Archive for the ‘Click Fraud’ Category

FBI IC3 2009 Report

Saturday, March 13th, 2010

The FBI released its Internet Crime Complaint Center (IC3) 2009 report. The organization maintains that cyberfraud losses reported to it doubled year over year.

The report reflects what appear to be significant changes. It includes mention of the FakeAV scams that have plagued users over the past couple of years. Another friend brought in a laptop screaming “Your system is infected!” just yesterday, most likely due to a banner-ad drive-by. At this point, it’s hard to believe that the fraud is not occurring on a large enough scale to quantify the criminal activity.

The report provides a list of the most common complaints that the IC3 received in 2009, including spam, identity theft, credit card fraud, and computer damage, all things that an additional layer of protection like ThreatFire effectively helps protect your system against.

Complaints of internet crime, including spam and fraud, should be filed here, in addition to making other appropriate contacts. They can’t report on what is not filed.

Click Fraud II

Wednesday, March 10th, 2010

Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not really victimless. It is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of business that burdens all customers of a business. Ugly.

There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages its bot-generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and then re-using them.

This post sets out to describe another set of click fraud components and activity used by a financially motivated group distributing Zbot and FakeAV alongside the click fraud components. The group expends considerable effort to distribute its crimeware packages and consistently uses blackhat SEO tactics and crack sites. It implements polymorphic malware executables to evade AV scanners on victims’ desktops, and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAV activity, is probably more stable and helps keep their money mules, web operators and developers paid, and may keep domain-squatting sites paid for. They appear to operate as a well-run money-making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so this group is not the only one spreading them.

A couple of ad-network affiliate terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They drive advertising and payouts for the ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, the station makes a deal with an “online media company” running an affiliate program to display whatever ads that company provides. When 1,000 users see the ads on the radio site’s web pages, the ad network pays out a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details relevant to click fraud of syndication, sub-syndication and referral deals are in the Clickbot.A paper by Neil Daswani et al., here.

Knowing that this simple setup leads to payouts, cheats looking for easy cash set up phony web sites hosting ad banners, infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAV), and visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually, they would start at a site hosting a slew of bizarre videos, like this one.

The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name is fairly arbitrary over time, and weighs in at approximately 100-200 KB. As mentioned above, distributors get the executable onto target systems via blackhat SEO tactics, P2P sharing and crack sites.

Once running, the msa.exe code connects back to one of several sites, which have changed over the past several months, to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move between major hosting sites, sometimes in Canada or the US. The encoded response to the POST is received by msa.exe and copied to a .dat file. The bot decodes this response and extracts the URLs to “click”. It is this list that the bot uses to fetch commands, sites and ads: which URLs are “clickable” and which are available for impressions only, how long to pause between clicks, and so on. The data is neatly XML-formatted:

<root>
  <pause>15</pause>
  <clickable>250</clickable>
  <visible>100</visible>
  <searchlimit>3600</searchlimit>
  <time>126593</time>
  <tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">
    <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>
    <ref><![CDATA[http://ad.r----media.com]]></ref>
  </tag>
  <tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">
    <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>
    <ref><![CDATA[http://ad.r----media.com]]></ref>
  </tag>
  <tag type="iframe" weight="26" search="100" clicks="1" id="3005" clickable="280">
    <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=120x600&section=773245]]></feed>
    <ref><![CDATA[http://ad.r----media.com]]></ref>
  </tag>
  <tag type="iframe" weight="21" search="100" clicks="1" id="3006" clickable="227">
    <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=160x600&section=773245]]></feed>
    <ref><![CDATA[http://ad.r----media.com]]></ref>
  </tag>
  <tag type="iframe" weight="25" search="30" clicks="1" id="3045" clickable="471">
  …
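Pulling that task list apart is the first thing an analyst does with a captured .dat response. The following is an added example, not code from the original post or from the malware: it parses a constructed sample in the captured layout (ad.example.net stands in for the redacted ad host) and extracts the pacing values, each entry’s ad size and section, and the hosts to watch for in proxy logs.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

# Constructed sample in the captured layout; ad.example.net is a placeholder host.
SAMPLE_TASKLIST = """<root>
  <pause>15</pause><clickable>250</clickable><visible>100</visible>
  <searchlimit>3600</searchlimit><time>126593</time>
  <tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">
    <feed><![CDATA[http://ad.example.net/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>
    <ref><![CDATA[http://ad.example.net]]></ref>
  </tag>
  <tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">
    <feed><![CDATA[http://ad.example.net/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>
    <ref><![CDATA[http://ad.example.net]]></ref>
  </tag>
</root>"""

GLOBAL_FIELDS = ("pause", "clickable", "visible", "searchlimit", "time")
TAG_ATTRS = ("weight", "search", "clicks", "clickable")


def parse_tasklist(xml_text):
    """Return {'globals': {...}, 'tags': [...]} from a decoded msa.exe response."""
    root = ET.fromstring(xml_text)
    globals_ = {f: int(root.findtext(f)) for f in GLOBAL_FIELDS if root.find(f) is not None}
    tags = []
    for tag in root.findall("tag"):
        feed = (tag.findtext("feed") or "").strip()      # CDATA is expanded to plain text
        query = parse_qs(urlsplit(feed).query)
        rec = {"id": tag.get("id"), "type": tag.get("type"), "feed": feed,
               "ref": (tag.findtext("ref") or "").strip(),
               "ad_size": query.get("ad_size", [None])[0],
               "section": query.get("section", [None])[0]}
        rec.update({a: int(tag.get(a, 0)) for a in TAG_ATTRS})  # numeric attrs kept as-is
        tags.append(rec)
    return {"globals": globals_, "tags": tags}


def feed_hosts(parsed):
    """Distinct hosts named in feed/ref entries: the ad endpoints to look for in proxy logs."""
    hosts = set()
    for t in parsed["tags"]:
        for url in (t["feed"], t["ref"]):
            if url:
                hosts.add(urlsplit(url).hostname)
    return sorted(hosts)


def weight_share(parsed):
    """Fraction of total 'weight' per tag (assumption: weight biases which entry is picked)."""
    total = sum(t["weight"] for t in parsed["tags"]) or 1
    return {t["id"]: t["weight"] / total for t in parsed["tags"]}
```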

After extracting the URLs to click, it then hits the web sites described earlier, plastered with oddball videos and images and hosting banner ads. One example from the many seen over the past few months is tu—aster. com:

[screenshot: tuster]

After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity’s sake and for privacy concerns, but allowed enough data to be recognized by fellow researchers:

hxxp://ad1.ad–vo. com/st?ad_type=iframe&ad_size=728x90&section=758786
hxxp://ad2.ad–vo. com/st?ad_size=728x90&ad_type=iframe&fil=gw&section=758786
hxxp://ad2.ad–vo. com/imp?Z=728x90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://ad.yie—-nager. com/imp?Z=728x90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://ad1.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728x90&ad_type=iframe&fil=gw&section=758786
hxxp://ad2.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.as–vo.com/st?ad_size=728x90&ad_type=iframe&fil=gw&section=758786
hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728x90&ad_type=iframe&fil=gw&section=758786
hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=6.0.79.0&url=http%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728x90%26ad_type%3Diframe%26–ler.com%2Fiframe3%0juvrDBw5kMNESk6cFF%3D%3D%2C%2Chttp%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728x90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ

Also hit are domains drawn from long lists of what were, at the time of writing, “parked” or “squatted” domains.


ThreatFire effectively protects against the delivery vector in the first place. It targets the evasive downloader, which is poorly detected by AV engines, so Zbot, FakeAV and these click fraud components never reach the system and the clickbot never runs.

Is Someone Stealing Your Search Queries? Why Might They Do That?

Friday, January 22nd, 2010

Banload is a malware name typically associated with banking trojan downloaders, but the Banload-detected sample covered in this post is a bit different from the norm. The MD5 hash for this sample is 707D3477CBBEAD4923B17CE353D9761D. And, just to note, click fraud is currently reported elsewhere to challenge even the biggest, most technologically advanced online advertising companies. Some of the up-and-comers are committed to studying low-intensity search abuse schemes as well.

Initially this DLL is loaded with regsvr32.exe in order to perform an installation. It installs a GUID in the “Browser Helper Objects” registry key, which tells Internet Explorer where to find the DLL on disk. Next it installs an executable (ctfmon_qj.exe) that will start any time the ctfmon.exe executable is launched. It does this by inserting a “Debug” registry value in the “SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ctfmon.exe” registry key. This causes ctfmon_qj.exe to be launched instead of ctfmon.exe, as it is treated as the “debugger” for ctfmon.exe.

Ctfmon_qj.exe, when run, launches the actual ctfmon.exe and then launches Internet Explorer. This guarantees that the browser helper object is loaded as soon as ctfmon.exe executes. Once loaded, the DLL sits in Internet Explorer waiting for someone to navigate to a URL, such as by clicking the “Search” button on google.com. The destination URL is then scanned by the BHO for live.com, yahoo.com, and google.com. If one of these domains is found in the URL, it starts looking for the search term, which is usually preceded by something like “&q=TERM” in Google’s case, or “&p=TERM” in Yahoo’s. It then harvests these query terms for later use and, possibly, evasion of click fraud detection algorithms.

After the term is found, a connection is made to takeasearch .com and the BHO sends the search term and a machine identification number, which is derived from your primary hard disk’s serial number. The information that the takeasearch .com site returns tells the BHO what to do next. There are several commands that can be returned from the server: DL:, GO:, REF: and OK:.

The first code path for the BHO depends on the returned data containing “DL: URL”. The BHO will send an HTTP GET to the URL specified by the “DL:” command, saving the response to a file in the “C:\Program Files” directory named “KB%i.exe”, where %i is a random number generated by the rand() function. The downloaded file is then executed via the ShellExecute() API.

If the response contains “GO: ” followed by a URL, the browser will be redirected to that URL. There is also a timer running within Internet Explorer that controls the malware’s launch of a new instance of IE. This instance of Internet Explorer is launched with a hidden window, so the browser runs on the system without the user’s consent or knowledge. The hidden browser periodically connects to searchaccelerator .net with the machine identification token. As witnessed with the takeasearch .com result, if a “GO: ” response is provided to the hidden browser, it will be sent through several addresses that redirect the browser to its final destination. This final destination page is covered with ads that reportedly are “pay per impression”, with revenues split between affiliates.

Here’s a sample conversation from the “hidden” Internet Explorer window. It is full of redirection:

1) GET http ://searchaccelerator .net/qi3.php?YBNz(shortened)
SERVER HTTP RESPONSE:
REF:http ://totalfinder .info/ search.php?q=Insurance%20recovery%20cars|GO:http ://totalfinder. info/clicks?719578181|DST:comparedby.us1234|RVER:80|TIMW:8|

We can see that the response contains several pieces of information, delimited by the vertical-pipe character. All of this information specifies the queries that the malware running on the user’s system is to carry out. The REF field tells the BHO to set the “Referrer: ” HTTP header to the specified URL when sending a GET to the target URL, which is specified by the GO field. The DST field is the browser’s final destination.
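To make the two message shapes concrete (the search-engine URLs the BHO watches for, described above under ctfmon_qj.exe, and the pipe-delimited command responses just explained), here is an added example that is neither the malware’s nor the original post’s code; it only decodes captured strings for triage, and the hosts in its constructed samples are placeholders.

```python
"""Decode the search URLs the BHO matches on and the KEY:value|... responses its server returns."""
from urllib.parse import urlsplit, parse_qs

# Engines the post says the BHO matches on, with the query parameter each uses for the term.
WATCHED_ENGINES = {"google.com": "q", "live.com": "q", "yahoo.com": "p"}

# Keys named in the post; anything else is reported as unknown rather than guessed at.
KNOWN_COMMANDS = {"DL", "GO", "REF", "OK", "DST", "RVER", "TIMW"}


def harvested_search_term(url):
    """Term the BHO would lift from a search URL, or None if it would ignore the URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    for domain, param in WATCHED_ENGINES.items():
        if host == domain or host.endswith("." + domain):
            values = parse_qs(parts.query).get(param)   # parse_qs already URL-decodes
            return values[0] if values else None
    return None


def parse_command_response(body):
    """Split 'KEY:value|KEY:value|' into (key, value) pairs, in server order.

    Only the first ':' separates key from value, so URLs in the value survive intact."""
    pairs = []
    for field in body.strip().split("|"):
        if not field:
            continue
        key, sep, value = field.partition(":")
        pairs.append((key.strip().upper(), value.strip() if sep else ""))
    return pairs


def classify_response(body):
    """Summarise what the bot would do with a response, for triage of captured traffic."""
    cmds = dict(parse_command_response(body))
    if "DL" in cmds:                       # post: fetch URL, save as KB%i.exe, run it
        return {"action": "download-and-execute", "url": cmds["DL"]}
    if "GO" in cmds:                       # post: redirect, with REF as Referer, DST as final page
        return {"action": "redirect", "url": cmds["GO"],
                "referer": cmds.get("REF"), "destination": cmds.get("DST"),
                "unknown_keys": sorted(set(cmds) - KNOWN_COMMANDS)}
    if "OK" in cmds:
        return {"action": "idle"}
    return {"action": "unrecognised", "keys": sorted(cmds)}


# Constructed samples modelled on the captured exchange; hosts are placeholders.
SAMPLE_SEARCH = "http://www.google.com/search?hl=en&q=insurance+recovery+cars&btnG=Search"
SAMPLE_RESPONSE = ("REF:http://finder.example/search.php?q=Insurance%20recovery%20cars"
                   "|GO:http://finder.example/clicks?719578181|DST:lander.example1234"
                   "|RVER:80|TIMW:8|")
```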

2) GET http ://totalfinder .info/ clicks?719578181
SERVER HTTP RESPONSE:
HTTP/1.1 302 Found
Server: Apache/1.3.41 (Unix) PHP/5.2.9
Location: http: //totalfinder .info/ search.php?q=Insurance%20recovery%20cars&sess=719578181

We can see in the response that the web server at totalfinder .info has redirected the browser via the “302/Found” HTTP response code to the next URL. This subsequent URL is also on the totalfinder .info domain, but this time we observe high-value search terms present in the URL itself: “Insurance recovery cars”. The redirection contains additional information; in our lab, we observed that these queries were most likely harvested from other infected systems, in an effort to randomize the redirected query terms.

3) http ://totalfinder .info/search.php?q=Insurance%20recovery%20cars&sess=719578181
SERVER HTTP RESPONSE:
<html><body><form name="formrfgz" action="http://68.169.70. 144/ go.php" method="GET" target="_top"><input type="hidden" name="c" value="—truncated for brevity—"></form><script language="JavaScript">formrfgz.submit();</script></body></html>

On the third leg of the redirections, we can see that we actually load a regular web page with some HTML and JavaScript. On this page there is a form whose action attribute contains a URL; the formrfgz.submit() call directs the browser to fetch that URL.

4) http://68.169.70. 144/ go.php?c=truncated-for-brevity-again
SERVER HTTP RESPONSE:

HTTP/1.1 302 Moved Temporarily
Server: nginx
Content-Type: text/html
Location: http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0

Again, we see another 302 status redirect to a different URL.

5) GET http ://3151.90539.discover-facts .com/jump1/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars&sid=TRUNCATED&a=zh5&mr=1&rc=0
SERVER HTTP RESPONSE:

<script language="javascript">
function v3clicktoit ()
{
document.clickit.submit();
}
</script>

<body bgcolor="#FFFFFF" OnLoad="Javascript:v3clicktoit()">
<form name="clickit" method="POST" action="/jump2/?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars">
<input type="hidden" name="kw" value="insurance recovery cars">

The fifth redirect loads a regular web page, as was seen in redirect 3, and it uses the same submit() JavaScript function to direct the browser to POST the form to the next URL.

6) http://3151.90539.discover-facts .com/jump2/ ?affiliate=3151&subid=90539&terms=insurance%20recovery%20cars
SERVER HTTP RESPONSE:
<frame name="target" src="http ://r.looksmart .com/og/ ad=725195471;ag=732989664;kw=930857280;qt=insurance%20recovery%20cars;ip=127.0.0.1;geo=0;vid=0;rm=|http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a&camp=Moxy+H+RON&group=Moxy+H+RON&keyword=insurance%20recovery%20cars">

As we near completion of our redirects, we can see a frame on this page, which loads the ‘target’ URL on the r.looksmart .com domain. It contains many parameters in the URL, which has been shortened a bit but still shows some of the interesting pieces of information being passed along. From what we’ve seen thus far, we can speculate that there is an advertisement id, advertisement group, keyword id, query term, the computer’s external IP address, a geographic location id, and the destination URL.

7) http ://r.looksmart .com/og/ …
RESPONSE:
HTTP/1.1 302 Found
Location: http ://www.comparedby .us/ lander.aspx?pmkeyword=insurance%20recovery%20cars&referrer=looksmart-a

After this last “Found” redirect, we arrive at our destination. Here is a list of final destinations for the BHO and hidden IE process, and the matching query terms returned by the servers:

iaf .net — injury lawyer
yb .com — maricopa employment
theyellowpages .com — car insurance quotes
comparedby .us — sewing material
theyellowpages .com — fish window cleaning
comparedby .us — memory tattoos
glimpse .com — QUEST SECURITY
allthebrands .com — sowing machine
yellowpages.lycos .com — teleflora
hotjobs .com — lyrics to anberlin unwinding cable car
hotjobs .com — mortgage companys in brownsville
theproductdepot .net — where does ivy tech culinary arts program rank
healthline .com — commercial locksmiths contra costa
yellowbook .com — will st johns wort stop pantic attacks
freepornvideos .com — anniversary party
hilcoind .com — scoliosis
longmontflorist .com — hall funeral home
milehigh-harley .com — www rentals
comparedby .us — advanced driver improvement

In all search queries above, the common points of redirect are 206.161.121. 110, 68.169.70. 144, local-search-pages .com, discover-facts .com, and find-dozens .com. Not coincidentally, all of the domains hide behind the same privacy registration service, making whois registration information unavailable.

In some instances, the search query is handed off to pay-per-click advertising sites, and in others it passes the search directly to a site with an affiliate id. It’s a complicated trail to follow, considering all of the redirections and affiliates, but the end result is artificially generated traffic to ad-serving sites. And stealing real search queries, misspellings and all, helps to create data that best replicates input from a real online “consumer”.