Series: Looking through the keyhole – Asprox

March 25, 2009

hydra-150x150Asprox has been around for a good long time and focuses on massive SQL injection attacks and templated Phishing campaigns.  This stuff  is really cyberweaponry on a massive scale.  It also is used by money Mules campaigns.  These are used to launder ill gotten gains and extract money from accounts where assets are transfered to.


Here is a great link from Shadowserver Foundation on tracking the resurgance of the botnet after the Mcolo fiasco.

Fiasco because it didnt do a lick of good.

I will post code soon on what I have from ASprox.  There are many sites that track this.

Asprox has also moved to Fast Flux and has even innovated that into something called Hydraflux which utilizes another layer of defense to isolate its Motherships…  Uh like WOW

HydraFlux : The many headed fluxnet

“Flux” is no longer the sexy beast that it might once recently have been and the M.O is unfortunately becoming a common fixture in the criminal landscape of the internet. However, one fluxnet operation recently stood up and stood out. The emergence may simply be an evolution in one flux herder codebase, or represent a new fluxnet operation altogether. I imagine many will call it ‘rock’ (which it is not) based on URL construction alone. The uniqueness of this particular fluxnet does not become apparent until you see what is happening on the other side of the redirection going further upstream. “HydraFlux” is bestowed as a result of operational behavior based naming.

For those who have examined flux net activity you might acknowledge a few commonalities on the backend that are shared among several flux operations where the flux node to mothership relationships are one to one. ( many clients -> fluxnode:80 -> mothership:80 ) <= (this is old school, sooooo 2006/07).

Enter HydraFlux

A small flux net (at this time) where each fluxnode endpoint maintains a one to many mothership relationship *in addition* to the use of non-standard ports for upstream mothership communications. Where “many clients” -> fluxnode:80 -> Multiple_Motherships:4449 . The fluxers are breaking the rules, and btw there *are* no rules. This may be just a bad experiment since HTTP on non-standard ports can stick out like a sore thumb. Oh yes, nginx servers are upstream, and no way to validate that those hosts are not sending traffic futher upstream, though I do believe this is a case of additional layers motherships further upstream beyond what is visible from the the Fluxnode perspective.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: