Archive for the ‘Adware’ Category

« Older Entries

Is Someone Stealing Your Search Queries? Why Might They do That?

Friday, January 22nd, 2010

Banload is a malware name that is typically associated with banking trojan downloaders, but the Banload-detected sample covered in this post is a bit different than the norm.  The MD5 hash for this sample is 707D3477CBBEAD4923B17CE353D9761D. And, just to note, currently click fraud is reported elsewhere to challenge even the biggest, most technologically advanced online advertising companies. Some of the up-and-comers are committed to studying low intensity search abuse schemes as well.

Initially this DLL is loaded with regsvr32.exe, in order to perform an installation.  It installs a GUID in the “Browser Helper Objects” registry key which tells Internet Explorer where to find the DLL on disk.  Next it installs an executable (ctfmon_qj.exe) which will start any time the ctfmon.exe executable is launched.  It does this by inserting a “Debug” registry value in the “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe” registry key.  This causes ctfmon_qj.exe to be launched instead of ctfmon.exe, as it is being treated as the “debugger” for ctfmon.exe.

Ctfmon_qj.exe, when run, launches the actual ctfmon.exe; then proceeds to launches Internet Explorer.  This would guarantee that the browser helper object is loaded as soon as ctfmon.exe executes.  Once loaded, the DLL sits in Internet Explorer waiting for someone to navigate to a URL, such as clicking the “Search” button on google.com.  The destination URL is then scanned by the BHO for live.com, yahoo.com, and google.com.  If one of these domains are found in the URL, it starts looking for the search term, which is usually prefaced with something like, “&q=TERM” in Google’s case, or “&p=TERM” in Yahoo’s. It then harvests these query terms for later use and possibly evasion of click fraud detection algorithms.

After the term is found, a connection is made to takeasearch .com and the Bho sends the search term and a machine identification number, which is derived from your primary hard disk’s serial number.  The information that the takeasearch .com site returns tells the BHO what to do next.  There are several commands that can be returned from the web presence: DL:, GO:, REF: and OK:.

The first code path for the Bho to take depends on the returned data containing “DL: URL”. The BHO will send an Http GET to the URL as specified by the “DL:” command, saving the response to a file in the “C:\Program Files” directory, naming it “KB%i.exe”. The %i represents a random number generated by the rand() function.  The downloaded file is then executed via the ShellExecute() API.

If the response contains “GO: “, followed by a URL, the browser will be redirected to that URL.  There is also a timer that runs within Internet Explorer that will control the malware’s launch of a new instance of IE. This instance of  Internet Explorer is launched with a hidden window, so the browser runs on the system without the user’s consent or knowledge. The hidden browser will periodically connect to searchaccelerator .net with the machine identification token. As witnessed with the takeasearch .com result, if a “GO: ” response is provided to the hidden browser, it will be sent to several addresses that redirect the browser to its final destination. This final destination page is covered with ads that reportedly are “pay per impression” with revenues split between affiliates.

Here’s a sample conversation from the “hidden” Internet Explorer window. It is full of redirection:

1) GET http ://searchaccelerator .net/qi3.php?YBNz(shortened)
SERVER HTTP RESPONSE:
REF:http ://totalfinder .info/ search.php?q=Insurance%20recovery%20cars|GO:http ://totalfinder. info/clicks?719578181|DST:comparedby.us1234|RVER:80|TIMW:8|

We can see that the response contains several pieces of information, delimited by the vertial-pipe character. All of this information specifies the queries that the malware running on the user’s system is to carry out. The REF field tells the BHO to set the “Referrer: ” http header to the specified URL when sending a GET to the target URL, specified by the GO field.  The DST field is the browser’s final destination.

2) GET http ://totalfinder .info/ clicks?719578181
SERVER HTTP RESPONSE:
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.9
Location: http: //totalfinder .info/ search.php?q=Insurance%20recovery%20cars&sess=719578181

We can see in the response that the web server at totalfinder .info has redirected the browser via the “302/Found” HTTP response code to the next url. This subsequent url is also on the totalfinder .info domain, but this time, we observe high value search terms present in the URL itself: “Insurance recovery cars”. The redirection contains additional information, in our labs, we observed that these queries were most likely harvested from other infected systems, in an effort to randomize the redirected query terms.

3) http ://totalfinder .info/search.php?q=Insurance%20recovery%20cars&sess=719578181
SERVER HTTP RESPONSE:
<html><body><form name=”formrfgz” action=”http://68.169.70. 144/ go.php” method=”GET” target=”_top”><input type=”hidden” name=”c” value=”—truncated for brevity—”></form><script language=”JavaScript”>formrfgz.submit();</script></body></html>

On the third leg of redirections, we can see the that we actually load a regular web page with some html and a javascript.  On this page there is a form, with an action attribute that contains a URL to which the formrfgz.submit() function will tell the direct the browser to fetch this url.

4) http://68.169.70. 144/ go.php?c=truncated-for-brevity-again
SERVER HTTP RESPONSE:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Location: http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

Again, we see another 302 status redirect to a different URL.

5) GET http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0
SERVER HTTP RESPONSE:

<script language=”javascript”>
function v3clicktoit ()
{
document.clickit.submit();
}
</script>

<body bgcolor=”#FFFFFF” OnLoad=”Javascript:v3clicktoit()”>
<form name=”clickit” method=”POST” action=”/jump2/?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars”>
<input type=”hidden” name=”kw” value=”insurance recovery cars”>

The fifth redirect loads a regular webpage as was seen in redirect 3, and it uses the same submit() javascript function to direct the browser to “POST” the form, to the next URL.

