Asprox

Asprox alive - again overlaps with Waledac

Asprox has awakened again.
I have not tried to follow it this time.

But a quick look at the passive DNS data from bfk.de gave me this one:

Overlap between Asprox and Waledac in October 2009

The domain thingre.com lived happily side by side with other domains "attributed" to the newly awakened Asprox botnet
(bannerdriven.ru, adsyndication.ru, adtcp.ru, adbnr.ru, siteanalitycs.ru, htmlads.ru, ads-t.ru, bannert.ru).

But if you do a quick search for thingre.com, this domain has been tied to Waledac.

Asprox domains - new and old ones April 29 2009

Those are some of them; others do of course exist too.

I stumbled across two new ones registered today, 15infinput.com and binnet11.net.
One of the IPs that shows up in connection with those is 69.66.237.74.

Here is an example using bfk.de for 69.66.237.74 (not all of those are active):

Asprox - Phish domains in April 2009

First a screenshot from the phish site at
h||p://ww4.visa.com.82siddefault.com/creditcards/security/confirm
Note that the registered domain here is 82siddefault.com; the leading labels ww4.visa.com are just subdomains the attacker created under his own domain, so the real brand name is what the victim sees first in the location bar.

Phish page on the Asprox botnet April 2009

And here is a close-up of the location bar from the screenshot above:

Location bar of phish page on the Asprox botnet April 2009

Others about Downadup / Conficker / Waledac connections

Trend Micro mentioning a possible connection between Conficker and Waledac:

DOWNAD/Conficker Watch: New Variant in The Mix?

Quote:

Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file.

Another one from the same article:

Asprox - additional domains registered January 26 2009

Just a quick one now, a list of some more domains on the Asprox botnet registered yesterday.
The "proactive" registrar is Directi. Not directly unusual.

32rundllfunc.biz, 50label-map.com, 59comm-cookie.biz, 76text-crypt.net, 7batchshare.biz, admin-batch97.biz, apidefault57.com, cfm-sid7.net, cmdidini32.biz, code-func42.biz, comm-cipher67.name, corebank98.biz, map-ref95.com, pool-org23.name, rdir-site81.name, tidport85.biz, win-pool21.biz,

Phish setup:
ww9.business.hsbc.com.win-pool21.biz
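Both this host and the April 2009 one (ww4.visa.com.82siddefault.com) use the same trick: the bank's domain is placed as subdomain labels in front of a throwaway registered domain. The script below is an added example (not code from this blog) that refangs the defanged indicators quoted in these posts, extracts the hostname, works out the registered domain and flags a brand domain that only appears to the left of it. The BRANDS tuple and the tiny MULTI_LABEL_SUFFIXES table are assumptions for illustration; a real check should consult the Public Suffix List.

```python
"""Pick out brand-impersonating hostnames of the kind Asprox phish pages used.

Added example, not code from the original blog post. INDICATORS are the
indicators quoted in the posts (still defanged); BRANDS and
MULTI_LABEL_SUFFIXES are assumptions for illustration only.
"""
import re
from typing import Optional

# Assumption: brand domains we do not want to see as a *prefix* of someone else's host.
BRANDS = ("visa.com", "hsbc.com")

# Assumption: a tiny stand-in for the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# Constructed from the indicators quoted on the page (defanged as written there).
INDICATORS = [
    "h||p://ww4.visa.com.82siddefault.com/creditcards/security/confirm",
    "ww9.business.hsbc.com.win-pool21.biz",
    "thingre. com",
    "goodnewsdigital(dot)com",
    "www.visa.com",
]


def refang(indicator: str) -> str:
    """Undo common defanging: h||p:// and hxxp://, (dot), [.], and 'host. tld'."""
    s = indicator.strip()
    s = re.sub(r"^h[x|]{2}p(s?)://", r"http\1://", s, flags=re.IGNORECASE)
    for token in ("(dot)", "[dot]", "[.]", "{.}"):
        s = s.replace(token, ".")
    s = re.sub(r"\s*\.\s*", ".", s)  # "thingre. com" -> "thingre.com"
    return s


def hostname_of(indicator: str) -> str:
    """Return the lower-cased hostname from a (possibly defanged) URL or bare host."""
    s = refang(indicator)
    s = re.sub(r"^[a-z][a-z0-9+.-]*://", "", s, flags=re.IGNORECASE)  # drop scheme
    s = s.split("/", 1)[0].split("?", 1)[0]  # drop path and query
    s = s.rsplit("@", 1)[-1]                 # drop userinfo, if any
    return s.split(":", 1)[0].lower().rstrip(".")


def registrable_domain(hostname: str) -> str:
    """Registered domain: the last two labels, or three when the suffix is multi-label."""
    labels = hostname.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a usable hostname: {hostname!r}")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def impersonated_brand(hostname: str) -> Optional[str]:
    """Return the brand whose labels appear *left of* the registered domain
    (e.g. 'visa.com' in ww4.visa.com.82siddefault.com), else None.
    A host whose registered domain is the brand itself (www.visa.com) is not flagged."""
    host = hostname.lower().rstrip(".")
    reg = registrable_domain(host)
    prefix = host[: -len(reg)].rstrip(".") if len(host) > len(reg) else ""
    prefix_labels = prefix.split(".") if prefix else []
    for brand in BRANDS:
        b = brand.split(".")
        for i in range(len(prefix_labels) - len(b) + 1):
            if prefix_labels[i : i + len(b)] == b:
                return brand
    return None


def triage(indicators):
    """Normalise each indicator and report host, registered domain and any brand abuse."""
    rows = []
    for ind in indicators:
        host = hostname_of(ind)
        rows.append({
            "host": host,
            "registrable": registrable_domain(host),
            "brand": impersonated_brand(host),
        })
    return rows


if __name__ == "__main__":
    for row in triage(INDICATORS):
        flag = f"impersonates {row['brand']}" if row["brand"] else "-"
        print(f"{row['host']:45} registered as {row['registrable']:20} {flag}")
```

The registered domain is what to put in blocklists and passive DNS lookups; the brand label in front of it is only useful as a phish signal, which is why the two are reported separately.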

Asprox domain Jan 26 and some more Downadup/Conficker

The Asprox domain:
debug-script40.biz. (Found on URIBL.COM).
Not serving the usual javascript files at the moment.
(There are probably more of them)

Some expected Downadup/Conficker domains show up on the Asprox botnet:
fmhxqutvccr.org, fmkopswuzhj.biz, fuougcdv.org, fvwugekf.info, fwkbt.info, gbxpxugx.org, ghtileh.biz, gnyluuxneo.com.
And very possibly several others.

An image illustrates one common IP:
