Results matching “Ad Behavior” from SpywareGuide Greynets Blog

Bubbles...For Kids!


The discovery of the Bubbles worm has led to the discovery of more and more variants across the internet. While all have essentially the same methods of infection, not all simply block security programs. FSL has come across a variant of the Bubbles worm that is designed to steal any and all sensitive information from the victim's computer through the most devious method of all...keylogging!

It starts with an executable downloaded from a questionable website. The executable copies itself into the system32 directory of the victim PC; the four files shown below are all copies of the main executable:

http://blog.spywareguide.com/upload/2007/09/hiddenfiles-thumb.PNG


That's not all this worm does. It also looks for the game Runescape on the infected PC. Here's a screenshot taken from the main executable, pdo.exe:

http://blog.spywareguide.com/upload/2007/09/runescape-thumb.PNG


For those not aware, Runescape is an MMO game whose target demographic is children, young teens, and teenagers in general. This worm is looking not only for "runescape" but for an "RS PIN:" as well. Could this mean payment details? Or (more likely) could it refer to the victim's PIN for their in-game bank? Whether the aim is simply to loot your gold or to sell the PIN on illegal forums is unknown. That's not even the scariest part of this infection. It also logs everything the victim does on the infected PC, storing all logged information in a file in the system32 directory called syswinf32.dll.

http://blog.spywareguide.com/upload/2007/09/syswinf-thumb.PNG


Syswinf32.dll stores extremely sensitive information monitored from the infected PC.

The above picture is just a sample of what was found in the .dll file. It shows applications that have run, any action taken within the application, any text typed, and any websites visited. Now that it's effectively stealing every piece of information on the victim PC, it's time for the worm to spread to every Skype contact.

http://blog.spywareguide.com/upload/2007/09/skypemsg-thumb.PNG

Now this worm starts looking familiar. This is exactly the behavior we observed in the original Bubbles worm. Put it all together and what do you get? A worm/keylogger that spreads through Skype contacts and targets the teenagers who play Runescape. Combine that with the big juicy MAILTO: in the main executable file and you have yourself a wonderful recipe for potential identity theft.

Research Summary Write-Up: Chris Mannon, Senior Threat Researcher
Additional Research: Deepak Setty, Senior Threat Researcher

The Net has a long history of hoaxes and many of the "best" seem to involve dire warnings of virus attacks that simply don't exist. Whether you're being asked to delete teddy bears or avoiding the gaze of the all seeing eye, there's a rich history out there that bad guys could have some fun with. Well, sure enough, some hackers seemingly decided to create a kind of potted history of online web hoaxes and tie it into an actual infection. There's an MSN network instant messaging infection currently on the prowl that has a little fun at the good guys' expense, and toys with the notion of making a Net urban legend come to life. How is this done? Well, it's fairly subtle and not everyone would appreciate the rather warped humour. Assuming someone on your contact list has been infected, you'll see a message similar to the below appear on your screen:

http://blog.spywareguide.com/upload/2006/09/fantvcard4-thumb.jpg

Click the link, and you're taken to the below website:


http://blog.spywareguide.com/upload/2006/09/fantvcard1-thumb.jpg


Download and run the file on offer and (as you might expect) a bunch of nasty files are deposited onto your computer. Most of the files seem to be related to a certain strain of banking trojan particularly popular in Brazil - in fact, they're not too different from the files used in the Orkut Worm we discovered. Okay, I hear you cry - it attempts to steal confidential data. Show us something new, already.

Well, here we go.

You run an infection file, and generally one of two things happens:

1) Lots of notable stuff splatters across your desktop in the form of toolbars, popups and strange flashing banners.

2) An absence of anything notable happens on your desktop, which is probably an even worse scenario.

Here, however, you see....this:

http://blog.spywareguide.com/upload/2006/09/fantvcard3-thumb.jpg

...confused yet?

Allow me to explain. Rewind to the infection site: it speaks of a "virtual card for you". Examine the URL the strange heart-picture comes from: Quatrocantos, a well known site dedicated to exposing online web hoaxes. That's right, the bad guys pop open an image from the good guys' hoax-hunting website (using up their bandwidth in the process), where the image refers to a "fake" virtual card hoax, and tie it into a real virtual card infection.

As a final twist, the Quatrocantos website has a featured article on one other virtual card hoax, which stretches back to the year 2000. The title of that hoax?

A virtual card for you.

