Click Fraud II

March 10th, 2010

Click fraud is a lot like shoplifting. It’s not the most shocking crime you know of, and it’s not really victimless. It is theft. But observing and identifying click fraud is more difficult than watching a kid slip an unpaid-for candy bar or magazine into their pocket. It’s also a cost of doing business that burdens all of that business’s customers. Ugly.

There are a lot of technical details to understand about click fraud, and even more that go into evading click fraud sensors. A previous post details how one group camouflages its bot-generated queries from fraud monitoring systems by stealing search terms from live humans on infected systems and then re-using them.

This post sets out to describe another set of click fraud components and activity used by a financially motivated group distributing Zbot and FakeAv in addition to the click fraud components. The group expends considerable effort to distribute its crimeware packages and consistently uses blackhat SEO tactics and crack sites. They implement polymorphic malware executables to evade AV scanners on victims’ desktops, and anti-reversing and encryption technology to foil analysis. Their click fraud, most likely generating lower revenues than their Zbot and FakeAv activity, is probably more stable: it helps keep their money mules, web operators and developers paid, and may keep their domain-squatting sites paid for as well. They appear to act as a well-run, money-making organization. We also know that the click fraud components are delivered alongside “Alureon/TDSS/Tidserv” drivers, so they are not the only ones spreading the stuff.

A couple of ad-network affiliate terms and concepts to understand: CPM (cost-per-impression) and CPC (cost-per-click). They are what drive advertising and payouts for ads on the web pages you view. For example, when you browse an online radio web site and it displays an ad for online movie rentals, it’s most likely not because the radio station has a contract with the online movie rental store to display its ads. Instead, the station makes a deal with an “online media company” running an affiliate program, and displays whatever ads that company provides. When 1,000 users see the ads on the radio site’s web pages, the ad network pays out a small sum of cash to the operator of the website. The more impressions or views, the higher the payout. Technical details relevant to click fraud, such as syndication, sub-syndication and referral deals, are covered in Neil Daswani et al.’s Clickbot.A paper here.

Knowing that this simple setup leads to payouts, these cheats looking for easy cash set up phony web sites hosting ad banners, infect large numbers of systems with click fraud components (alongside the Zbot spyware and FakeAv), and then visit various pages and ads from these infected systems repeatedly. In our lab, these click bots hit banner ads at random rates. Sometimes they would hit four per minute, wait a couple of hours, and then move on to other sites, where odd videos and pictures are haphazardly posted alongside ad banners. Usually, they would start at a site hosting a slew of bizarre videos, like this one.

The advertised images included ads from tire and tune shops, some restaurants, RV and trailer exchange sites, ringtone sellers, an ad council, singles sites, and many more. Let’s take a look at the components and the network traffic. The main executable performing the click fraud activity most often goes by the file name “msa.exe”, although the file name for the malware is fairly arbitrary over time, and it weighs in at approximately 100-200 KB. As mentioned above, distributors get the executable onto target systems via blackhat SEO tactics, P2P sharing and crack sites.

Once running, the msa.exe code connects back to one of several sites (which have changed over the past several months) to exchange initial request information. For example, the malware POSTs data collected from the system to a hard-coded web server address; in January and February, several of the servers’ online locations were fgage. com, tooldawn. com, bestalias. com, iepil. com, and theastic. com. The physical location of the servers themselves seems to move between major hosting sites, sometimes in Canada or the US. The encoded response to the POST is received by msa.exe and copied to a .dat file. The bot decodes this response and extracts the URLs to “click”. It is this list that the bot uses to fetch commands, sites and ads: it tells the bot which URLs are “clickable” and which are available for impressions only, how long to pause between clicks, and so on. The data is neatly XML formatted:

     <root>
       <pause>15</pause>
       <clickable>250</clickable>
       <visible>100</visible>
       <searchlimit>3600</searchlimit>
       <time>126593</time>
       <tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">
         <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>
         <ref><![CDATA[http://ad.r----media.com]]></ref>
       </tag>
       <tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">
         <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>
         <ref><![CDATA[http://ad.r----media.com]]></ref>
       </tag>
       <tag type="iframe" weight="26" search="100" clicks="1" id="3005" clickable="280">
         <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=120x600&section=773245]]></feed>
         <ref><![CDATA[http://ad.r----media.com]]></ref>
       </tag>
       <tag type="iframe" weight="21" search="100" clicks="1" id="3006" clickable="227">
         <feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=160x600&section=773245]]></feed>
         <ref><![CDATA[http://ad.r----media.com]]></ref>
       </tag>
       <tag type="iframe" weight="25" search="30" clicks="1" id="3045" clickable="471">

After extracting the URLs to click, the bot then hits the web sites described earlier, pasted over with oddball videos and images and hosting banner ads. One example from the many seen over the past few months is tu—aster. com.

After retrieving images and ads from this second site, request sequences often look like this one, which we’ve altered both for brevity’s sake and for privacy concerns, but allowed enough data to be recognized by fellow researchers:

     hxxp://ad1.ad–vo. com/st?ad_type=iframe&ad_size=728×90&section=758786
     hxxp://ad2.ad–vo. com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad.yie—-nager. com/imp?Z=728×90&fil=gw&s=758786&_salt=3275045331&B=10&u=&r=1
     hxxp://ad1.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad2.ad–vo. com/iframe3?ABEu.0juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.as–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://ad.yie—-nager. com/iframe3?juvrDBw5kMNESk6cFFFkoK0KOz59B3iLAAAAAAA==,,http://ad2.ad–vo.com/st?ad_size=728×90&ad_type=iframe&fil=gw&section=758786
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://adserver.ad–chus. com/addyn/3.0/5224/951864/0/225/ADTECH;cfp=1;rndc=126635781;loc=100;target=_blank;key=key1+key2+key3+key4;grp=[group];misc=1266357818864
     hxxp://pagead2.g—-esyndication. com/pagead/show_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/test_domain.js
     hxxp://pagead2.g—-esyndication. com/pagead/render_ads.js
     hxxp://g—-eads.g.—–eclick. net/pagead/ads?client=ca-pub-8175825562880389&output=html&h=90&slotname=8878168224&w=728&ea=0&flash=6.0.79.0&url=http%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26–ler.com%2Fiframe3%0juvrDBw5kMNESk6cFF%3D%3D%2C%2Chttp%3A%2F%2Fad2.ad–vo.com%2Fst%3Fad_size%3D728×90%26ad_type%3Diframe%26fil%3Dgw%26section%3D758786&fu=0&ifi=1&dtd=218
     hxxp://g—-eads.g.—–eclick. net/pagead/imgad?id=CMSty_OwpaPOXxDYBRhPMggZu9r8MIRZeQ
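As an added example (not code from the post, nor part of the malware), the following Python turns a decoded task list in the XML layout shown earlier into defender data, and then uses it to pick out matching requests from a proxy log like the sequence above. The sample config is constructed from the quoted fragment, the hostname keeps the page’s redacted spelling, and the log URLs are made up; the meaning of the `clicks` attribute is not documented on the page and is carried through unchanged.

```python
"""Parse a clickbot task list (XML layout shown above) into defender data:
pacing values, per-slot feed/referrer URLs, a hostname blocklist, and a
matcher that flags proxy-log URLs tied to the listed ad placements."""
from dataclasses import dataclass
from urllib.parse import urlparse, parse_qs
import xml.etree.ElementTree as ET

# Constructed sample modelled on the decoded response quoted in the post;
# the hostname is the page's redacted form, not a real server.
SAMPLE_CONFIG = """<root><pause>15</pause><clickable>250</clickable><visible>100</visible>
<searchlimit>3600</searchlimit><time>126593</time>
<tag type="iframe" weight="26" search="100" clicks="1" id="3008" clickable="252">
<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=468x60&section=773245]]></feed>
<ref><![CDATA[http://ad.r----media.com]]></ref></tag>
<tag type="iframe" weight="23" search="100" clicks="1" id="3007" clickable="328">
<feed><![CDATA[http://ad.r----media.com/st?ad_type=iframe&ad_size=300x250&section=773245]]></feed>
<ref><![CDATA[http://ad.r----media.com]]></ref></tag></root>"""

@dataclass
class Slot:
    tag_id: str
    weight: int
    clicks: int   # copied as-is; the post does not document its exact meaning
    feed: str     # ad-call URL the bot fetches
    ref: str      # referrer URL that accompanies it

def parse_config(xml_text):
    """Return (settings, slots): root-level integers and one Slot per <tag>."""
    root = ET.fromstring(xml_text)
    settings = {el.tag: int(el.text) for el in root if el.tag != "tag"}
    slots = [Slot(t.get("id"), int(t.get("weight")), int(t.get("clicks")),
                  (t.findtext("feed") or "").strip(), (t.findtext("ref") or "").strip())
             for t in root.findall("tag")]
    return settings, slots

def block_hosts(slots):
    """Hostnames from every feed and ref URL, for a proxy or DNS blocklist."""
    return sorted({urlparse(u).hostname for s in slots for u in (s.feed, s.ref) if u})

def section_ids(slots):
    """section= values carried by the feed URLs, for correlating with proxy logs."""
    return {v for s in slots for v in parse_qs(urlparse(s.feed).query).get("section", [])}

def matching_requests(slots, log_urls):
    """Proxy-log URLs that hit a listed host or carry a listed section id."""
    hosts, sections = set(block_hosts(slots)), section_ids(slots)
    hits = []
    for url in log_urls:
        p = urlparse(url)
        if p.hostname in hosts or sections & set(parse_qs(p.query).get("section", [])):
            hits.append(url)
    return hits
```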

The bot also hits any of a long list of domains that, at the time of writing, were “parked” or “squatted”.

ThreatFire effectively protects against the delivery vector in the first place. It targets the evasive downloader, which is poorly detected by AV engines, so Zbot, FakeAv and these click fraud components never reach the system and the clickbot never runs.

Delpiero Nabbed?

March 8th, 2010

The Bangkok Post’s article on a Malaysian man’s arrest and extradition to the U.S., charged with identity theft as part of a prosecution begun in 2008, potentially exposes the 12th person in the case, known until now only by his handle “Delpiero”. The man will be extradited for the theft and sale of over 40 million credit card numbers and personal information. From a 2008 article reporting the original case:

“Indictments against Hung-Ming Chiu and Zhi Zhi Wang, both of China, and a person known only by the online nickname “Delpiero” were also unsealed in San Diego.”

Damages from the hack(s) were not estimated in 2008: ‘“They used sophisticated computer hacking techniques that would allow them to breach security systems and install programs that gathered enormous quantities of personal financial data, which they then allegedly either sold to others or used themselves,” Attorney General Michael Mukasey said at a news conference. “And in total, they caused widespread losses by banks, retailers, and consumers.” Mukasey called the total dollar amount of the alleged theft “impossible to quantify at this point”’, but the Bangkok Post article seems to cite an estimated $150 million for the ring’s take.

Koobface Continued…

March 5th, 2010

The Koobface gang’s changing tricks and longevity are noted in a recent USAToday article. They’ve recently upped their activity on a major social networking site, and user infections appear to have jumped quickly. The current theme has been effective for the past month. A message arrives in a user’s inbox from a friend (names purposely removed from the image). Note that the gang is no longer using the bit.ly service in their attack links.
The link leads the user to the familiar phony YouTube “Broadcast Yourself” page, with a video frame and a Flash installer prompt: “This content requires Adobe Flash Player 10.37. Would you like to install it now?”. The download is a “setup.exe” file from “SquarePants”. When setup.exe is run, it in turn drops and runs “bill103.exe” or “bill104.exe” and begins its badness. ThreatFire prevents it effectively.
Past posts on Koobface here.

If you are prompted to install the Flash Player, skip the install and go to the vendor’s site directly to download the player’s installer and install it in your web browser. Then browse the page you want to view; on legitimate sites, the content should play.