- IE Used to Launch Instant Messaging and Questionable Clicks
Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible clickfraud (depending on how you define it). We often hear about Botnets in relation to this kind of scam - indeed, a common tactic which we've seen a number of times is to hijack the infected drones' homepage and fill it full of clickable adverts that bring in a return for the Botnet owner. Here, we have an attacker going one step further and doing away with the complicated aspect of the Botnet altogether, substituting it for a more straightforward scheme involving the worm mentioned above as a launchpad. Effectively, we have a Botnet without bots, and the potential for financial fraud is in some ways more severe, because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...
IM Clicks: Starting Positions
Usually, an Instant Messaging attack follows a familiar pattern - user is sent link, user clicks link and allows file to run on their system. At this point, they become infected and send dangerous links to their contacts.
Here, we have something different - an Instant Messaging attack launched by a webpage forcibly dumping executable files into a PCs temporary files directory, via some nifty VisualBasic scripting. As soon as this occurs, the infected PC will start to fire out infection messages to everyone on their contact list. What's more, the infection links themselves are extremely dynamic - it's possible to see seven or eight different messages in as many minutes.
If the sheer velocity of messages isn't impressive enough, the hackers take advantage of the "status message" functionality in Yahoo Instant Messenger - so even if the infected computer doesn't immediately send a link to their contact, they might see a message next to their name saying "check out my blog" and think it's perfectly innocent to do so. Remember - in this attack, you simply need to visit the offending webpage to become infected. There is NO need to physically allow a download or run a file.
So, how does this happen?
First of all, you need to visit an infection site using Internet Explorer - this exploit doesn't work in Firefox, for example. Due to the way these files are downloaded onto the PC, you can effectively make any site a potential threat and can scatter these files around wherever you like. You don't even need to bother with any social engineering to convince people to run them - a definite plus from a hacker's point of view.
The infection sites appear to be completely blank pages - to the casual end-user, nothing would seem amiss. However, if they happen to have Yahoo Instant Messenger up and running, they will quickly find a combination of error messages and chatboxes flashing up on the screen. What they won't see, is one of the randomly selected infection messages sent to their contact.
Additionally, they might notice that they suddenly have a new status message next to their name. The status messages are dynamic, and change often - reflecting the (randomly selected) infection links sent to their contacts. Everything from winning the lottery to famous footballers is thrown into the mix.
While the automated IM messages are directing other users to the infection site, this particular attack hijacks the Internet Explorer homepage of an infected user to a webpage stuffed with advertisements - that specifically target a certain medical condition geared towards maximising the financial gain of the hacker.
At this point, I'll let Wayne Porter, Senior Director Special Research take over...
Financial Scenario: Elephant Words Attract Malware
The KMeth Worm invokes a webpage with a number of Google Adsense ads targeting the term Mesothelioma.
Mesothelioma is a rare form of cancer commonly caused by prolonged exposure to asbestos and litigation later followed. The financial spends on these keywords are high, thus making this an "elephant word" or word with a high payout- a prime target for malware writers to exploit. Bids can range from $4.00 to $13.00 Per Click
What is Mesothelioma?
A rare form of cancer (about 1 in 1,000,000) that is almost always caused by previous exposure to asbestos. In this disease, malignant cells develop in the protective lining that covers most of the body's internal organs. Its most common site is the outer lining of the lungs and chest cavity, but it may also occur in the lining of the abdomen or the pericardium- a protective sac which surrounds the heart.
It is believed that most people who develop mesothelioma have worked on jobs where they inhaled asbestos particles, or have been exposed to asbestos dust and fibers in other ways, such as by washing the clothes of a family member who worked with asbestos, or by home renovation using asbestos cement products. There is no known association between mesothelioma and smoking.
Because of the asbestos link and that mesothelioma is usually an aggressive and deadly disease care is palliative (making the patient comfortable until death). Most of the cases are from exposure twenty to fifty years ago.
Litigation and the Bid Driven Economy
Because of the deadly nature of the disease it stands to reason that much litigation followed.
Companies liquidated holdings and produced asbestos substitutes, and started asbestos removal businesses. The pivotal decision was in June 1982, a retired boiler-maker, James Cavett, won a record award of $2.3 million compensatory and $1.5 million in punitive damages case.
As history illustrates the litigation around this type of cancer can net high returns for lawyers and those seeking damages- however these cases are rare. Thus the cost-per-click (CPC) can range quite a bit on bidding networks seeking these large litigation rewards. The bids may range from $4.00 to $13.00 per click and higher. This makes it a prime target for malware authors and worm writers who setup systems to either force or set-up a system to maximize clicks to these high paying keywords in order to gain their fee split.
