
Asprox Botnet

First observed in 2008, Asprox is a Windows-based botnet used to run SQL injection attacks and phishing campaigns.

Asprox is distributed through compromised websites. Already-infected hosts scan for sites built on Active Server Pages (ASP or ASP.NET) and then attempt to gain command execution on the web server through SQL injection. If that succeeds, the bot injects JavaScript or HTML iframes into the site's pages so that visitors are served drive-by downloads of Asprox.

Once installed, Asprox spawns a process that connects to its command-and-control (C2) infrastructure and edits registry entries to maintain persistence. It also carries a secondary backdoor known as Kuluoz (also called Cidox or Rerdom), which is used to download and install further malware.

Palo Alto Networks released a report stating that in October 2014, Kuluoz, the latest version of the Asprox malware, accounted for approximately 80 percent of all malware sessions recorded by its WildFire threat intelligence service.

Affected Platforms

Microsoft Windows – All versions

Hosts and IPs to Block


Duncan

Duncan is a technology professional with over 20 years' experience in various IT roles. He has an interest in cyber security, and has a wide range of other skills in radio, electronics and telecommunications.
