Asprox Botnet Distributing Oficla-bearing Spam Mails
Security researchers at M86 Security warn that a spam campaign posing as failed-parcel-delivery notifications is flowing out of the Asprox botnet, with the messages spreading the Oficla Trojan.
Oficla, also known as Sasfis, is a family of downloader Trojans used chiefly to install other malicious programs. Asprox, which first appeared in 2008, is a Trojan that behaves like a typical botnet client; it spreads by compromising legitimate ASP websites through SQL injection and planting malicious iFrames on them.
Asprox's latest spam runs, which pose as messages from FedEx, USPS, UPS or DHL, have been circulating since the botnet resurfaced in mid-2010. The e-mails carry ZIP attachments containing .exe files that almost exclusively drop Sasfis.
When the ZIP file is extracted, the executable inside displays a Microsoft Excel icon. Running it installs Sasfis, whose payload varies with the task assigned by the Asprox command-and-control server. Recently the malware has been observed downloading fake anti-virus installers, and it is currently taking instructions from the domain showtimeru.ru.
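The icon trick described above works because Windows Explorer shows the icon embedded in the executable rather than anything that reveals its true type. As an added example that is not from M86 Security or the original article, the following Python script inspects a ZIP attachment and flags any entry that is a Windows PE executable, based on the MZ/PE header bytes rather than on the file's extension or icon, and also flags executable and double extensions. The sample ZIP, its file names and the fake PE stub are all constructed inline for the demonstration and are assumptions, not artifacts from the Asprox campaign.

```python
import io
import struct
import zipfile

# File extensions Windows will execute directly when double-clicked.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".cpl"}


def build_fake_pe(pe_offset: int = 0x40) -> bytes:
    """Constructed sample: a minimal stub that looks like a Windows PE file.

    A real PE starts with an 'MZ' DOS header whose 4-byte field at offset 0x3C
    points to the 'PE\\0\\0' signature. This stub carries only those markers.
    """
    header = bytearray(b"MZ" + b"\x00" * (pe_offset - 2))
    struct.pack_into("<I", header, 0x3C, pe_offset)
    return bytes(header) + b"PE\x00\x00" + b"\x00" * 16


def is_pe(data: bytes) -> bool:
    """Return True if the first bytes of a file carry a valid MZ/PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    return data[pe_off:pe_off + 4] == b"PE\x00\x00"


def inspect_zip_attachment(zip_bytes: bytes):
    """Return a list of (entry name, reasons) for every suspicious ZIP entry.

    The content check reads only the first 512 bytes of each entry, so a
    renamed executable is caught even when its extension looks harmless.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = []
            base = info.filename.rsplit("/", 1)[-1].lower()
            parts = base.split(".")
            ext = "." + parts[-1] if len(parts) > 1 else ""
            if ext in EXECUTABLE_EXTENSIONS:
                reasons.append("executable extension")
            # 'notice.xls.exe' style names rely on hidden extensions to pass as documents.
            if len(parts) > 2 and ext in EXECUTABLE_EXTENSIONS:
                reasons.append("double extension disguises type")
            with zf.open(info) as fh:
                head = fh.read(512)
            if is_pe(head):
                reasons.append("PE executable content (MZ/PE header)")
            if reasons:
                findings.append((info.filename, reasons))
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample attachment: one disguised .exe, one renamed PE, one benign file."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("USPS_Document.xls.exe", build_fake_pe())   # double extension, PE inside
        zf.writestr("tracking_info.xls", build_fake_pe())       # PE renamed to look like a spreadsheet
        zf.writestr("readme.txt", b"Your parcel could not be delivered.\n")  # benign text
    return buf.getvalue()


if __name__ == "__main__":
    for name, reasons in inspect_zip_attachment(build_sample_zip()):
        print(f"{name}: {'; '.join(reasons)}")
```

The content check is what matters in practice: an extension or icon can be chosen by the sender, but a file cannot run as a Windows executable without the MZ/PE header, so a mail gateway or desktop tool that checks the header cannot be fooled by the Excel icon.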
Reports also state that during July-September 2010 Oficla was one of the most prolific e-mail-borne malware families, with an especially vigorous presence in September, when numerous aggressive spam runs were observed.
Such pay-per-install operations attract scareware makers as regular customers, since their scams generate enough revenue to fund the installs they buy.
The researchers note that, following the recent takedown efforts against the Bredolab and Pushdo botnets, overall spam volume has declined considerably. Asprox, however, is another prominent botnet that is still spamming malicious executables. According to the researchers, the Asprox spam is actively using United States Postal Service (USPS) or United Parcel Service (UPS) themes in its messages. For its newer spam, the botnet is using the domain inglo-kotor.ru; both the earlier and the newer domains are hosted on the same server in Sweden.
Users are therefore advised to be careful with e-mail attachments regardless of whether the sender appears to be a trustworthy entity. Before opening such an attachment, they can scan it with VirusTotal.
Related article: Asprox Virus Attacks Several Websites in UK
» SPAMfighter News - 27-11-2010