It should be noted the Kmeth's target page seems to follow the Google Terms of Service in terms of number of ads allowed, etc. This tactic seems to be based on not arousing suspicion. The fraud is not perpetuated on the click, but on the mechanism of delivery- a worm. Addendum: Thus while click fraud could be debated, e.g. Google might call it an "invalid click" this is certainly "syndication fraud".
We can also observe the comment notation in the ad format: //2006-09-26: Mesothelioma
The notation leads us to believe the page has been created almost a week in advance of the KMeth Worm being unleashed.
Why Traffic Cleaner in Target Page?
The author goes a step further and displays some level of sophistication in the scenario by realizing that a fast propagating worm will not be country sensitive and thus bring traffic that will likely trigger fraud filters. This is worked around by using the TrafficCleaner service, a simple IP filtering service called through an IFrame.
When a visitor enters the website, the IFrame is loaded together. The IP address will be checked according to the person's "Filter settings". If the visitor is "allowed", nothing will be happen and the visitor can browse the intended site as normal- in this case a page with some information to trigger the high paying keywords and advertisements and search boxes all designed to have the user click-thru.
If, instead, the visitor is from a "Banned" country, he/she will be "filtered out" from the page and will be forwarded to the alternative URL the user has set in the "Filter settings". In either case a cookie will be placed on the visitors' computer, so no further checking will be necessary for that visitor if he returns or visits other pages in which the user also pasted the code, of course, until the cookie is deleted or has expired.
While this service has legitimate uses, for example a company who can only ship to the United States or does not wish to ship to certain countries, in this case the code is used to block certain visitors. The code is more than likely used to filter out traffic from known high fraud regions so the KMeth's worm delivery mechanism does not raise suspicion. By looking at the IP address of visitors it is possible to determine the country of origin and keep the "footprint" low.
The User Id of the traffic cleaner user is 893. TrafficCleaner, which does not appear to be involved, but merely a free service, is owned and operated by:
Blue Star Ltd.
MP3Pimping .com Connection
The KMeth Worm attempts to "launder" or deliver the traffic with pages showing ads through this Google publisher ID: pub-2609604811345695. We have linked this publisher ID with a site called www.mp3pimping.com. One cannot be 100% certain this is the party responsible as it could be a retaliatory attack.
Hilversum, New Hampshire 1221 CZ
Registered through: Mad Dog Domains and Cattle Company
Domain Name: MP3PIMPING.COM
Created on: 31-Dec-05
Expires on: 01-Jan-08
Last Updated on: 31-Dec-05
Hilversum, New Hampshire 1221 CZ
Hilversum, New Hampshire 1221 CZ
Domain servers in listed order:
However, given some of the domains listed on the same box, or same "neighborhood", many with false registration credentials, dubious content, etc. It does raise certain red flags.
For a text list of of the domain list that reside on this machine Download text file here.
Example HTML snippet from target (index) page below:
--google_ad_client = "pub-2609604811345695";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
The party also codes the page to ensure that if the user hits or uses the [back] button they receive a 404 or, page not found. Overall the quality and value of this advertising chain is little to none given the user's interest is stimulated artificially via the propagation of the worm. WIth KMeth Google's Syndication serves up ads for low-value pages that are built around a keyword theme which can lead to further degradation of advertising returns as in the case of using the Yahoo! Publishers Network where ads are syndicated from Adsense to YPN!- commonly called "bidding arbitrage".
CLICK STREAM SAMPLE SCENARIO
Antiry45 Sends Traffic via Google Syndication:
Returns this page: ThinkTarget.com uses supplemental results via Yahoo's Publisher Network.
Notation: thinktarget.com resides at 184.108.40.206
6 Results for 220.127.116.11 (Thinktarget.com) also reside on this machine.
Chris Boyd: In Conclusion...
Typically, financially-driven malware tactics use botnets to fraudulently increase traffic to specific online advertisements. In this case, the hackers have very cleverly borrowed tactics from botnet-creators to create a bot-less network of hijacked PC users to drive traffic to sites populated with these specific Google AdSense advertisements.
Introducing the human factor into the scenario makes these 'bot-less nets' much more difficult to detect - even sophisticated auto-clickers can usually be detected over time, but the creator(s) of this infection is banking on human unpredictability to see them through. After all, unlike the Botnet clicker drones, there is no guarantee a real-life human will actually click one of those adverts - it's a risk taken on the part of the creator, but all things considered, a rather small one...
Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researcher
E-commerce Evaluation and Write-Up: Wayne Porter, Senior Director Special Research