6) http://3151.90539.discover-facts .com/jump2/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars
SERVER HTTP RESPONSE:
<frame name=’target’ src=”http ://r.looksmart .com/og/ ad=725195471;ag=732989664;kw=930857280;qt=insurance%20recovery%20cars;ip=127.0.0.1;geo=0;vid=0;rm=|http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a&camp=Moxy+H+RON&group=Moxy+H+RON&keyword=insurance%20recovery%20cars”>

As we near completion of our redirects, we can see a frame on this page, which loads the ‘target’ url which is on the r.looksmart .com domain.  It contains many parameters in the URL, which was shortened a bit, but still shows some of the interesting pieces of information being passed along.  From what we’ve seen thus far, we can speculate that there is an advertisement id, advertisement group, keyword id, query term, the computers external IP address, geological location id, and a the destination URL.

7) http ://r.looksmart .com/og/ …
RESPONSE:
HTTP/1.1 302 Found
Location: http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a

After this last “Found” redirect, we arrive out our destination. Here is a list of final destinations for the Bho and hidden IE process, and matching query terms returned by the servers:

iaf .net — injury lawyer
yb .com — maricopa employment
theyellowpages .com — car insurance quotes
comparedby .us — sewing material
theyellowpages .com — fish window cleaning
comparedby .us — memory tattoos
glimpse .com — QUEST SECURITY
allthebrands .com — sowing machine
yellowpages.lycos .com — teleflora
hotjobs .com — lyrics to anberlin unwinding cable car
hotjobs .com — mortgage companys in brownsville
theproductdepot .net — where does ivy tech culinary arts program rank
healthline .com — commercial locksmiths contra costa
yellowbook .com — will st johns wort stop pantic attacks
freepornvideos .com — anniversary party
hilcoind .com — scoliosis
longmontflorist .com — hall funeral home
milehigh-harley .com — www rentals
comparedby .us — advanced driver improvement

In all search queries above, the common points of redirect are 206.161.121. 110, 68.169.70. 144, local-search-pages .com, discover-facts .com, find-dozens .com.  Not coincidentally, all of the domains hide behind the same privacy registration service, making whois registration information unavailable.

In some instances, the search query is handed off to pay-per-click advertising sites and in others it passes the search directly to a site with an affiliate-id. It’s a complicated trail to follow, considering all of the redirections and affiliates, but the end result is artificially generated traffic to ad-serving sites. And stealing real search queries, misspellings and all, help to create data that best replicates input from a real online “consumer”.

Posted in Adware, Bot, Click Fraud, Crimeware, Downloader, Dropper | 4 Comments »

FakeAv Settlement

Thursday, July 2nd, 2009

The Ftc recently settled against a FakeAv purveyor. While this settlement won’t remove all of the variants out there, it is welcome news nonetheless with ongoing progress and the caselist here. The fewer distributors of XP Antivirus the better: “The two settling defendants were part of a massive deceptive advertising scheme that tricked more than a million consumers into buying “rogue” computer security products, including WinFixer, WinAntivirus, DriveCleaner, ErrorSafe, and XP Antivirus, according to the FTC’s complaint.” ThreatFire users were protected from a number of these scareware software packages, including XP Antivirus, in high volumes within the community back in mid-2008 and earlier.

The FTC’s complaint from December calls this stuff scareware, also called “rogueware”. It’s amazing how many users really fell for and continue to fall for this stuff, and then cannot get their money back. According to the complaint:
“Unaware of the Defendants’ trickery, more than one million consumers have purchased the Defendants’ software products to cure their computers of the non-existent problems “detected” by the Defendants’ fake scans…
Although some consumers later realize they have been defrauded by Defendants and attempt to seek refunds, Defendants routinely delay, obstruct and refuse to honor such requests.”

Posted in Adware, FakeAlert, Rogueware, Social Engineering, cybercrime | No Comments »

Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys

Thursday, June 18th, 2009

We have been investigating and analyzing a variety of malicious components delivered from some recent downloaders. Some of the filenames stand out as unusual. In particular, “podmena”,
which translates from russian to english as “Substitution or replacement made in a covert way (”pod” – “sub” or “under”, sort of under cover; “mena” – the root of word exchange); thus, it often stands for “spoof”, “fake”, etc. “Spoof”. It is fitting.

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the may payloads during the phony codec downloader attacks described in previous posts here, here and here. The components seem to be a part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver to run at startup and attaches to \Device\Tcp, intercepting all tcp related IRPs.

The Dll upon startup sends a DeviceIoControl() request to the driver opened on \\.\podmena\. The initial IO control code tells the driver to monitor outbound tcp port 80, and redirect all packets to 127.0.0.1:8085. Then, the dll sends a second io control code to the driver, which activates the forwarding.

The Dll will create a bound listening port on 8085 which now acts as an HTTP proxy for all outbout port 80 traffic. Upon packet reception (after it is redirected by the driver), the Dll will scan the requested url for search keywords based on the domain name of the request. (ie: search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc)

When a keyword is found, it will submit the text to its parent controller (the binaries that we have seen hard code “zz-dn.com”, which is unavailable, and then falls back to 85.13.236.134, an ip hosted in London). Depending on some timing randomization, the Dll will then load up and send the web browser to urls based on the response it receives back from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, with all of these sites hosting a variety of ads, even without visiting a search engine. The svchost process loaded up with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.

Oddly, we have not seen higher target moneymakers like banking userid’s and passwords stolen by these components.

Posted in Adware, Click Fraud | No Comments »

« Older Entries