SpywareGuide powered by FaceTime Security Labs

IE Used to Launch Instant Messaging and Questionable Clicks

Last month, a particular Instant Messaging attack was infecting users via Yahoo Instant Messenger and causing all kinds of problems. This month, we've discovered a variant that's linked to a sophisticated piece of possible click fraud (depending on how you define it). We often hear about botnets in relation to this kind of scam - indeed, a common tactic we've seen a number of times is to hijack the infected drones' homepage and fill it with clickable adverts that bring in a return for the botnet owner. Here, the attacker goes one step further and does away with the complicated aspects of the botnet altogether, substituting a more straightforward scheme that uses the worm mentioned above as a launchpad. Effectively, we have a botnet without bots, and the potential for financial fraud is in some ways more severe because of the ease with which this particular attack spreads. First, let's take a look at the technical aspects of this attack...

IM Clicks: Starting Positions

Usually, an Instant Messaging attack follows a familiar pattern - the user is sent a link, the user clicks the link and allows a file to run on their system. At this point, they become infected and send dangerous links to their contacts.

Here, we have something different - an Instant Messaging attack launched by a webpage that forcibly drops executable files into the PC's temporary files directory via VBScript. As soon as this occurs, the infected PC starts firing infection messages at everyone on the user's contact list. What's more, the infection links themselves are extremely dynamic - it's possible to see seven or eight different messages in as many minutes.

If the sheer velocity of messages isn't impressive enough, the hackers take advantage of the "status message" functionality in Yahoo Instant Messenger - so even if the infected computer doesn't immediately send a link to a contact, that contact might see a message next to the user's name saying "check out my blog" and think it's perfectly innocent to do so. Remember - in this attack, you simply need to visit the offending webpage to become infected. There is NO need to explicitly allow a download or run a file.

So, how does this happen?

First of all, you need to visit an infection site using Internet Explorer - this exploit doesn't work in Firefox, for example. Because of the way these files are downloaded onto the PC, any site can be made a potential threat, and the files can be scattered wherever the attacker likes. There's no need for any social engineering to convince people to run them - a definite plus from a hacker's point of view.

The infection sites appear to be completely blank pages - to the casual end-user, nothing would seem amiss. However, if they happen to have Yahoo Instant Messenger up and running, they will quickly find a combination of error messages and chat boxes flashing up on the screen. What they won't see is one of the randomly selected infection messages being sent to their contacts.

[Image: Sample infection message]

Additionally, they might notice that they suddenly have a new status message next to their name. The status messages are dynamic and change often, reflecting the (randomly selected) infection links sent to their contacts. Everything from winning the lottery to famous footballers is thrown into the mix.

[Image: Sample status message]

While the automated IM messages are directing other users to the infection site, this particular attack also hijacks the Internet Explorer homepage of the infected user, pointing it at a webpage stuffed with advertisements that target a specific medical condition chosen to maximise the hacker's financial gain.

At this point, I'll let Wayne Porter, Senior Director Special Research take over...

Financial Scenario: Elephant Words Attract Malware

The KMeth Worm invokes a webpage with a number of Google Adsense ads targeting the term Mesothelioma.

[Image: Hijacked IE homepage]

Mesothelioma is a rare form of cancer commonly caused by prolonged exposure to asbestos, and litigation later followed. Advertiser spend on these keywords is high, which makes this an "elephant word" (a word with a high payout) and a prime target for malware writers to exploit. Bids can range from $4.00 to $13.00 per click.

What is Mesothelioma?
A rare form of cancer (about 1 in 1,000,000) that is almost always caused by previous exposure to asbestos. In this disease, malignant cells develop in the protective lining that covers most of the body's internal organs. Its most common site is the outer lining of the lungs and chest cavity, but it may also occur in the lining of the abdomen or the pericardium- a protective sac which surrounds the heart.

It is believed that most people who develop mesothelioma have worked on jobs where they inhaled asbestos particles, or have been exposed to asbestos dust and fibers in other ways, such as by washing the clothes of a family member who worked with asbestos, or by home renovation using asbestos cement products. There is no known association between mesothelioma and smoking.

Because of the asbestos link, and because mesothelioma is usually an aggressive and deadly disease, care is palliative (making the patient comfortable until death). Most cases stem from exposure twenty to fifty years ago.

Litigation and the Bid Driven Economy

Because of the deadly nature of the disease, it stands to reason that much litigation followed.

Companies liquidated holdings, produced asbestos substitutes, and started asbestos removal businesses. The pivotal decision came in June 1982, when a retired boiler-maker, James Cavett, won a record award of $2.3 million in compensatory and $1.5 million in punitive damages.

As history illustrates, litigation around this type of cancer can net high returns for lawyers and those seeking damages - however, these cases are rare. Thus the cost-per-click (CPC) on bidding networks can vary quite a bit as advertisers chase these large litigation rewards. Bids may range from $4.00 to $13.00 per click and higher. This makes the keyword a prime target for malware authors and worm writers, who set up systems to force or maximise clicks on these high-paying keywords in order to collect their share of the fee.

It should be noted that KMeth's target page seems to follow the Google Terms of Service in terms of the number of ads allowed, etc. This tactic seems to be based on not arousing suspicion. The fraud is not perpetrated on the click, but in the mechanism of delivery - a worm. Addendum: thus, while click fraud could be debated (Google might call it an "invalid click"), this is certainly "syndication fraud".

We can also observe the comment notation in the ad format: //2006-09-26: Mesothelioma

This notation leads us to believe the page was created almost a week before the KMeth Worm was unleashed.

Why Traffic Cleaner in Target Page?

The author goes a step further and displays some sophistication by realising that a fast-propagating worm will not be country-sensitive and will therefore bring in traffic that is likely to trigger fraud filters. This is worked around by using the TrafficCleaner service, a simple IP-filtering service called through an IFrame.

When a visitor enters the website, the IFrame is loaded along with it. The visitor's IP address is checked against the user's "Filter settings". If the visitor is "allowed", nothing happens and the visitor can browse the intended site as normal - in this case a page with some information to trigger the high-paying keywords, plus advertisements and search boxes, all designed to have the user click through.

If, instead, the visitor is from a "Banned" country, he or she is "filtered out" of the page and forwarded to the alternative URL the user has set in the "Filter settings". In either case a cookie is placed on the visitor's computer, so no further checking is necessary if he or she returns, or visits other pages in which the user has also pasted the code - until, of course, the cookie is deleted or expires.

While this service has legitimate uses - for example, a company that can only ship to the United States or does not wish to ship to certain countries - in this case the code is used to block certain visitors. The code is more than likely used to filter out traffic from known high-fraud regions so that KMeth's worm delivery mechanism does not raise suspicion. By looking at the IP address of visitors it is possible to determine the country of origin and keep the "footprint" low.
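The filter-then-cookie behaviour described above, written out as an added example. This is not TrafficCleaner's code and not anything recovered from the KMeth pages; it re-implements the logic the post describes (IP lookup against the user's filter settings, redirect to an alternative URL for banned countries, a cookie that short-circuits later checks) so the cloaking can be reasoned about. The prefix-to-country table, the cookie name, the cookie lifetime and the example URLs are all constructed for illustration.

```python
"""Added example: the IP-filter / redirect / cookie logic of a geo-cloaking IFrame.

Not TrafficCleaner's code.  GEO_TABLE, the cookie name and TTL, and every URL
below are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed prefix-to-country table using RFC 5737 documentation ranges;
# a real service would consult a geolocation database here.
GEO_TABLE: List[Tuple[ipaddress.IPv4Network, str]] = [
    (ipaddress.ip_network("198.51.100.0/24"), "US"),
    (ipaddress.ip_network("203.0.113.0/24"), "GB"),
    (ipaddress.ip_network("192.0.2.0/24"), "RU"),
]


def country_for(ip: str) -> str:
    """Map an address to a country code; anything not in the table is 'ZZ'."""
    addr = ipaddress.ip_address(ip)
    for net, cc in GEO_TABLE:
        if addr in net:
            return cc
    return "ZZ"


@dataclass
class FilterSettings:
    """What the post calls the user's 'Filter settings'."""
    banned: frozenset                 # country codes that are diverted
    alternative_url: str              # where banned visitors are forwarded
    cookie_name: str = "tc_893"       # hypothetical; keyed on the user id seen in the post
    cookie_max_age: int = 86400       # one day; the real lifetime is not stated in the post


@dataclass
class Decision:
    action: str                       # "serve" or "redirect"
    location: Optional[str]           # redirect target, if any
    set_cookie: Optional[str]         # Set-Cookie header to emit, if any


def filter_visitor(ip: str, cookies: Dict[str, str], s: FilterSettings) -> Decision:
    """Decide what the IFrame does for one request.

    A verdict already cached in the cookie wins over the IP lookup.  That is what
    lets a returning visitor skip the check, and it also means an analyst can
    force either branch simply by setting the cookie value by hand.
    """
    cached = cookies.get(s.cookie_name)
    if cached in ("serve", "redirect"):
        return Decision(cached, s.alternative_url if cached == "redirect" else None, None)
    action = "redirect" if country_for(ip) in s.banned else "serve"
    cookie = f"{s.cookie_name}={action}; Max-Age={s.cookie_max_age}; Path=/"
    return Decision(action, s.alternative_url if action == "redirect" else None, cookie)


def probe(s: FilterSettings, sample_ips: Dict[str, str]) -> Dict[str, str]:
    """Analyst view: request the page 'from' several countries with no cookie and
    record which ones get the ad page and which are diverted."""
    return {label: filter_visitor(ip, {}, s).action for label, ip in sample_ips.items()}


if __name__ == "__main__":
    settings = FilterSettings(banned=frozenset({"RU", "ZZ"}),
                              alternative_url="http://example.invalid/elsewhere")
    # Constructed sample addresses, one per table entry plus an unknown one.
    print(probe(settings, {"US": "198.51.100.7", "GB": "203.0.113.9",
                           "RU": "192.0.2.4", "unknown": "10.1.2.3"}))
```

The practical consequence for anyone investigating a page like this: a single fetch from a crawler or sandbox tells you only what that crawler's source country is allowed to see, and a cookie left over from an earlier visit can silently pin you to one branch. Fetch with no cookies, from more than one source country, and compare.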

The TrafficCleaner user ID in the embedded code is 893. TrafficCleaner, which does not appear to be involved and is merely a free service, is owned and operated by:

Blue Star Ltd.
Regensbergstr. 12.
CH-8157 Dielsdorf
Switzerland

MP3Pimping .com Connection

The KMeth Worm attempts to "launder" or deliver the traffic through pages showing ads under this Google publisher ID: pub-2609604811345695. We have linked this publisher ID with a site called www.mp3pimping.com. One cannot be 100% certain this is the responsible party, as it could be a retaliatory attack.


Owned By:
Registrant:
Wiebe Weikamp
Eemnesserweg 58
Hilversum, New Hampshire 1221 CZ
Netherlands

Registered through: Mad Dog Domains and Cattle Company
Domain Name: MP3PIMPING.COM
Created on: 31-Dec-05
Expires on: 01-Jan-08
Last Updated on: 31-Dec-05

Administrative Contact:
Weikamp, Wiebe
Eemnesserweg 58
Hilversum, New Hampshire 1221 CZ
Netherlands
(062) 040-2685

Technical Contact:
Weikamp, Wiebe
Eemnesserweg 58
Hilversum, New Hampshire 1221 CZ
Netherlands
(062) 040-2685

Domain servers in listed order:
DNS1.MP3PIMPING.COM
DNS2.MP3PIMPING.COM

However, given some of the domains listed on the same box, or in the same "neighborhood" - many with false registration credentials, dubious content, etc. - it does raise certain red flags.

For a text list of the domains that reside on this machine, download the text file.

Example HTML snippet from the target (index) page:


<script type="text/javascript"><!--
google_ad_client = "pub-2609604811345695";
google_ad_width = 728;
google_ad_height = 90;
google_ad_format = "728x90_as";
google_ad_type = "text_image";
//2006-09-24: Mesothelioma
google_ad_channel ="4060884470";
//--></script>
<script type="text/javascript"
src="http://pagead2.googlesyndication.com/pagead/show_ads.js">
</script>

The party also codes the page so that if the user hits the [back] button they receive a 404 (page not found). Overall, the quality and value of this advertising chain is little to none, given that the user's interest is stimulated artificially via the propagation of the worm. With KMeth, Google's syndication serves up ads for low-value pages built around a keyword theme, which can lead to further degradation of advertising returns, as in the case of the Yahoo! Publisher Network, where ads are syndicated from AdSense to YPN - commonly called "bidding arbitrage".

CLICK STREAM SAMPLE SCENARIO

Antiry45 sends traffic via Google syndication. The ad request:

http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2609604811345695&dt=1159795672999&lmt=1159602852&prev_fmts=728x90_as&format=728x90_as&output=html&channel=4060884470&pv_ch=4060884470%2B&url=http%3A%2F%2Fantiry45.googlepages.com%2Findex.html&ad_type=text_image&cc=100&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=-240&u_his=2&u_java=true&u_nplug=7&u_nmime=16

Returns this page: ThinkTarget.com uses supplemental results via Yahoo's Publisher Network. The click on the returned ad:

GET /pagead/adclick?sa=L&ai=BcUzB0BMhRd2oF5S2yQLCl_CwCrmj2BrF9K-JA8CNtwHA_BUQAxgHIOPp4wYoBECKFkisOVDlhvfQ-f____8BmAGI1s0QoAG1tOL9A6oBCjQwNjA4ODQ0NzCyARhhbnRpcnk0NS5nb29nbGVwYWdlcy5jb226AQk3Mjh4OTBfYXPIAQHaASBodHRwOi8vYW50aXJ5NDUuZ29vZ2xlcGFnZXMuY29tL-ABApUCC1RSCg&num=7&adurl=http://search.thinktarget.com/portal/thinktarget/search.php%3Fp2%3Dadmanager_3click_search,568448%26q%3Dmalignant%2Bpleural%2Bmesothelioma&client=ca-pub-2609604811345695&nm=9 HTTP/1.1

which lands on:

http://search.thinktarget.com/portal/thinktarget/search.php?p2=admanager_3click_search,568448&q=malignant+pleural+mesothelioma

Note: thinktarget.com resides at 69.8.177.5.

Six domains resolve to 69.8.177.5 (the thinktarget.com host):
1. adverpages.com
2. funnieststuff.net
3. rxwebsearch.com
4. tamnetwork.com
5. targetedpages.com
6. thinktarget.com
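As an added example (not code from the original post or from any party named in it), the following Python pulls the indicators an analyst would want out of the two requests quoted in the click stream above: publisher and channel IDs, the referring googlepages URL, the request and page-modified timestamps, the landing host and search keyword, and the printable strings embedded in the `ai` click token. The only inputs are the post's own two request strings, joined back onto single lines. Reading `u_tz` as minutes east of UTC (the JavaScript `-getTimezoneOffset()` convention) is an assumption; the rest is plain URL decoding.

```python
"""Added example: indicator extraction from an AdSense ad request and adclick line.

Not part of the original post.  The two sample strings are the post's own,
joined back into single lines; nothing is fetched from the network.
"""
import base64
import re
from datetime import datetime, timezone
from typing import Dict, List
from urllib.parse import parse_qs, urlsplit

# The ad request quoted in the post (show_ads.js calling /pagead/ads).
AD_REQUEST = (
    "http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-2609604811345695&dt="
    "1159795672999&lmt=1159602852&prev_fmts=728x90_as&"
    "format=728x90_as&output=html&channel=4060884470&pv_ch=4060884470%2B"
    "&url=http%3A%2F%2Fantiry45.googlepages.com%2Findex.html&ad_type=text_image&cc=100"
    "&u_h=768&u_w=1024&u_ah=740&u_aw=1024&u_cd=32&u_tz=-240&u_his=2&u_java=true&"
    "u_nplug=7&u_nmime=16"
)

# The click on the returned ad, as quoted in the post (HTTP request line).
ADCLICK_REQUEST_LINE = (
    "GET /pagead/adclick?sa=L&ai=BcUzB0BMhRd2oF5S2yQLCl_CwCrmj2BrF9K-JA8CNtwHA_BUQAxgHIOPp"
    "4wYoBECKFkisOVDlhvfQ-f____8BmAGI1s0QoAG1tOL9A6oBCjQwNjA4ODQ0NzCyARhhbnRpcnk0NS5nb"
    "29nbGVwYWdlcy5jb226AQk3Mjh4OTBfYXPIAQHaASBodHRwOi8vYW50aXJ5NDUuZ29vZ2xlcGFnZXMuY"
    "29tL-ABApUCC1RSCg&num=7&adurl=http://search.thinktarget.com/portal/thinktarget/search.php%3Fp2%"
    "3Dadmanager_3click_search,568448%26q%3Dmalignant%2Bpleural%2B"
    "mesothelioma&client=ca-pub-2609604811345695&nm=9 HTTP/1.1"
)


def _query(url: str) -> Dict[str, str]:
    """First value of every query parameter, percent-decoded."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query, keep_blank_values=True).items()}


def utc_date(seconds: int) -> str:
    return datetime.fromtimestamp(seconds, tz=timezone.utc).date().isoformat()


def parse_ad_request(url: str) -> Dict[str, object]:
    """Publisher, channel, referring page and timing from the /pagead/ads request.

    dt is the request time in milliseconds and lmt the page's last-modified time
    in seconds.  u_tz is assumed to be -getTimezoneOffset() in minutes.
    """
    q = _query(url)
    return {
        "publisher": q["client"],
        "channel": q["channel"],
        "page": q["url"],
        "page_host": urlsplit(q["url"]).hostname,
        "requested": utc_date(int(q["dt"]) // 1000),
        "page_last_modified": utc_date(int(q["lmt"])),
        "client_utc_offset_hours": int(q["u_tz"]) / 60,
    }


def parse_adclick(request_line: str) -> Dict[str, object]:
    """Landing URL, its keyword and the click token from a 'GET /pagead/adclick' line.

    adurl is double-encoded: the decode done by parse_qs yields the real landing
    URL, whose own query string is then parsed for the search keyword.
    """
    target = request_line.split(" ")[1]
    q = _query("http://pagead2.googlesyndication.com" + target)
    landing = urlsplit(q["adurl"])
    return {
        "publisher": q["client"],
        "token": q["ai"],
        "landing_url": q["adurl"],
        "landing_host": landing.hostname,
        "keyword": parse_qs(landing.query)["q"][0],
    }


def recover_strings(token: str, min_len: int = 4) -> List[str]:
    """Printable runs inside the URL-safe base64 click token.

    The copy of the token in the post does not end on a four-character boundary,
    so each of the four possible 6-bit alignments is tried by prepending 'A'
    (six zero bits) and the alignment that yields the most printable text wins.
    """
    best_score, best = -1, []
    for shift in range(4):
        s = "A" * shift + token
        if len(s) % 4 == 1:          # a lone trailing character holds no whole byte
            s = s[:-1]
        raw = base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))
        runs = [r.decode("ascii").strip() for r in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, raw)]
        score = sum(len(r) for r in runs)
        if score > best_score:
            best_score, best = score, runs
    return best


if __name__ == "__main__":
    print(parse_ad_request(AD_REQUEST))
    click = parse_adclick(ADCLICK_REQUEST_LINE)
    print({k: v for k, v in click.items() if k != "token"})
    print(recover_strings(str(click["token"])))
```

Two things fall out of running this that the raw lines do not show at a glance: the ad request's `lmt` puts the page's last modification on 30 September 2006, two days before the 2 October request, consistent with the "created in advance" comment date in the snippet; and the `ai` click token, once aligned, carries the channel ID, the referring host, the ad format and the full referring URL in the clear, so the token alone ties each click back to the googlepages referrer without needing the ad request.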

Chris Boyd: In Conclusion...

Typically, financially-driven malware tactics use botnets to fraudulently increase traffic to specific online advertisements. In this case, the hackers have very cleverly borrowed tactics from botnet-creators to create a bot-less network of hijacked PC users to drive traffic to sites populated with these specific Google AdSense advertisements.

Introducing the human factor makes these 'bot-less nets' much more difficult to detect - even sophisticated auto-clickers can usually be detected over time, but the creator(s) of this infection are banking on human unpredictability to see them through. After all, unlike the botnet clicker drones, there is no guarantee a real-life human will actually click one of those adverts - it's a risk taken on the part of the creator, but all things considered, a rather small one...

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Technical Research: Peter Jayaraj, Manoj V Nair, FSL Threat Researcher
E-commerce Evaluation and Write-Up: Wayne Porter, Senior Director Special Research

TrackBack

Listed below are links to weblogs that reference IE Used to Launch Instant Messaging and Questionable Clicks:

» Daily SearchCast, October 4, 2006: Put Google Gadgets Anywhere; Google's Schmidt Warns Politicos About Web Lie Detector; Yahoo's Mobile Ads; Make Your Own Googlesque Logo & More! from Daily SearchCast - Search Engine News Via Podcast
Google Gadgets are now available for your web site, along with a search box requiring no clickthrough; Google's Eric Schmidt warns politicians about the internet as lie detector; could the new Google Literacy Project be doing more that pushing Google ... [Read More]


Comments

I will continue to visit; enjoyed the reading, thanks.


Would most people click on an ad for a disease they had never heard of? Especially if the ad had hijacked their homepages?


If nobody clicked them, I can guarantee you that nobody would bother creating exploits like this.


Yea, people will definitely click on them because they think it's their friend on Yahoo Messenger sending them the link, not just some website out there. As long as they click, they get the cash, so it doesn't matter. Really good read, thx.


Great article!
This is rare to find an article that goes so deep at explaining the different steps of the fraud.
Thanks.


Check out this page (h ttp://myspeex.com/?aka48a) - I think that all asbestos AdSense premium rates are wrong. Maybe sometime ago that was true but now this is just a myth. Asbestos-related clicks don't pay well at all.


Hi,

I posted this article on www.yahoofanclub.com. But I think we can easily report the pub number of the Google ads. The only thing they are going to gain is page impressions. I haven't been infected yet. lolz


do you have any idea how to cure this all? it's been bugging me... :(


Google now has a Cost Per Action model in beta, as hackers are now driven by money instead of fame. It will be interesting to see what happens.



© Copyright 2006, FaceTime Communications, Inc. All rights reserved.