When a small phishing gang decides to upgrade its infrastructure, the job is usually done in a quick and dirty fashion. The transition is almost immediate, and often buggy and unprofessional. But what happens when a gang on the scale of the Rock Phish group decides to abandon its old methods and upgrade its botnet infrastructure? It is done slowly, smoothly but most importantly — professionally.
The RSA FraudAction Research Labs recently gathered information that indicates major changes in the tactics employed by the Rock Phish gang. We have reason to believe that the gang is replacing its phishing infrastructure, and upgrading it to an advanced Fast-Flux botnet. We also believe that this new infrastructure belongs to none other than the infamous Asprox Botnet, which has recently been spreading itself using surges of SQL injection attacks.
Our observations began in early April 2008, when we first noticed some developments within the Rock Phish attack structure, as the gang introduced the Zeus (a.k.a. WSNPOEM) Trojan as part of its phishing attacks. Zeus was not the only malware used by the Rock Phish gang, however. A short time after the Zeus variant appeared, the gang replaced Zeus and “padded” its attacks with custom-made and more sophisticated crimeware. The evolution continued, and we observed that the crimeware’s Command & Control (‘C&C’) server was also infecting users with another piece of malware — a botnet client.
The botnet client was an interesting milestone in recent crimeware developments from the Rock Phish gang. At first, the botnet performed only common functions: creating a SOCKS proxy server, which lets the fraudster route traffic through the infected user’s Internet connection for whatever purpose he or she likes, and collecting information about the type of anti-virus software installed on the victim’s computer. We are still curious about the incentive to collect this information; our tests at the time revealed minimal detection rates of the botnet malware by the various anti-virus solutions.
On further analysis of this new botnet client, we noticed that it was spreading itself independently, not just through the users who were infected by the custom Rock Phish crimeware. Research into the infection method revealed that the infection kit was none other than Neosploit — a highly sophisticated tool which is very familiar to us and was reviewed in our previous post.
It became obvious that something big was cooking. When a serious online crime gang such as Rock Phish makes massive changes to its infrastructure and methods of attack, by introducing a custom-made botnet client and crimeware, it rarely sends the market a peaceful message of “we give up, we’re old, we’ve got rich and it’s time to move on”. Quite the opposite, in fact.
Now, about that Asprox botnet
The Asprox botnet is already “famous” and has been well documented in the industry for its massive SQL injection attacks — excellent information already exists. Asprox launched numerous SQL injection attacks on legitimate web servers, injecting IFrames that led visitors to download the Asprox malware, thereby recruiting additional PCs into the botnet.
When researching the servers used by the Rock Phish gang for its recent crimeware infection campaigns, we noticed that the C&C server of the custom Rock Phish crimeware (which was also the C&C server of the newly-introduced botnet client) had exactly the same directory structure as the emerging Asprox servers from which the Asprox botnet malware was downloaded at the time. And when we say “the same directory structure”, we do not mean only system directories — we mean that the Rock Phish attacks and the Asprox botnet were likely using at least one common server!
Recently, we also noticed a decrease in the number of phishing attacks hosted on the “classic” Rock Phish network. In parallel, an increasing number of phishing attacks were hosted on the Asprox botnet, which until now had been used solely for SQL injection and Trojan infections. According to our tracking, the decrease in classic Rock Phish attacks overlaps with the increase in attacks hosted on the Asprox botnet.
Circumstantial? Perhaps, but we believe it is not. We suspect this stage completes an upgrade from the outdated Rock Phish botnet to the highly-advanced fast-flux network, known until now as Asprox.
Moreover, the phishers who now use the Asprox botnet use a similar technique to that of classic Rock Phish attacks — multiple domains are registered within a short time frame, and each domain hosts attacks against multiple targets (using different folders). Classic Rock Phish attacks always targeted multiple brands using a single domain.
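The hosting pattern described above (many domains appearing within a short window, each serving several brands from separate folders) is something a defender can check for in a phishing-URL feed. The following is an added example written for this page, not RSA’s tooling; the feed entries, domain names and brand folder names are constructed placeholders.

```python
"""Flag Rock Phish-style hosting: bursts of new domains, each hosting several brands."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Constructed sample feed of (first_seen, phishing URL). Not real indicators.
FEED = [
    ("2008-04-02T09:10", "http://secure-upd01.example/bank-a/login.php"),
    ("2008-04-02T11:40", "http://secure-upd01.example/bank-b/index.html"),
    ("2008-04-03T08:05", "http://acct-verify02.example/bank-a/login.php"),
    ("2008-04-03T08:07", "http://acct-verify02.example/card-c/index.html"),
    ("2008-04-03T15:30", "http://online-srv03.example/bank-b/index.html"),
    ("2008-04-03T16:00", "http://online-srv03.example/bank-a/login.php"),
    ("2008-04-03T16:02", "http://online-srv03.example/card-c/index.html"),
    ("2008-04-11T10:00", "http://www.single-kit.example/bank-a/login.php"),
]

def registered_domain(url):
    """Naive registrable domain: the last two host labels (no public-suffix list)."""
    host = urlsplit(url).hostname or ""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host

def brand_folders(feed):
    """Map each domain to the set of top-level folders it serves; one folder per targeted brand."""
    folders = defaultdict(set)
    for _, url in feed:
        first = urlsplit(url).path.strip("/").split("/")[0]
        if first:
            folders[registered_domain(url)].add(first)
    return folders

def multi_target_domains(feed, min_targets=2):
    """Domains hosting attacks against several brands at once (the classic Rock Phish trait)."""
    return sorted(d for d, f in brand_folders(feed).items() if len(f) >= min_targets)

def domain_bursts(feed, window=timedelta(hours=48), min_domains=3):
    """Group domains whose first sighting falls within `window` of the group's first domain."""
    first_seen = {}
    for ts, url in feed:
        d, t = registered_domain(url), datetime.fromisoformat(ts)
        first_seen[d] = min(first_seen.get(d, t), t)
    bursts, current = [], []
    for d, t in sorted(first_seen.items(), key=lambda kv: kv[1]):
        if current and t - first_seen[current[0]] > window:
            if len(current) >= min_domains:
                bursts.append(current)
            current = []
        current.append(d)
    if len(current) >= min_domains:
        bursts.append(current)
    return bursts
```

Domains that appear in both a burst and the multi-target list match the pattern the post attributes to the Asprox-hosted phishing; the lone single-brand domain seen a week later does not.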
Current state of affairs
Asprox gradually began qualifying infected users, choosing candidates with reliable Internet connectivity and selecting them to serve as content proxies for additional botnet infections, for hosting phishing attacks, or for both. This marked the completion of the construction stage. We suspect the Rock Phish gang now has an up-to-date, highly reliable fast-flux network to be used for whatever they need — a major upgrade from the simplistic proxy client used previously.
Today, Asprox hosts infection pages, phishing attacks and mule recruitment websites. It continues its activity of searching for vulnerable websites, and planting its malicious IFrames via drive-by infection — and it continues to grow.
We firmly suspect that Asprox is the botnet currently in use by the Rock Phish gang.
RSA FraudAction Team