.

    The fun new thing (which was old, and just came back) is the Fake Antivirus push described by Brad from malware-traffic-analysis.net.

    Rebus Snippet's long-lived rolling Asprox saga.

    Herrcore's analysis of the one generation of the windows bot itself.

    Kimberly's analysis of several versions and some of the work-related modules.

    Brad from malware-traffic-analysis.net has documented many previous Asprox mail campaigns. [1] [2] [3]


  • Hearing of your case in Court NR#... - Virus

    Email:

    A fake Notice to Appear at court claims you need to bring all documents and witnesses. Later versions mention pretrial notice and being a defendant for something like illegal software use.

    Attached zip file contains an exe virus or trojan horse.

    Spoofs some law firm domain like jonesday.com, lw.com, mwe.com, hoganlovells.com, skadden.com, gibsondunn.com, cov.com, bakerbotts.com, orrick.com, bryancave.com, perkinscoie.com, alston.com, dechert.com, sullcrom.com, or seyfarth.com in headers.

    This is an Asprox botnet email spreading Kuluoz / Dofoil malware.

    Jones Day / Latham & Watkins / Hogan Lovells / McDermott Will & Emery / Skadden, Arps, Slate, Meagher & Flom / Gibson Dunn / Covington & Burling / Baker Botts / Orrick, Herrington & Sutcliffe / Bryan Cave / Perkins Coie / Alston & Bird / Dechert / Sullivan & Cromwell / Seyfarth Shaw are real law firms; these emails are NOT from them.

    On 11 March 2014, there was a series of copy-cat "notice to appear in court" emails that basically copied this series. Different botnet, different malware. And once again, Asprox was doing it before it was cool.


    Subject: Pretrial notice

     BRYAN CAVE

    A Broader Perspective

    Pretrial notice Hereby we inform that you are obliged to come as a defendant to North Carolina Court of Appeals on
    February 15th, 2015 at 11:00 a.m. for the hearing of your case of illegal software use.

    If necessary you have a right to obtain a lawyer for your protection. You are kindly asked to have an identity
    document with you. Personal appearance is compulsory.

    Please find the plaint note with more detailed case information on our site and study it thoroughly.

    Court clerk,
    Santiago Andrews

    Copyright 2015 (c) All rights reserved

     Picture of fake Bryan Cave lawfirm email with malware links.

    Subject: Notice to Appear in Court

    ReedSmith

    The business of relationships

    Notice to Appear,

    To view copy of the court notice click here. Please, read it thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Copyright (c) 2015 | All right reserved

    Picture of fake Reed Smith malware email.

    Subject: Urgent court notice

     Skadden

    Skadden, Arps, Slate, Meagher, & Flom LLP, Affiliates

    Notice to Appear,

    Hereby you are notified that you have been scheduled to appear for your hearing that will take
    place in the court of Washington in February 10, 2015 at 10:00am. Please bring all documents and
    witnesses relating to this case with you to Court on your hearing date.

    Please, read the copy of the court notice thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Clerk of Court
    Jacob House

    Copyright (c)2015

    Picture of fake Skadden Arps lawfirm malware email.

    Subject: Hearing of your case in Court NR#3578

    Subject: Urgent court notice NR#86455

    Subject: Notice to appear in court NR#9530

    Subject: Notice of appearance in court NR#1376

    Subject: #Notice of appearance in court Order 9236

    Subject: #Notice to appear in court Order 6435

    Subject: #Urgent court notice Order 91995

    Notice to Appear,

    Hereby you are notified that you have been scheduled to appear for your hearing that
    will take place in the court of Washington in January 19, 2014 at 10:00 am.

    Please bring all documents and witnesses relating to this case with you to Court on your hearing date.

    The copy of the court notice is attached to this letter.
    Please, read it thoroughly.

    Note: If you do not attend the hearing the judge may hear the case in your absence.

    Yours truly,
    Ruth Mason
    Clerk to the Court.

    Court_Notice_Jones_Day_Wa#5837.zip (118)

    Other clerk names: (These are a LOT like the Beauty Contest Winner CV emails)

    Chloe Smith
    Ruth Tailor
    Ruth Mason
    Karen Tailor
    Alena Mason
    Emily Mason
    Dorothy Smith
    Evie Tailor
    Alison Tailor
    Maria Mason
    Helen Mason
    Bruce Tailor <-- well... except that guy.

    Subject: Notice to appear in court No#6938

    Hereby you are informed that you are due in the court of New York
    on the 12 of January, 2014 at 09:00 am for the hearing of your case.
    You are kindly asked to prepare and bring the documents relating to the case to Court on the specified date.

    Please, download the copy of the court notice attached herewith to read the details.
    Note: The case may be heard by the judge in your absence if you do not come.

    Yours truly,
    Thompson Gonzalez
    Clerk to the Court.

    Court_Notice_Latham_and_Watkins__NY82569.zip (121)

    Subject: Notice of appearance in court CH#6016

    Notice to appear,

    Hereby you are notified that you are expected
    in Chicago Court for the hearing of you case in January 21, 2014.

    Enclosed please find the copy of the court notice for the case mentioned above.
    Attendance compulsory.

    Yours very truly,
    BOONE Goff
    Clerk of court.

    Court_Notice_Chicago_CN03514.zip (122)

    Subject: Urgent court notice No67075

    Notice to Appear in Court,

    This is to advise that you are required to attend
    the court of Los Angeles in January 9, 2014 for the hearing of your case.

    Please, kindly prepare and bring the documents related to this case to Court on the date mentioned above.
    Attendance is compulsory.

    The copy of the court notice is attached to this letter, please, download and read it thoroughly.

    FISCHER MADDOX
    Clerk to the Court.

    Court_Notice_Los_Angeles_No7507.zip (145)

    Subject: #Notice to appear in court NO1441-111

    Notice to appear,

    Hereby you are notified that you are expected
    in St. Louis Court for the hearing of your case in January 8, 2014.

    Enclosed please find the copy of the court notice for the case mentioned above.
    Attendance compulsory.

    Yours very truly,
    FAULKNER HENRY
    Clerk of court.

    03_12_14_Court_Notice_St._Louis_9649.zip (115)

    Subject: #Hearing of your case in Court 60567

    Subject: Illegal software use #order #No908

    Subject: Judicial summons No6186

    Subject: Pretrial notice No3866

    Pretrial notice,

    Hereby we inform that you are obliged to come as a defendant
    to The Court of Louisiana in February 26, 2014 at 09:00 a.m.
    for the hearing of your case of illegal software use.
    If necessary you have a right to obtain a lawyer for your protection.

    You are kindly asked to have an identity document with you.
    Personal appearance is compulsory.

    Please find the plaint note with more detailed case information
    attached to this letter and study it thoroughly.

    Court clerk,
    Isabella Mason

    Plaint Note_06_01_2014_No8100.zip (113)

     

    Notice of appearance,

    You are hereby notified that you are required to attend
    the court of Chicago in January 11, 2014 as a defendant
    for the hearing of a pirated software case.

    Compulsory attendance.
    You may have the services of a lawyer, if necessary.
    Failure to appear may result in the imposition of sanctions.

    More detailed information regarding the case can be found attached to this letter.

    Court agent,
    Susan Mason

    10-01-2014_Notice_of_Appearanc_Information_No56686.zip (112)

    Subject: Notice of court attendance No7305

    Court hearing notice.

    As a defendant you have been scheduled
    to attend the hearing in the Court of New York.
    Hearing date: 28 January 2014
    Hearing time: 9:00 a.m.

    Hearing subject: illegal use of software.
    Prior to the court thoroughly study the plaint note in the attachment to this mail.

    Sincerely,
    Court agent,
    Mary Mason

    Plaint_Note_US_Copy_N2275.zip (147)

    Headers and sources

    URL-style emails

    These almost ALWAYS come from compromised web servers (vice attachment-style emails which come from windows bots). A dropped php script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Baker & McKenzie" <support@ [ domain of compromised web server]>
    Subject: Hearing of your case in Court

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Bryan Cave" <support@ [ domain of compromised web server]>
    Subject: Judicial summons

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Hogan Lovells" <support@ [ domain of compromised web server]>
    Subject: Notice of appearance in court

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Skadden" <support@ [ domain of compromised web server]>
    Subject: Pretrial notice

    Also :
    Subject: Urgent court notice
    Subject: Illegal software use
    Subject: Notice of appearance

    Attachment-style emails

    These usually come from infected PCs and spoof a specific law firm domain like jonesday.com, lw.com, hoganlovells.com or mwe.com in the From, Envelope, and HELO. The spoofed domain changes from one email to the next but is consistent within a single email. This is an Asprox email, not sloppy like the Cutwails.

    Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
       X-Envelope-From: help.support016 @alston.com
       From: "Pretrial Notice" <help.support016 @alston.com>
       Subject: Court notification No726

    Received: from dechert.com (mail.medvetohio.com) [74.218.67.50]
       X-Envelope-From: information @dechert.com
       From: "Illegal software" <information @dechert.com>
       Subject: Judicial summons ID8906

    Received: from sullcrom.com (173-161-7-6-Illinois.hfc.comcastbusiness.net) [173.161.7.6]
       X-Envelope-From: notice_support.4 @sullcrom.com
       From: "Pretrial Notice" <notice_support.4 @sullcrom.com>
       Subject: Illegal software use #number #N#130

    Received: from seyfarth.com [69.80.69.226]
       X-Envelope-From: support.5 @seyfarth.com
       From: "Notice of Appearance" <support.5 @seyfarth.com>
       Subject: Judicial summons No3354

    An interesting artifact, the NETBIOS name of the infected windows computer is in the Message-ID header:

    Message-ID: <002401cefff99e3a2b782000000a @jacques-pc>
    Message-ID: <002b01cf000e988a97980201a8c0 @CATHY-DESKTOP>
    Message-ID: <000901cefff0a1423b818114a8c0 @SCHEDULING2>
    Message-ID: <002601cefff6d33f57cc4db366ae @Owner-PC>
    Message-ID: <002801cefff9249b166a0400a8c0 @PickeringComp>
    Message-ID: <000e01cf0015b42fb3289101a8c0 @JackBrenner-PC>
    Message-ID: <000d01cf000c8b2775bc1200000a @JOHN-PC>
    Message-ID: <000b01cf002f$3de2c406$0401a8c0 @JaneikaSweet-PC>
    Message-ID: <002501cf002f4cf202eb53e77018 @robertandmel-PC>
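The header artefacts described in this post and in the Best Buy and Facebook posts above (a NetBIOS name in the Message-ID for PC-sent mail; a www-data@ envelope sender or a From domain that doesn't match the envelope for mail sent through a compromised web server) can be turned into a small triage classifier. The following is an added Python example, not code from the original posts; the header sets are constructed from the examples on this page with placeholder Message-IDs, and the classification rules are my reading of the observations in these posts, not a published signature.

```python
import re
from email.utils import parseaddr
from typing import Dict, Tuple

# Received: from <HELO> (<reverse DNS>) [<ip>]  -- the rDNS part is optional
RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)(?:\s+\((?P<rdns>[^)]*)\))?\s*\[?"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\]?")

# Constructed header sets modelled on the examples in these posts; the
# Message-ID values are placeholders, not real ones.
PC_SAMPLE = """\
Received: from alston.com (mail.gothamsales.com) [173.15.171.58]
X-Envelope-From: help.support016@alston.com
From: "Pretrial Notice" <help.support016@alston.com>
Subject: Court notification No726
Message-ID: <000000000000000000000000@EXAMPLE-PC>
"""

WEB_SAMPLE = """\
Received: from demo.onlinehorizons.net [38.111.46.90]
X-Envelope-From: amrtest@demo.onlinehorizons.net
From: "Facebook" <notification@test.use-trade.com>
Subject: Facebook password change
Message-ID: <00000000000000@demo.onlinehorizons.net>
"""

WWWDATA_SAMPLE = """\
Received: from www.compromised-example.org [192.0.2.10]
X-Envelope-From: www-data@compromised-example.org
From: "Bryan Cave" <support@compromised-example.org>
Subject: Judicial summons
"""


def parse_headers(raw: str) -> Dict[str, str]:
    """Split 'Name: value' lines into a dict (first occurrence of a name wins)."""
    hdrs: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        hdrs.setdefault(name.strip().lower(), value.strip())
    return hdrs


def classify(raw: str) -> Tuple[str, Dict[str, bool]]:
    """Return a label plus the individual indicators it was derived from."""
    h = parse_headers(raw)
    m = RECEIVED_RE.search(h.get("received", ""))
    helo = (m.group("helo") if m else "").lower()
    rdns = (m.group("rdns") or "" if m else "").lower()
    env_local, _, env_dom = parseaddr(h.get("x-envelope-from", ""))[1].rpartition("@")
    from_dom = parseaddr(h.get("from", ""))[1].rpartition("@")[2].lower()
    mid = re.search(r"@([^>\s]+)", h.get("message-id", ""))
    mid_host = mid.group(1) if mid else ""
    ind = {
        # a Windows hostname / NetBIOS name has no dots; a mail server FQDN does
        "netbios_message_id": bool(mid_host) and "." not in mid_host,
        # a PHP mailer on a compromised web server sends as the web server user
        "webserver_envelope": env_local.lower() == "www-data",
        "from_matches_envelope": from_dom == env_dom.lower(),
        "helo_matches_from": helo == from_dom,
        # HELO claims the spoofed firm while reverse DNS says something else
        "helo_differs_from_rdns": bool(rdns) and rdns != helo,
    }
    if ind["netbios_message_id"] or (
            ind["from_matches_envelope"] and ind["helo_matches_from"]
            and not ind["webserver_envelope"]):
        label = "attachment-style (infected PC; From/Envelope/HELO spoofed to one domain)"
    elif ind["webserver_envelope"] or not ind["from_matches_envelope"]:
        label = "url-style (compromised web server; From spoofed, envelope is the server)"
    else:
        label = "undetermined"
    return label, ind


if __name__ == "__main__":
    for sample in (PC_SAMPLE, WEB_SAMPLE, WWWDATA_SAMPLE):
        print(classify(sample)[0])
```

The indicator dict is returned alongside the label so a mail filter can log which rule fired; on its own none of these is proof of anything (plenty of legitimate small senders have a mismatched HELO), which is why the label is only a triage hint and the NetBIOS-style Message-ID is the strongest single signal.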

    Malware:

    7 January 2015

    Link to download : ReedSmith_Notice_00734995.zip containing ReedSmith_Notice_00734995.exe

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    agava-artpak.com/proxy.php?rs=cfKmrhc0KWFosYRo69yv5v9BhSSvxsNrbVuCaGec/FQ
    airoweb.com/test.php?rs=u6JbL/8tCI7VdQfIdXFQEgJDeNcdD/ntYNMQb/wvlUo
    client.thelode.com.au/db.php?rs=yS8WUfOxSLmhYrJ4cIewjZuT/FRSaKBR+zMT61OQBzU
    download.levelxstudios.com/db.php?rs=Nby8+ET234q+g/GDu0lZl1sOwOX2qsOAm0yBavpDGUc
    secure.badgercomplianceconsulting.com/code.php?rs=tnCRoJbLtKG3gEgTNmD8mZDikvj4DpeDh8MGhSa4si0
    vaultsage.com/code.php?rs=9WKhIfuiGKyMuBr3gvkU6g9s7atFOalPm4gVOWtAo9g
    admin.ttc-toggenburg.ch/search.php?sk=Larw1RxhFglpQiOnaiZ9c2r+RuddWbHB69py+hUWnKU
    aszh.com/global.php?sk=B4q8qSd/OEHV+4fyO0QynvJiz/Il1IYxrXqolaCFMSM
    avout.com/global.php?sk=Kw7WhtDwyhiv0DLwS3w74gJAEvhYGFCVru4StwcVzW8
    madeathens.gr/defines.php?sk=RnipY1ERaCWFB9V+P4hDZzPmveRdTpXF8iyLaW9srb8
    podologuethonon.com/code.php?sk=Nsix1k3KH4EgsB9LLNxOiaaNt0UG6tpF7l3vEbzYwT8

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer.

    VirusTotal report 

    Avast        Win32:Malware-gen
    ESET-NOD32   Win32/TrojanDownloader.Zortob.H
    McAfee       Downloader-FAII!139376F90938
    Norman       Kuluoz.KX
    Rising       PE:Malware.FakeDOC@CV!1.9C3C

    Malwr.com report 

    These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

    Picture of trojan run from law firm complaint malware email.

    This sample runs like a champ. Injects to systray.exe (which is kind-of new, it used to be svchost.exe), aa[user] mutex, and a nice list of C2 check-in locations. An Asprox bot. The c2 proxies in this sample:

    192.241.135.69:443
    31.186.5.20:8080
    194.146.226.230:8080
    109.234.156.83:8080
    67.18.12.2:8080
    185.66.12.185:443

    23 December 2013

    VirusTotal report | Malwr.com report 

    VirusTotal report | Malwr.com report | File-Analyzer.net report

    24 December 2013

    VirusTotal report | Malwr.com report| File-Analyzer.net report

    30 December 2013

    VirusTotal report | Malwr.com report | File-Analyzer.net report 

    3 January 2014

    VirusTotal report  | Malwr report | File-Analyzer.net report

     

    More about Asprox

    Kimberly at StopMalvertising.com on asprox

    Michal Ambroz at Rebus Snippets on asprox

    Herrcore's post on asprox

    What happens when Asprox has control of your computer?

    Among other things:

      Your computer can be used to spam more people with malware.

      Your computer can be used to commit advertisement fraud.

    If this was at least a little helpful, how about a +1, Like, or Tweet?

  • Order Confirmation - Walgreens - Asprox Malware

    Email:

    Fake Walgreens virus spam email claims they received an order addressed to you which needs your confirmation using the provided link.

    Link goes to compromised sites to download Asprox malware.

    Big thanks to Project Honey Pot for finding this.

    Picture of tweet from Project Honeypot about the fake Walgreens email.

    Another big thanks to "Lynn" who sent me more data for this email, including email headers and intact html giving us a better screenshot of this rare and elusive malware email!


    Subject: Order Confirmation

     [ Walgreens logo ]

    AT THE CORNER OF HAPPY & HEALTHY

    Pharmacy & Health | Poto | Shop Products

    E-shop Walgreens has received an order addressed to you which has to be confirmed by the recipient within 4 days. Upon confirmation you may pick it in any nearest store of Walgreens.

    Detailed order information is provided here.

    Walgreens

    Notice of Privacy Practices :: Terms of Use :: Online Privacy & Security


    © Copyright 2014 Walgreen Co. All rights reserved.

    Thanks Lynn!

    Picture of fake walgreens email with malware link.

    An earlier submitted picture of the email with slightly mangled html:

    Picture of fake Walgreens email with malware download link.


    Headers:

    Asprox URL-style emails almost ALWAYS come from compromised web servers (vice attachment-style emails which come from windows bots). A dropped php script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from [185.25.185.3]
    Envelope : <toyotaparts @burdickcars.com>
    From: Walgreens <toyotaparts @burdickcars.com>
    Subject: Order Confirmation

    Received: from unknown (HELO p3plibsmtp01-05.prod.phx3.secureserver.net) ([10.6.12.127])
    From: Walgreens <tquanbeck @real-time.com>
    Reply-To: Walgreens <tquanbeck @real-time.com>
    Subject: Order Status

    Malware:

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    sttc.nu/dirs.php?w=8jhbz5yel1VzRf2adBGrxAbivqTF/GTY2qAG8dW+Cao=

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. The zip and executable file may be named based on the geo-ip city your request came from, for example: Walgreens_OrderID-156111-West_Jordan.zip containing Walgreens_OrderID-156111-West_Jordan.exe

    The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

    VirusTotal report 

    ESET-NOD32     a variant of Win32/Kryptik.CMZR
    F-Prot         W32/FakeAlert.FY.gen!Eldorado
    Kaspersky      HEUR:Trojan.Win32.Generic
    Malwarebytes   Trojan.Downloader
    McAfee         Downloader-FAII!20E35117C332
    Norman         ZBot.CKEK
    Symantec       Packed.Generic.463

    Malwr.com report 

    Starts servers listening on 0.0.0.0:0
    Performs some HTTP requests
    Steals private information from local Internet browsers
    Installs itself for autorun at Windows startup

    HTTP POSTs to: 82.165.155.77:8080

    TotalHash report 

    HTTP POSTs to:
    110.77.220.66:443
    96.30.22.96:8080
    95.131.70.168:8080
    74.221.221.58:8080
    195.28.181.184:8080
    85.12.29.254:8080
    69.64.32.247:443
    82.165.155.77:8080

    Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.

    Some of these Kuluoz trojans are getting better at avoiding some of the publicly-available sandboxes like Malwr.com. This comes and goes, a constant arms race, I'm sure. The sample I downloaded from the url found by Project Honey Pot (sttc.nu), didn't run so well in those sandboxes. But rest assured, this kuluoz runs fine.

    Picture of asprox kuluoz sample running like a champ.

    Injects to svchost.exe, aa[user] mutex, and a nice list of C2 check-in locations. An Asprox bot.


  • Parking Violation Notice - Asprox Malware

    Email:

    Fake parking violation notice virus spam email claims that your parking citations have not been paid and the fines are due in a specified number of days.

    Link goes to compromised sites to download Asprox malware.


    Subject: Parking Violation Notice

     Parking violation notice

    City of New York records indicate that a parking citation(s) issued to the vehicle described below has not
    been paid. This fines and applicable penalties area past due and must be paid within the next ten calendar
    days. DMV records show that you are/were the registered owner at the time this vehicle was cited. Therefore,
    you are legally responsible for responding to this notice.
    Ticket Number   Violation            Fine   Payment Received   AMOUNT DUE
    7099135         PROHIBITED PARKING   $40    $0.00              $40
    For more information, please visit here and get your parking ticket.

    Subject: Parking Violation Notice

     Parking violation notice

    City of Phoenix records indicate that a parking citation(s) issued to the vehicle described below has not been
    paid. This fines and applicable penalties area past due and must be paid within the next ten calendar days. DMV
    records show that you are/were the registered owner at the time this vehicle was cited. Therefore, you are
    legally responsible for responding to this notice.
    Ticket Number   Violation                    Fine   Payment Received   AMOUNT DUE
    5135977         HANDICAPPED SPACE VIOLATION  $40    $0.00              $40
    For more information, please visit here and get your parking ticket.

    Picture of fake New York parking violation email with asprox malware link.

    Subject: Parking Violation Notice

     Parking violation notice

    City of Houston records indicate that a parking citation(s) issued to the vehicle described below has not been
    paid. This fines and applicable penalties area past due and must be paid within the next ten calendar days. DMV
    records show that you are/were the registered owner at the time this vehicle was cited. Therefore, you are
    legally responsible for responding to this notice.
    Ticket Number   Violation                                 Fine   Payment Received   AMOUNT DUE
    8074741         PARKING IN "NO STOPPING-STANDING" ZONE    $40    $0.00              $40
    For more information, please visit here and get your parking ticket.

    Various cities so far:

     City of Chicago 
    City of Dallas
    City of Houston
    City of Los Angeles
    City of New York
    City of Philadelphia
    City of Phoenix
    City of San Antonio
    City of San Diego
    City of San Jose

    Various violations so far:

     FIRE LANE VIOLATION 
    HANDICAPPED SPACE VIOLATION
    METER VIOLATION
    OFF-STREET HEAD-IN METER VIOLATION <-- huh?
    PARKING IN "NO STOPPING-STANDING" ZONE
    PARKING TRACTOR-TRAILER COMBO
    PROHIBITED PARKING

    Headers:

    Asprox URL-style emails almost ALWAYS come from compromised web servers (vice attachment-style emails which come from windows bots). A dropped php script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Parking Violations Bureau" <support@ [ domain of compromised web server]>
    Subject: Parking Violation Notice

    Received: from vm5.digitalserver.org [184.107.173.90]
    X-Envelope-From: rh @arspc.com.mx
    From: Parking Violations Bureau <rh @arspc.com.mx>
    Subject: Parking Violation Notice

    Received: from srv36.turhost.com [94.199.206.36]
    X-Envelope-From: afhmanager34 @srv36.turhost.com
    Subject: Parking Violation Notice
    From: "Parking Violations Bureau" <support @ajansfotografhane.com>

    Malware:

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    southshorephilharmonic.org/defines.php?violation=3KKDJmadjO+LjKt+e2iWovYdeLI6UlDFEan/TPGF1Ps=
    udominikana.com/help.php?violation=x1WRL7ALMWverkSmAegGh01U1pPpNs5D32LnUd6hHb0=
    polymetrix.com/help.php?violation=ARYdACKqnTtU64h8/kOUzPOMQ50+r1gFz3ZIurURQvI=
    pro-populus.eu/files/defines.php?violation=D53WWlN6Y/vcmEwda9Jiga0VtG9a51oqPE375l4bC2M=
    maasrun.be/webtv/defines.php?violation=CtrmF12ZRLutxYUzQ7B1Azq1L8rUIFbW+fdROf+aPGA=
    oneforeverfreedom.com/test.php?violation=Xf4Hk4eWgbd+kXgXDJeivaqR2tUZEZPQsoFzJFS5UAY=
    iedereenatleet.be/files/help.php?violation=k+ZAMmcV8EDor1dFNnXS9YzI8KGCLRVk54LazIupS9E=
    kdvfamilia.be/files/defines.php?violation=MQFF5TiZMDVg7MFFsWKM+AhqQb0wFLk6UNF0FN0xYXk=

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. In my case, I got Parking_Ticket.zip containing Parking_Ticket.exe.

    The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

    VirusTotal report 

    Malwarebytes   Trojan.Email.FakeDoc
    Norman         Kuluoz.KR
    Qihoo-360      Malware.QVM10.Gen
    Rising         PE:Malware.FakeDOC@CV!1.9C3C

    Malwr.com report 

    These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

    Picture of trojan run from parking violation malware email.

    This sample runs like a champ. Injects to svchost.exe, aa[user] mutex, and a nice list of C2 check-in locations. An Asprox bot. The c2 proxies in this sample:

    109.123.107.32:8080
    195.154.71.156:8080
    199.233.237.154:8080
    217.106.239.250:443
    74.208.65.138:8080
    81.177.22.146:443
    85.159.145.159:8080

    Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.


  • Ship Notification - Tracking Number, ID ... - Fake Fedex - Asprox Malware

    Email:

    Fake FedEx virus spam email claims your parcel arrived but could not be delivered, and that you can print a label using the provided link and take it to the nearest office.

    Link goes to malware download sites.

    This is an old-school Asprox malware spam template that comes up again and again. This was one of my first email articles, before I even knew what Asprox was.

    This template was once replaced by DHL Pack Station series, but so far this template has outlived it. But man, the Pack Station was a rockstar in its day.


    Subject: Ship Notification

    Subject: Shipment status ID#00952038

     Dear Customer, 

    Your parcel has arrived at October 30. Courier was unable to deliver the parcel to you.
    To receive your parcel, print this label and go to the nearest office.

    Get Shipment Label

    FedEx 1995-2014

    Picture of fake fedex email with asprox malware link.

    Subject: Tracking Detail (Q)WGY30 463 686 2608 1646

    Subject:  ID (F)VVS77 587 511 4690 7273

    Subject:  Tracking Number (K)XC46 759 576 3876 3171

    Subject: Tracking Number (I)SX03 415 858 0955 7615

    Subject: Tracking ID (P)GHJ50 271 271 5590 5590

    Subject: Order Tracking

    Subject: Tracking Information

    Subject: Shipping Detail

    Subject: Shipping Information

    Subject: Order Shipped

     FedEx     
       
     Order: AX-7608-99659670234    
     Order Date: Sunday, 25 November 2012, 10:35 AM

     Dear Customer, +++
     Your parcel has arrived at the post office at November 27.Our postrider was unable to deliver the parcel to you.

     To receive a parcel, please, go to the nearest our office and show this postal receipt.

         GET POSTAL RECEIPT

     Best Regards, The FedEx Team.

    Fake FedEx email with asprox malware link from 2013.

    Fake FedEx email with asprox malware link from 2012.

    Told you this has been going on for a while.


    Headers:

    Asprox URL-style emails almost ALWAYS come from compromised web servers (as opposed to attachment-style emails, which come from Windows bots). A dropped PHP script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers. Later versions just use the compromised server's RDNS or hostname instead of spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.

    Received: from raptor.myvacation.mobi [74.207.245.195]
    X-Envelope-From: apache @raptor.myvacation.mobi
    Subject: Ship Notification
    From: "FedEx International Priority" <support @myvacation.mobi>

    Received: from hosting6.tenet.ua [195.138.69.237]
    X-Envelope-From: flamingo @hosting6.tenet.ua
    Subject: Shipment status ID#00150402
    From: "FedEx Ship Manager" <support @flamingo.od.ua>

    Received: from www85.cpt1.host-h.net [197.221.2.62]
    X-Envelope-From: quasifvdag @www85.cpt1.host-h.net
    Subject: Ship Notification
    From: "FedEx International Economy DirectDistributionSM" <support @kvrtraining.com>

    Received: from raptor.myvacation.mobi [74.207.245.195]
    X-Envelope-From: apache @raptor.myvacation.mobi
    Subject: Ship Notification
    From: "FedEx International Priority" <support @myvacation.mobi>

    Some 2012-2013-era spoofed / used domains in Envelope (MAIL FROM:) headers:

    Received: from nothlasvages.com
    Received: from milwaukee.com
    Received: from toledo.com
    Received: from bakersfield.com
    Received: from raleight.us
    Received: from lubbock.us
    Received: from reno.us
    Received: from bakersfield.us
    Received: from nothlasvages.us
    Received: from raleight.us
    Received: from stockton.us
    Received: from e-postalservice.us
    Received: from pcpostal.com
    Received: from uspostalcenter.com
    Received: from myepostal.us

    Malware:

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    engagingthepage.com/code.php?fdx=kosDn9NPq0V7bvizrCXAB80ab/wyml1Zb5gkayrtRlc
    charter-pool.eu/press.php?fdx=QzL/wfOrs/a5LVDxrgno4ULsITt8JwHyGHsBIUCLikc
    inv.mahasarakham.police.go.th/tmp/diff.php?fdx=krl/30gwVx73HH19rEIhms0ab/wyml1Zb5gkayrtRlc

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable.

    The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

    VirusTotal report 

    ESET-NOD32     a variant of Win32/Kryptik.CMZR
    F-Prot         W32/FakeAlert.FY.gen!Eldorado
    Kaspersky      HEUR:Trojan.Win32.Generic
    Malwarebytes   Trojan.Downloader
    McAfee         Downloader-FAII!20E35117C332
    Norman         ZBot.CKEK
    Symantec       Packed.Generic.463

    Malwr.com report 

    Starts servers listening on 0.0.0.0:0
    Performs some HTTP requests
    Steals private information from local Internet browsers
    Installs itself for autorun at Windows startup

    HTTP POSTs to: 82.165.155.77:8080

    TotalHash report 

    HTTP POSTs to:
    110.77.220.66:443
    96.30.22.96:8080
    95.131.70.168:8080
    74.221.221.58:8080
    195.28.181.184:8080
    85.12.29.254:8080
    69.64.32.247:443
    82.165.155.77:8080

    Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.


  • Your application received - Asprox Malware

    Email:

    Virus spam email claiming to be from various law firms states that they received your complaint and it will be reviewed in court or initiate a trial.

    Links go to download the Asprox malware trojan, called Kuluoz.


    Subject: Your application received

     Baker & McKenzie 

    Pretrial notice

    Hereby we confirm that your complaint has been received together with enclosures dated December 29, 2014.
    The complaint will be reviewed in court in the nearest possible time based on the documents and information
    you have previously provided.

    You do not have to be present at trial in person if the Court does not suggest otherwise.
    Please use this link to check your complaint once again and confirm it.
    If we do not get your confirmation the claim will be cancelled.
    You will be further notified without delay of any judgement delivered in regard to your complaint.

    Sincerely,
    Court secretary
    Michael Moody

    © Baker & McKenzie 2015

    Picture of fake Baker McKenzie malware email.

    Subject: Your application received

     Hogan Lovells 

    Confirmation letter

    Since we confirm that your complaint and attached documents dated 01/05/15 have been received, you will now need
    to follow this link and confirm it in order we could initiate the judicial proceedings.

    If we do not have your confirmation we will have to cancel the claim. Please do this without delay.

    You do not have to be in court on the date of the hearing but you will be notified of the results in an urgent letter.

    Sincerely,
    Clerk of the court

    2015 Hogan Lovells | All Rights Reserved.

    Picture of fake Hogan Lovells malware email.

    Subject:  Your application received

     Letter of acknowledgement 

    Hereby you are advised that we have received your complaint with enclosures dated 01/29/14.
    Shortly after we receive your complaint confirmation we will initiate a trial. You are not actually
    required to attend the court proceeding, the results will be sent to you in a letter without delay.

    Please confirm your complaint here otherwise the claim is cancelled.

    Faithfully,
    Court secretary

    Picture of the "application received" malware email from around February 2014.

    Subject: Regarding your complaint

     SIDLEY
    Sidney austin LLP
    Sidley is a global law firm...

    Confirmation letter

    I am writing to notify you that your complaint form was received and docketed for the soonest consideration.
    To avoid cancellation of your complaint, you need to download complaint, check your application and confirm it
    if you still agree with your statements.

    If they are considered substantial and well-grounded we will bring them to trial.
    Your presence in court will not be required - you will be informed about the outcome of judicial proceedings in a letter.

    Sincerely,
    Court Executive for Legal Affairs

    Copyright

    Picture of fake Sidley Austin law firm email with malware link.


    Headers:

    Asprox URL-style emails almost ALWAYS come from compromised web servers (vice attachment-style emails which come from windows bots). A dropped php script receives HTTP POSTs containing the template, a list of recipients, links, fake mail transport agent strings, and sometimes spoofed headers.

    A single compromised web server will often be sent data every 3 minutes, with about 30 emails per POST. This can generate around 10,000 emails per day, generally pointing to about 100 compromised landing sites.
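
    The same mailer behaviour is described in each of the "Headers:" sections on this page, and it leaves a trace on the compromised web server itself: a steady stream of POSTs to one PHP file from one client at a fixed cadence. The script below is an added example, not code from the article or from the author, that looks for that cadence in an Apache-style access log. The log lines are constructed (RFC 5737 test addresses, an invented script path /images/mail.php), and the expected interval defaults to the 3 minutes stated above with a 20% tolerance; the web server's access log does not show how many recipients each POST carried, so only the cadence and the POST count are used.

```python
import re
from datetime import datetime
from statistics import median

# Constructed Apache "combined" access-log lines (not from the article). 203.0.113.7 is
# the client pushing mail jobs to a dropped script at a made-up path /images/mail.php;
# 198.51.100.20 is ordinary site traffic, including a one-off POST to a contact form.
SAMPLE_LOG = """\
203.0.113.7 - - [07/Jan/2015:10:00:05 +0000] "POST /images/mail.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.20 - - [07/Jan/2015:10:01:11 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2015:10:03:06 +0000] "POST /images/mail.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
198.51.100.20 - - [07/Jan/2015:10:04:40 +0000] "POST /contact.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [07/Jan/2015:10:06:04 +0000] "POST /images/mail.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
203.0.113.7 - - [07/Jan/2015:10:09:07 +0000] "POST /images/mail.php HTTP/1.1" 200 12 "-" "Mozilla/4.0"
"""

# client, timestamp, method, path (request line), status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": ip, "when": when, "method": method,
            "path": path.split("?", 1)[0], "status": int(status)}


def find_periodic_posts(lines, expected_s=180.0, tolerance=0.2, min_hits=3):
    """Group POSTs to .php scripts by (client, path) and return the groups whose
    median inter-arrival time lies within `tolerance` of `expected_s` seconds."""
    groups = {}
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].lower().endswith(".php"):
            groups.setdefault((rec["ip"], rec["path"]), []).append(rec["when"])
    hits = {}
    for key, times in groups.items():
        if len(times) < min_hits:
            continue          # a couple of POSTs to a form is normal traffic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)    # median, so one delayed job does not hide the pattern
        if abs(med - expected_s) <= expected_s * tolerance:
            hits[key] = {"count": len(times), "median_interval_s": med}
    return hits


if __name__ == "__main__":
    for (ip, path), info in find_periodic_posts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip} -> {path}: {info['count']} POSTs, "
              f"median gap {info['median_interval_s']:.0f}s")
```

    On a real server you would run this over a day of logs and then read the flagged script, which on a compromised host is usually a recently modified file in a writable upload or theme directory; the POST bodies themselves (template, recipient list, links) are only visible if request logging or a packet capture is in place.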

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Baker & McKenzie" <support@ [ domain of compromised web server]>
    Subject: Your application received

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Bryan Cave" <support@ [ domain of compromised web server]>
    Subject: Regarding your complaint

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Hogan Lovells" <support@ [ domain of compromised web server]>
    Subject: Your claim received

    Received: from [ HELO of compromised web server ] [ ip address of compromised web server ]
    Envelope-From : www-data@ [ domain compromised web server]
    From: "Skadden" <support@ [ domain of compromised web server]>
    Subject: Your complaint received

    Malware:

    The landing sites are just compromised websites. They come and go, and Asprox can go through thousands in a month. Asprox loves proxies, and these landing sites are just small, malware downloading proxies. The request will be proxied to another server and either malware will be sent back or the response will be a fake error message.

    Some url examples:

    airoweb.com/test.php?hl88Oo++CRHWQqlBh7JaxwsvXlJpCc9dxwGBAtZigWS1g
    akbidpasbar.ac.id/dirs.php?hl8e2oLUwj/Rw/IAJIh6tHv0ll/mDqFUsIVLGDDAHVOzw
    askcedric.com/global.php?hlsHcllecWt3/BusRlPX+V0PCokqfO0g4ax1fuD628Sw4
    azur-it.com/global.php?hlAf98Xd9vz3+2AipFCX2AY0EHzW9vzHHAJqIaAI5vMV8
    emailr.eu/xml.php?hlfuvbA1T6tifj4e4SRY8awzu3FtD3KORbuKvj5JbzQd0
    madeathens.gr/defines.php?hl/3zQK6o3ddHoJWAmdujoJg9BLZjfWw3d5uKQNJaYfDI
    bancodesolucoes.com/global.php?hlDe22c6rOqxB5OUWcApF7izlbhdEsPF8HhQvJH0Tbuoo
    client.thelode.com.au/db.php?hlyEpk6y8zyTERig42R2ZWHAAj0qLrFGQgHHusNsnquGc
    acenteweb.com/utf.php?bkkWXG0XmnRcy6ghzbxZUF0zN0wsB+wlPr79T3WSjxWKg
    advancedlubes.com/dirs.php?bkwhcJUxy+jgWtBfpNeXDQgg0ZEV9CbGwwPodpCWwaVjM
    birdexplorers.com/proxy.php?bkVWSsdzJAdKwJ3jW+d3lAYPY6QdTHwTbvSnbo8BtzLxk
    duirforester.com/page.php?bkFGHuvkXq0C/41NUHd6zMS0P1JqvxdgPB58PKB6TpZwE
    softwareforyourmind.org/system.php?bkhMyRsg3BjeicRHhJAqA7sZId016MyccYQzJh942/8YM
    unixhelpdesk.de/page.php?bkR7/LNl3q2KevbxiOgXhapbJY9vcotTeEjBbimO/lj7g
    bullngoose.com/ini.php?sid=yAGQFhNEt9l6j3WitdzAyzNpKdv13G5S2oqmQxKlv6E
    festivalfilmlibanais.com/list.php?sid=CSzcUKIUBi92E8Q392FtV0ajqAkCaz9l+053kpYA8Rs
    hotelminmyanmar.com/xml.php?sid=GgXsY8DbIv8Zmi3+WQhcfuxDv0+yeoKi17UQOMQBG4k
    hydronit.eu/template.php?sid=yrsetbjwf+4dWGiYj/CffAgF9lQx5w/sMfgQCTjcw7A
    kisiselgelisimmerkezi.net/press.php?sid=GY7N+mgVCHb3GxX8XNB46vuAg6pv1W003dpTe0/dgg0
    music.inreality.az/css.php?sid=kfoRwS1I/7et5CO6NHR6q0ibgMIE6Fe9ULsM+ivt3aA

    The proxied request will be checked for user-agent string (Windows only, usually IE only), and ip address (an IP that tries too many times will be blocked). If your stars align, you will be handed back a zip containing an executable. In my case, I received HoganLovells_Complaint_00734995.zip containing HoganLovells_Complaint_00734995.exe

    The Asprox executable is generally referred to as Kuluoz. It doesn't matter what URL you get it from, they all come from the same place (via proxy) and do the same thing: take over your computer. Here is one example:

    VirusTotal report 

    Avast        Win32:Malware-gen
    ESET-NOD32   Win32/TrojanDownloader.Zortob.H
    McAfee       Downloader-FAII!139376F90938
    Norman       Kuluoz.KX
    Rising       PE:Malware.FakeDOC@CV!1.9C3C

    Malwr.com report 

    These samples sometimes don't run so well in Cuckoo. Here is the same sample run manually.

    Picture of trojan run from law firm complaint malware email.

    This sample runs like a champ. Injects to systray.exe (which is kind-of new, it used to be svchost.exe), aa[user] mutex, and a nice list of C2 check-in locations. An Asprox bot. The c2 proxies in this sample:

    192.241.135.69:443
    31.186.5.20:8080
    194.146.226.230:8080
    109.234.156.83:8080
    67.18.12.2:8080
    185.66.12.185:443

    Those IP addresses will change as some are taken down and new ones come online. They are almost always compromised web servers.
