Daily cyber threats and internet security news: network security, online safety and latest security alerts
July 18th, 2008

Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites

During the first two weeks of July 2008, Finjan detected over 1,000 unique Website domains that were compromised by Asprox toolkit attack. Each of the compromised domains included a reference to a malware that was served by over 160 different domains across the Internet. Since the list of these malware serving domains increases every day, this might be just the tip of the iceberg for the scope and impact of this attack.

Among the compromised websites Finjan found websites of respectable organizations, governmental institutes, healthcare organizations and other high-ranked websites. The malicious code is still being served by most of the websites and the toolkit is still in use.

Among the many websites that were compromised, there are various advertisement networks that were also used to direct users to compromised advertisements. One of the advertisement networks was, which Microsoft plans to acquire as part of Microsoft’s Advertiser and Publisher Solutions Group.

Among compromised legitimate websites (on some of them the malicious code no longer exists) there are government websites:, the official website of the City of Marysville, registered by Marysville Police Department., the official website of the cultural data bank of the Department of Culture and Tourism of the State of Bahia, Brazil., official website of the government of the City and County of San Francisco.

Compromised healthcare websites:, the official website of the National Health Service in the UK., the official website of the South African Medical Association.

Other compromised legitimate websites:, one of the largest soft drink makers in the US, official website of the University of California

The Baltimore Times Website

BMW official site in Mexico

Compromised sites have a piece of JavaScript (JS) embedded in them, which in turn points to another JS file on a seperate domain. These domains are part of a fast-flux network hosted on the botnet itself, a technique widely used by another well-known Storm botnet.

The attack toolkit is designed to inject a <script> tag into legitimate [.asp] webpages. Each of the 160 different domains hosting .js points to the location of the malicious file which was unique to each and every one of them. The malicious script exploits several vulnerabilities on the victim’s machine in order to heighten the chances for successful exploitation: MDAC Vulnerability, QuickTime rtsp Vulnerability, AOL SuperBuddy ActiveX Control Code Execution Vulnerability. Upon successful exploitation, a Trojan is downloaded and executed on the victim’s machine.

Share this item with others:

More on CyberInsecure:
  • Phishing Botnet Expands By SQL Injecting Websites Found In Google
  • Stolen Business And Personal Data Found On Open Botnet Server
  • Massive Botnet DDoS Attack Hits
  • Laptop With Siemens Healthcare Diagnostics Employees Details Stolen
  • Hundreds Of Websites Hosted At Network Solutions Defaced

  • If you found this information useful, consider linking to it from your own website.
    Just copy and paste the code below into your website (Ctrl+C to copy)
    It will look like this: Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites

    One Response to “Asprox Botnet Mass Attack Hits Governmental, Healthcare, and Top Business Websites”

    1. This virus took my site offline for 3 weeks and I had to seek an internet security company to fix my site.

      It cost me £50 but well worth it after the hastle I have had!!

    Leave a Reply

    Comments with unsolicited links to other resources will be marked as spam. DO NOT leave links in comments. Please leave your real email, it wont be published.

    To prove you’re a person (not a spam script), type the security word shown in the picture. Click on the picture to hear an audio file of the word.