Archive for the ‘Click Fraud’ Category

@stealyourmoney — TweetFace Has a Tinyurl 4u

Friday, July 10th, 2009

Koobface joined the Twittersphere, and the Twittersphere is fighting back. It’s good to see response from the social networking infrastructure.

Koobface has been circulating widely for around a year now, with the ThreatFire community confident all along that their information is safe from the threat. In other words, if you want to keep it off of your system, be careful about what you download and add a behavioral solution like ThreatFire to your system’s security layers.

The Koobface family has been distributed in a couple of ways since June/July 2008, increasing its prevalence to significant volumes in December of last year. It started out as a standalone worm menacing the massive volumes of social networking users across a handful of social networks, defeating captchas, and downloading more malware to compromised systems. Now it is more often delivered as one component of a malware package pushed by exploit pages hosted on malicious web sites, alongside other payloads: Virut, click fraud components, spambots (Waledac) and scareware. Koobface can be a secondary method of propagation for these various malware distribution groups.

So it was only a matter of time before the developers figured out that Twitter is another popular Web 2.0 medium. They also figured out that Tinyurl is one way to obfuscate malicious urls and distribute these urls across tweets.

These urls lead to the standard phony codec pages that are a trademark of the group. This time you’ll see “Video posted by -WizArD-”; the site remains up:

When setup.exe is downloaded and run from 98.217.161.163, the user of course does not install an Adobe Flash Player Update as promised. Instead, they get an updated version of the Koobface worm. Along with the worm, the compromised system eventually is redirected to a FakeAv offer, so the group can make its money:

This morning, accounts tweeting the “My home video :) ” message with a tinyurl leading to the “Video posted by -Wizard-” are receiving some cleanup attention:

The Tinyurl has been disabled as well.

Podmena, podmena.dll and podmena.sys = spoof, spoof.dll, spoof.sys

Thursday, June 18th, 2009

We have been investigating and analyzing a variety of malicious components delivered from some recent downloaders. Some of the filenames stand out as unusual. In particular, “podmena”, which translates from Russian to English as a substitution or replacement made in a covert way (“pod” – “sub” or “under”, as in under cover; “mena” – the root of the word for exchange); thus it often stands for “spoof”, “fake”, etc. It is fitting.

The two “podmena” files dropped by the phony codec/viewer installs seem to be gathering much interest and gaining prevalence. They’ll be discussed here and the post itself will be updated with new information as it is uncovered.

First off, the files are dropped as one of the many payloads during the phony codec downloader attacks described in previous posts here, here and here. The components seem to be part of a click fraud scheme and a way to generate potentially artificial traffic volume to several search engines, including bee-find.com, missngpage.com, 102.123bounce.com, and www.search.pro.

Podmena.dll gets registered as a ServiceDll to be run via svchost.exe -k podmena.dll.
Podmena.sys is installed as a kernel driver to run at startup and attaches to \Device\Tcp, intercepting all TCP-related IRPs.

The Dll, upon startup, sends a DeviceIoControl() request to the driver, opened via \\.\podmena\. The initial I/O control code tells the driver to monitor outbound TCP port 80 and redirect all packets to 127.0.0.1:8085. Then the Dll sends a second I/O control code to the driver, which activates the forwarding.

The Dll will create a bound listening port on 8085, which now acts as an HTTP proxy for all outbound port 80 traffic. Upon packet reception (after it is redirected by the driver), the Dll will scan the requested url for search keywords based on the domain name of the request (i.e. search.yahoo, google, youtube, yahooapis, metacafe, sugg.search, aolcdn, etc.).

When a keyword is found, it will submit the text to its parent controller (the binaries that we have seen hard-code “zz-dn.com”, which is unavailable, and then fall back to 85.13.236.134, an IP hosted in London). Depending on some timing randomization, the Dll will then load up and send the web browser to urls based on the response it receives back from this parent controller.

In our lab, subsequent requests were sent to a variety of sites, with all of these sites hosting a variety of ads, even without visiting a search engine. The svchost process loaded up with podmena.dll can visit hundreds of sites approximately every ten minutes, depending on the instruction response it receives.
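The two host-level behaviors described above (browser traffic landing on the loopback proxy at 127.0.0.1:8085, and an svchost.exe process fanning out to hundreds of sites in roughly ten-minute bursts) can be spotted in a per-process connection log. The following is an added example written for this post, not code from the original write-up; the log format, the fan-out threshold and the assumption that the log records the post-redirect destination are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed values for this example: the loopback port from the write-up, plus a
# fan-out threshold and window chosen to match the ~10-minute browsing bursts.
PROXY_PORT = 8085
FAN_OUT_THRESHOLD = 20
WINDOW = timedelta(minutes=10)

def parse_line(line):
    """'<iso-ts> <process> <src>:<port> -> <host>:<port>' (assumed format)."""
    ts, proc, _src, _arrow, dst = line.split()
    host, port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proc, host, int(port)

def find_loopback_proxy(lines):
    """Processes whose port-80 traffic ends up at 127.0.0.1:PROXY_PORT."""
    hits = set()
    for line in lines:
        _, proc, host, port = parse_line(line)
        if host == "127.0.0.1" and port == PROXY_PORT:
            hits.add(proc)
    return sorted(hits)

def find_fan_out(lines):
    """Processes contacting > FAN_OUT_THRESHOLD distinct port-80 hosts
    within any WINDOW: the click-fraud browsing burst, not a human user."""
    by_proc = defaultdict(list)
    for line in lines:
        ts, proc, host, port = parse_line(line)
        if port == 80 and host != "127.0.0.1":
            by_proc[proc].append((ts, host))
    flagged = {}
    for proc, events in by_proc.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            best = max(best, len({h for _, h in events[start:end + 1]}))
        if best > FAN_OUT_THRESHOLD:
            flagged[proc] = best
    return flagged

# Constructed sample log: one browser hitting the loopback proxy, svchost.exe
# fanning out to 25 ad hosts in under three minutes, one benign connection.
SAMPLE = (
    ["2009-06-18T10:00:00 iexplore.exe 127.0.0.1:49200 -> 127.0.0.1:8085"]
    + [f"2009-06-18T10:0{i // 10}:{(i % 10) * 6:02d} svchost.exe "
       f"192.0.2.10:5{i:04d} -> ads{i}.example:80" for i in range(25)]
    + ["2009-06-18T10:05:00 outlook.exe 192.0.2.10:51000 -> mail.example:80"]
)
```

Running `find_loopback_proxy(SAMPLE)` and `find_fan_out(SAMPLE)` flags iexplore.exe for the loopback proxy and svchost.exe for the 25-host burst, while the single outlook.exe connection stays clean.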

Oddly, we have not seen higher-value targets like banking user IDs and passwords stolen by these components.