Friday, June 27, 2008

Looping Through the Asprox Botnet

A few new Asprox botnet SQL injection attack domains to report:

cid26.com
dl251.com
getbwd.com
st212.com

These were registered on the 25th and began actively dishing up malware via SQL injection attacks on the 26th. Looking at st212.com, we can see that multiple IP addresses are registered to that domain. At the time we checked, it resolved to more than a dozen bot IP addresses, all on consumer broadband networks in the US, Belgium and Italy.

Drilling into the individual IP addresses of these bots (presumably victim machines infected with the Asprox proxy Trojan), we find that they also serve a combination of the following additional domain names:

appid37.com
asp27.com
asp72.com
bnradw.com
coldwop.com
script46.com
ssl39.com
st212.com

Following the trail of coldwop.com, we then see a further set of bot IP addresses, this time spread across North and South America, Europe and Asia.

And following the trail further reveals additional domain names and IP addresses of Asprox bots behind these attacks. This virtual walkthrough goes on and on; you quickly begin to get an idea of how large - and how global - the Asprox botnet really is.
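As an added illustration (not part of the original post), the following script automates the domain-to-IP-to-domain loop described above over a constructed, passive-DNS-style record set and flags domains that show the fast-flux pattern st212.com exhibits. The record set, the RFC 5737 documentation addresses and the ISP labels in it are hypothetical; only the domain names come from the post.

```python
from collections import defaultdict, deque

# Constructed sample records: (domain, ip, isp). Domain names are ones the
# post mentions; the addresses (RFC 5737 ranges) and ISP labels are made up.
RECORDS = [
    ("st212.com", "192.0.2.10", "Comcast"),
    ("st212.com", "192.0.2.11", "Charter"),
    ("st212.com", "198.51.100.5", "Tiscali"),
    ("coldwop.com", "192.0.2.10", "Comcast"),
    ("coldwop.com", "203.0.113.7", "Korea Telecom"),
    ("asp27.com", "192.0.2.11", "Charter"),
    ("script46.com", "203.0.113.7", "Korea Telecom"),
    ("script46.com", "203.0.113.8", "TPNET"),
    ("unrelated.example", "198.51.100.99", "Acme Hosting"),
]

def build_graph(records):
    """Bipartite adjacency: domain -> set(ip) and ip -> set(domain)."""
    d2ip, ip2d = defaultdict(set), defaultdict(set)
    for dom, ip, _isp in records:
        d2ip[dom].add(ip)
        ip2d[ip].add(dom)
    return d2ip, ip2d

def pivot_cluster(records, seed, max_hops=None):
    """Breadth-first walk from a seed domain over shared IPs (the loop the
    post follows by hand). Returns (domains, ips) reached within max_hops."""
    d2ip, ip2d = build_graph(records)
    seen_d, seen_ip = {seed}, set()
    queue = deque([(seed, 0)])
    while queue:
        dom, hops = queue.popleft()
        if max_hops is not None and hops >= max_hops:
            continue  # do not expand beyond the hop budget
        for ip in d2ip.get(dom, ()):
            seen_ip.add(ip)
            for other in ip2d[ip]:
                if other not in seen_d:
                    seen_d.add(other)
                    queue.append((other, hops + 1))
    return seen_d, seen_ip

def flux_candidates(records, min_ips=3, min_isps=2):
    """Domains whose A records spread over many addresses at many ISPs."""
    ips, isps = defaultdict(set), defaultdict(set)
    for dom, ip, isp in records:
        ips[dom].add(ip)
        isps[dom].add(isp)
    return sorted(d for d in ips if len(ips[d]) >= min_ips and len(isps[d]) >= min_isps)
```

Feeding it real resolution history (your own resolver logs or a passive-DNS export) in the same (domain, ip, isp) shape lets a defender map the cluster and block it as a unit rather than one domain at a time.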
