Spambot exploits iPhone 4 launch to infect thousands of sites

Did you recently receive an e-mail offering you a $50 voucher for iTunes?

Don’t touch it because very likely it’s part of spambot scheme exploiting a Windows glitch and the iPhone 4 launch, according to gateway security firm M86 Security.

The Asprox spambot has undergone several mutations since its first appearance in 2007, when it conducted SQL injection attacks.

Over the past 48 hours or so, it has infected no less that 13,000 legitimate Web sites, according to one security expert.

“At the moment Asprox is limited to serving up spam and building a bigger spambot network,” noted Ed Rowley, product manager for M86 Security based in Orange, Calif.

“But controllers can easily get it to create more havoc, such as going on a password harvesting spree.”   

This wasn’t the first time we had seen Pushdo using this specific “Gift Certificate” theme. A campaign was first observed in mid May where the Bredolab downloader Trojan was embedded in an RTF (Rich text format) file attachment. Bredolab, also known as Sasfis or Oficla by various antivirus vendors, is known to be responsible for installing the Pushdo/Cutwail spambot, as well as Zbot and fake antivirus on to the infected host.

The M86 Security Lab detected Asprox last week. It appears the bot’s controllers are using social engineering techniques that take advantage of the recent iPhone 4 launch, said Rowley.

For example some consumers receive an enticing e-mail offering them a free $50 iTunes voucher.

When a user clicks on the message, a script as well as a several Google search terms are injected into their machine, which secretly commands the computer to infect a list of vulnerable ASP (active server pages) sites.

The image above shows the downloader contacting its command and control server. The red text shows the downloader “phone home” to its command and control via the domain name funnylive2010.ru.

The bot launches the SQL injection by sending URL encoded SQL queries to the target sites. When M86 decoded the query the security firm discovered a malicious javascrript file:

The image above shows the downloader contacting its command and control server. The red text shows the downloader “phone home” to its command and control via the domain name funnylive2010.ru. The URL link points to an Asprox executable.

Machines most likely to fall prey are those running Windows 2003 Server and XP, as well as sites that do not regularly update security features, according to Rowley.

There’s a flaw in Windows 2003 Server and XP’s Help and Support features that enables hackers to add additional data or – in this case – send malicious script queries to the Help and Support link.

The operating systems are unable to detect the malicious script, Rawley said.

The larger vulnerability lies with poorly designed Web sites, he said. “Improperly protected SQL databases, sitting behind these sites, are prone to injection attacks.”

According to the M86 exec, a key Asprox feature is its ability to bypass detection by most anti-malware systems because it emulates the signature of anti-virus software.

“Signature-based systems are not effective against it, however, M86’s behaviour-based detection can track it down,” Rowley said.

Highly-evolved malware

At least one Toronto-based security expert, who has been rooting out Asprox variants for half a decade, sees the Trojan as “highly evolved malware.”

“Asprox can be called a complete malware toolkit,” said Claudiu Popa, founder and president of Informatic Corp., a Toronto-based security consultancy.

Asprox injects itself, protects itself against detection, propagates itself and can morph into whatever form the controller wishes,” said Popa, who also blogs for a ITBusiness.ca.

The analyst has been running into Asprox variants as far back as 2005.

“It’s a very well designed piece of malware, but became exceptionally dangerous in 2008, when it gained the ability to do SQL injections.”

Popa warned that Asprox could be easily be passed on by users to legitimate Web sites, where it can burrow itself deep inside the site’s database undetected.

“Once inside it can spread even further by infecting the site’s other visitors.”

How to protect yourself

A well-protected Web site and malware detection software, along with security practices are the best deterrent, the analyst said.

However, he also provided at least three highly effective and free defensive strategies:

Block all online ads – Users can set their browsers or firewalls to block all online ads. This is not the most popular solution, but it helps you can slash a huge percentage of spam and malware that bombard the company network or your private network.

Tweak the rules on your e-mail application – Gmail, Outlook and other e-mail apps have very effective filtering features that allow you to block suspicious e-mails.

Adjust the “receive features on your e-mail app – Simply change your e-mail settings to make it reveal the “To” portion of the message before even before the mail is opened, said Popa. “Very often a dead giveaway of spam or malware is the e-mail is not directly addressed to you.”

Share on LinkedIn Share with Google+