Backdoor:ASP/Aspy.A

Backdoor:ASP/Aspy.A is a backdoor trojan, written in ASP.Net, that allows unauthorized remote access and control of an affected computer or server.

Installation

Backdoor:ASP/Aspy.A may be present on a compromised host as a file with .ASP file extension and stored in a directory containing web pages to allow to a remote attacker via a web browser and Internet connection. The following file names are examples of the trojan as found in the wild:

• action_refresh.aspx
• pw.aspx
• plugins.aspx
• legion.aspx;jpg
• cmd.aspx
• iskox.aspx
• css.aspx
• ASPXspy2.aspx

When the trojan page is accessed, it requests a logon to gain access to a control session. The default password for the trojan is 'admin'.

Payload

Allows unauthorized remote access and control
Once logged in, the trojan could provide the following functionality against a compromised computer or server:

• File management - this includes download, upload, edit, copy, rename, delete files
• Directory management - this includes create, rename and delete directories
• Execute any command through cmd.exe
• Extract IIS user credentials
• List processes and services
• List detailed information of users and system configuration (includes domain, IP, OS version, CPU etc.)
• File search and replace
• Serv-U privilege escalation exploit
• list registry keys and values
• port scanner
• MSSQL and Microsoft Access database access
• TCP port redirection

Analysis by Shawn Wang