Archive for the ‘ZBot’ Category

Troyak-AS De-peered for Good?

Thursday, March 11th, 2010

The victory over dozens of Zeus botnets declared over the past couple of days may have been premature: the Troyak-AS upstream provider that had been de-peered by its own upstreams was busy finding new peers to the internet. A follow-up check shows that the provider has succeeded in regaining connectivity, and only two of the ISPs that are home to handfuls of Zeus C&Cs remain withdrawn (as of 11:30 a.m. Mountain Time 3/11/2010):

50215 TROYAK-AS Starchenko Roman Fedorovich

  Adjacency:     5  Upstream:     1  Downstream:     4
  Upstream Adjacent AS list
    AS8342          RTCOMM-AS RTComm.RU Autonomous System

With the original de-peering, it was thought that 68 monitored Zeus C&Cs had been disconnected from the net. But of the six ISPs hosting almost five dozen Zeus C&Cs, only two remain de-peered, leaving 43 monitored Zeus C&Cs up and running. We hope to see these come down soon. In the meantime, ensure that a protective layer like ThreatFire, which is effective against Zbot attacks, is installed on your system. And cheers to the awesome zeustracker site.

Click Fraud II

Wednesday, March 10th, 2010

Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not victimless: it is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of doing business that burdens all of a business’s customers. Ugly.

There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages its bot-generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and re-using them.

This post sets out to describe another set of click fraud components and activity used by a financially motivated group that distributes Zbot and FakeAv in addition to the click fraud components. The group expends considerable effort to distribute its crimeware packages and consistently uses blackhat SEO tactics and crack sites. It implements polymorphic malware executables to evade AV scanners on victims’ desktops, and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAv activity, is probably more stable and helps keep their money mules, web operators and developers paid, and potentially keeps the domain-squatting sites paid for. They appear to act as a well-run money-making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so this group is not the only one spreading them.

A couple of ad-network affiliate terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They are what drive advertising and payouts for ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, the station makes a deal with an “online media company” running an affiliate program to display whatever ads that company provides. When 1,000 users see the ads on the radio site’s web pages, the ad network pays a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details of syndication, sub-syndication and referral deals relevant to click fraud are in the Clickbot.A paper by Neil Daswani et al., here.

Knowing that this simple setup leads to payouts, these cheats looking for easy cash set up phony web sites hosting ad banners, infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAv), and visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually they would start at a site hosting a slew of bizarre videos, like this one.

The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name for the malware is fairly arbitrary over time, and weighs in at approximately 100-200 KB. As mentioned above, distributors get the executable onto target systems via blackhat SEO tactics, P2P sharing and crack sites.

Once running, the msa.exe code connects back to one of several sites, which have changed over the past several months, to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move between major hosting sites, sometimes in Canada or the US. The encoded response to the POST is received by msa.exe and copied to a .dat file. This response is decoded by the bot and the URLs to “click” are extracted. It is this list that the bot uses to fetch commands, sites and ads, knowing which URLs are “clickable” and which are available for impressions only, how long to pause between clicks, etc. The data is neatly XML formatted:

<tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">…<feed><![CDATA[http://ad.r----m]]></feed>…<ref><![CDATA[]]></ref>..</tag>…
<tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">…<feed><![CDATA[]]></feed>…<ref><![CDATA[]]></ref>..</tag>…
<tag type="iframe" weight="26" search="100" clicks="1" id="3005" clickable="280">…<feed><![CDATA[]]></feed>…<ref><![CDATA[]]></ref>..</tag>…
<tag type="iframe" weight="21" search="100" clicks="1" id="3006" clickable="227">…<feed><![CDATA[]]></feed>…<ref><![CDATA[]]></ref>..</tag>…
<tag type="iframe" weight="25" search="30" clicks="1" id="3045" clickable="471">
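The format above is compact enough to parse with a standard XML parser. As an added example (not code from the original post, and not the malware's own parsing routine), the Python below reads a constructed configuration in the same shape, wraps it in a root element (an assumption, since the captured data shows no root), and pulls out the per-tag attributes and the feed/ref URLs, which is what a defender needs to turn a captured response into a blocklist. The id and attribute values are taken from the post; the hostnames are placeholders under example.invalid.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from urllib.parse import urlsplit

# Constructed sample in the shape of the decoded msa.exe response shown above.
# Attribute values follow the post; the URLs are placeholders, not real feed hosts.
SAMPLE_CONFIG = """
<tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">
  <feed><![CDATA[http://ad.example.invalid/st?ad_type=iframe&ad_size=728x90&section=758786]]></feed>
  <ref><![CDATA[]]></ref>
</tag>
<tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">
  <feed><![CDATA[]]></feed>
  <ref><![CDATA[]]></ref>
</tag>
<tag type="iframe" weight="25" search="30" clicks="1" id="3045" clickable="471">
  <feed><![CDATA[http://parked.example.invalid/movies.php]]></feed>
  <ref><![CDATA[http://videos.example.invalid/]]></ref>
</tag>
"""


@dataclass
class ClickTask:
    id: str
    type: str
    weight: int
    search: int
    clicks: int
    clickable: int
    feed: str   # URL the bot fetches; empty when the tag carries none
    ref: str    # Referer the bot presents; empty when none


def _text(element, name):
    """Text of a child element, tolerating an empty CDATA section (text is None)."""
    child = element.find(name)
    return (child.text or "").strip() if child is not None else ""


def parse_click_config(xml_text):
    """Parse a decoded response into ClickTask records.

    The capture shows a bare sequence of <tag> elements, so we assume there is no
    root element and add one ourselves before handing the text to the parser.
    """
    root = ET.fromstring("<root>" + xml_text + "</root>")
    tasks = []
    for tag in root.iter("tag"):
        a = tag.attrib
        tasks.append(ClickTask(
            id=a.get("id", ""),
            type=a.get("type", ""),
            weight=int(a.get("weight", 0)),
            search=int(a.get("search", 0)),
            clicks=int(a.get("clicks", 0)),
            clickable=int(a.get("clickable", 0)),
            feed=_text(tag, "feed"),
            ref=_text(tag, "ref"),
        ))
    return tasks


def feed_hosts(tasks):
    """Distinct hostnames from non-empty feed URLs: the indicators worth blocking
    at the proxy or reporting to the ad network."""
    return sorted({urlsplit(t.feed).hostname for t in tasks if t.feed})


if __name__ == "__main__":
    tasks = parse_click_config(SAMPLE_CONFIG)
    for t in tasks:
        print(t.id, t.type, t.weight, t.clickable, t.feed or "(no feed)")
    print("feed hosts:", feed_hosts(tasks))
```

Tags with an empty feed still carry weight and clickable counts, so when diffing successive .dat files it is worth keeping the whole record rather than only the URLs: a change in those numbers with the same ids is a config update even when no new host appears.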

After extracting the URLs to click, it then hits the web sites described earlier, plastered with oddball videos and images and hosting banner ads. An example from the many seen over the past few months is tu—aster. com:



After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity and for privacy concerns, while leaving enough data to be recognized by fellow researchers:

hxxp://–vo. com/st?ad_type=iframe&ad_size=728×90&section=758786
hxxp://–vo. com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
hxxp://–vo. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://ad.yie—-nager. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
hxxp://–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,–×90&ad_type=iframe&fil=gw&section=758786
hxxp://–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,–×90&ad_type=iframe&fil=gw&section=758786
hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,–×90&ad_type=iframe&fil=gw&section=758786
hxxp://–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=–×90%26ad_type%3Diframe%26––×90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ
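As an added example (not code from the original post), here is a Python parser for request sequences like the one above, run over a constructed list whose hostnames are example.invalid placeholders and whose section, _salt and misc values are the ones shown. It handles both parameter conventions visible in the sequence (the ordinary ?key=value query string and the ADTECH-style ;key=value segments inside the path), refangs hxxp:// links, and reports which placement identifiers reappear across different ad-serving hosts, which is how a defender working from proxy logs can tie a chain of requests back to a single placement when reporting it to the networks involved.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample modelled on the sequence above: placeholder hosts, with the
# section/_salt/misc values taken from the post. Not a real capture.
SAMPLE_REQUESTS = [
    "hxxp://adserver-a.example.invalid/st?ad_type=iframe&ad_size=728x90&section=758786",
    "hxxp://adserver-a.example.invalid/imp?Z=728x90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1",
    "hxxp://adserver-b.example.invalid/imp?Z=728x90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1",
    "hxxp://adtech.example.invalid/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2;grp=[group];misc=1266357818864",
    "hxxp://syndication.example.invalid/pagead/show_ads.js",
    "hxxp://syndication.example.invalid/pagead/ads?client=ca-pub-0000000000000000&output=html&h=90&slotname=0000000000&w=728",
]


def refang(url):
    """Turn the defanged hxxp:// scheme back into http:// so urlsplit understands it."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def parse_ad_request(url):
    """Split an ad request into host, path and a flat parameter dict."""
    parts = urlsplit(refang(url))
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    path = parts.path
    # ADTECH-style requests carry their parameters as ';key=value' segments in the path
    if ";" in path:
        path, _, matrix = path.partition(";")
        for seg in matrix.split(";"):
            k, _, v = seg.partition("=")
            if k:
                params.setdefault(k, v)
    return {"host": parts.hostname, "path": path, "params": params}


# Parameter names the networks in the sequence use to attribute an impression or click.
PLACEMENT_KEYS = ("section", "s", "slotname", "client")


def placement_ids(requests):
    """Sorted (key, value) pairs identifying the placements seen in the sequence."""
    ids = set()
    for r in requests:
        for k in PLACEMENT_KEYS:
            if r["params"].get(k):
                ids.add((k, r["params"][k]))
    return sorted(ids)


def shared_placements(requests):
    """Map each section id to the distinct hosts that received it. An id seen on more
    than one host marks the hand-off between ad servers visible in the sequence above."""
    seen = {}
    for r in requests:
        for k in ("section", "s"):
            v = r["params"].get(k)
            if v:
                seen.setdefault(v, set()).add(r["host"])
    return {v: sorted(h) for v, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    parsed = [parse_ad_request(u) for u in SAMPLE_REQUESTS]
    for p in parsed:
        print(p["host"], p["path"], p["params"])
    print("placements:", placement_ids(parsed))
    print("shared:", shared_placements(parsed))
```

The `_salt` value is deliberately not treated as a placement id: it changes per impression in normal traffic, so it is a poor key for grouping, whereas `section`, `s`, `slotname` and `client` name the publisher-side slot that receives the payout.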

Also hit is any one of a long list of domains that, at the time of writing, are “parked” or “squatted”:

hxxp://collect—-ofcoloniesofbees. com/
hxxp://tra—-splay. com/movies.php
hxxp://aliv—-son. com/
hxxp://allcandlem—-g. com/
hxxp://ano—-look. net/
hxxp://—-l. com/
hxxp://—-l. net/
hxxp://apartm—-areus. com/
hxxp://apart—-toshare. com/
hxxp://abso—-look. com/
hxxp://a—-ake. com/
hxxp://ariz—-ades. com/
hxxp://a—-. com/
hxxp://ar—-. com/
hxxp://a—-. com/
hxxp://a—-look. org/

ThreatFire effectively protects against the delivery vector in the first place. It targets the evasive downloader, poorly detected by AV engines, so Zbot, FakeAv, and these click fraud components never reach the system and the clickbot never runs.

A Zbot Botnet Dubbed The “Kneber” Botnet

Thursday, February 18th, 2010

Zeus is an extremely effective bot builder kit, designed and developed to be sold in underground markets as a cybercrime kit, enabling buyers to easily build identity-theft spyware that evades many security solutions. The writers have been known to do custom work as well, all for a price.

The bots produced by the kit were in turn called “Ntos” and “Zbot” by major security software vendors. We’ve kept on top of its activity over the past couple of years, describing its distribution as part of other attacks, drive-by attacks, and spam blasts. The ThreatExpert blog maintains posts here and here. ThreatFire is one of the most effective, if not the most effective, products on the market at detecting and preventing the Zbot variants on user systems. It detects them clearly as “Spyware.Zbot”. Because one gang of the bot distributors has been so determined and successful at distributing the malware to high-value targets over the past couple of years, an individual Zbot botnet currently made up of a reported 74,000 Zbot-infected systems is being named the “Kneber Botnet”, based on the username this Zbot variant uses.

We have posted a dozen times about Zbot over the past couple of years, including stats on Zbot-downloading Bredolab variants being run on users’ systems. The locations of the tens of thousands of systems on which users have run Zbot itself over only the past six months vary across the globe, but here is a recent top ten from the ThreatFire community.


These Zbot hits are the malware that got through spam filters, mail AV scanners, etc.: Zbot was actually run on the user’s system and then prevented by ThreatFire. It’s also interesting to know that over 70% of ThreatFire users are running another security solution on their system (indicating that ThreatFire is the first and only product to detect and prevent in a startling number of incidents). ThreatFire protected all of our users who were tricked into running Zbot, and it’s a good thing: the vast majority of these variants were configured to steal banking credentials, in addition to other valuable user data.

Note – the DNS domains registered to “Hilary Kneber” from which the attacking web sites served the Zbot spyware (which must have helped in naming the botnet) hosted the Zbot executables as “bot.exe” in a couple of different directories. One would think that this filename would be a giveaway to security monitors. On victim systems where the malware was run, it seems that the file was downloaded and renamed to both “svchost.exe” and random names like “58e.tmp” so as to camouflage its purpose. It then predictably would attempt to copy itself to c:\windows\system32\sdra64.exe.
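As an added example (not part of the original post), the Python below turns the file-system observations in this note into detection rules and runs them over a constructed list of (writing process, written path) events: a file named svchost.exe appearing anywhere other than System32 or SysWOW64, and any write to the c:\windows\system32\sdra64.exe path named above. A third rule, a process running from outside the Windows directory writing a binary into System32, is a general heuristic added here rather than something the post states, and it will also fire on some legitimate installers, so treat it as a triage signal rather than a verdict. The 58e.tmp event in the sample shows the limit of name-based rules: a random temp name trips nothing on its own.

```python
import ntpath

WINDOWS_DIR = r"c:\windows"
SYSTEM32 = WINDOWS_DIR + r"\system32"
SYSWOW64 = WINDOWS_DIR + r"\syswow64"
# Path the Kneber Zbot variant copies itself to, as stated in the post.
ZBOT_DROP_PATH = SYSTEM32 + r"\sdra64.exe"

# Constructed file-write events (process image, path written) mimicking the sequence
# described above: a browser download renamed to svchost.exe, then the copy into System32.
# The user name and the msiexec/services lines are invented filler for the no-hit cases.
SAMPLE_EVENTS = [
    (r"c:\program files\internet explorer\iexplore.exe", r"c:\users\alice\appdata\local\temp\svchost.exe"),
    (r"c:\program files\internet explorer\iexplore.exe", r"c:\users\alice\appdata\local\temp\58e.tmp"),
    (r"c:\users\alice\appdata\local\temp\svchost.exe", r"c:\windows\system32\sdra64.exe"),
    (r"c:\windows\system32\msiexec.exe", r"c:\windows\system32\vendor.dll"),
    (r"c:\windows\system32\services.exe", r"c:\windows\system32\config\system.log"),
]


def flag_event(image, written):
    """Return the reasons (possibly none) that this write resembles the Zbot behaviour above."""
    image = image.lower()
    written = written.lower()
    directory = ntpath.dirname(written)
    name = ntpath.basename(written)
    reasons = []
    if written == ZBOT_DROP_PATH:
        reasons.append("write to known Zbot drop path sdra64.exe")
    if name == "svchost.exe" and directory not in (SYSTEM32, SYSWOW64):
        reasons.append("svchost.exe outside System32/SysWOW64")
    # Heuristic added here (not from the post): processes outside the Windows directory
    # rarely need to write binaries into System32; installers are a known source of noise.
    if (directory == SYSTEM32
            and not image.startswith(WINDOWS_DIR + "\\")
            and name.endswith((".exe", ".dll", ".sys"))):
        reasons.append("non-Windows process writing a binary into System32")
    return reasons


def scan(events):
    """Return [(image, written, reasons)] for every event that trips at least one rule."""
    hits = []
    for image, written in events:
        reasons = flag_event(image, written)
        if reasons:
            hits.append((image, written, reasons))
    return hits


if __name__ == "__main__":
    for image, written, reasons in scan(SAMPLE_EVENTS):
        print(f"{written}  <-  {image}\n    " + "; ".join(reasons))
```

The rules compare lower-cased paths because NTFS is case-insensitive; a rule that compared the raw strings would miss a dropper that writes `SvcHost.exe`.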