I asked Wayne Porter, Senior Director of Special Research (a new division I can't comment on) for his opinions given his background studying memetic engineering. "This is a cultural camouflage approach which we call "hoax cloaking". It is a defensive construct that adopts the very lore, memes and culture of the Internet to serve as a self-preservation and cloaking mechanism, much like the advanced construction of a "media virus".

For example, a natural response from a user might be to Google "A Virtual Card For You" to see if the card is an exploit or safe. At the moment Google, a trusted search engine, returns results from respected and trusted security companies like Sophos, Symantec, McAfee, Trend Micro, and F-Secure all warning this is a hoax, and the rest of the sites are very well known and trusted hoax busting sites. The criminal taps into three layers of trust using a hoax, which is pretty sophisticated behavior and pretty rarely seen." You can see some more information on the press release here.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
Technical Research: Chris Mannon, FSL Senior Threat Researcher
Supplemental Research: Wayne Porter, Senior Director Special Research

Quite often, you'll come across a website that's been hacked and admire the no doubt humorous picture, comical text and "advice" given to the site admin as little more than a harmless prank, something to be filed away on a hacked site archive. Well, beware, because many of those "hacked site" archives don't clean up the pages beforehand: you'll likely be hit with something nasty if the hacker decided to put something evil there. And wouldn't you know it, we have one such example for you coming up.

An individual under the alias SnIpEr_SA is currently making his way through as many domains as he can handle (25+ in the last ten days, which thankfully isn't very prolific) and leaving a little "present" for anyone unlucky enough to view his pages while using IE:

It's not often you find an affiliate of WhenU doing something that could be viewed as out-and-out deceptive, so this is a very interesting find indeed. Especially considering they do not have affiliates, at least affiliates in the "traditional sense" according to our Sr. Director of Greynets Research- Wayne Porter, who specializes in online economic models. His answer upon a quick analysis of the initial research:

It is a given WhenU has made a number of improvements from their past practices, and that is critical for setting an example. However, we take history into account and also look at what we see today. You will note they proclaim quite clearly, "No affiliate distribution, because it's impossible to police." This is wise. WhenU understands unchecked partner models lead to dangerous relationship sprawl and in the end you tar and feather your own brand and hurt people.
What is strange is the next bullet point "All distribution partners are monitored and must adhere to our strict guidelines; zero tolerance for infractions." (Porter notes this link here.) I would have to ask, from a commerce perspective: how do they monitor them, how do they vet them, what metrics are used to determine inappropriate and appropriate behavior, and what is the difference between affiliate and partner? This case seems to be confusing to the end user. Is this acceptable? Is this the experience they demand of their partners?
In this case the distribution partner does not appear to be an affiliate per the classic definition. I think it is a good question and would welcome dialogue from Bill Day on how they differentiate between an affiliate and a distribution partner. Clearly the program is being distributed via third parties and one would reasonably assume on a cost-per-action or split revenue basis, or a hybrid deal; that part remains unclear, but the revenue model drives behavior, we know that from field research. If Bill Day is willing to participate I am willing to prepare some questions for him if he would like to go on record about the policies and the reality of how they are put into action. The usual rules of engagement for dialogue of course."

Back to the case at hand...

During research my colleague Peter was probing for Myspace-themed files in P2P land and, while using Bearshare, came across a file called "Myspace". A movie file, no less. Would it contain Emo kids singing in a garage? Thirty-somethings complaining because none of their friends use Myspace to network?

Nope. In fact, the answer is a little stranger than that. First of all, check out the nice popup you see when firing up the movie for the first time:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu-thumb.jpg

...wait, DRM*? Isn't that what we kept hearing about during the Zango / Myspace fiasco? Could this mean some type of "software" is on the way? It sure could...

http://blog.spywareguide.com/upload/2006/08/myspacewhenu2-thumb.jpg

At this point, I'm sure of two things:

1) The Adware involved in this case is WhenU
2) I have absolutely no idea what "ETE" is, nor why I would want it.

Still, the file is called "Myspace" and we all know Myspace is cool, right? So a Myspace moviefile is going to be even cooler. Isn't it?

Well, no.

This is where things get really confusing for the end-user, because so far they have:

* Gone onto a file sharing network and downloaded a movie file called "Myspace"
* Been presented with a DRM popup relating to WhenU Adware, and told this is needed to install "ETE" despite not being informed of what ETE actually is. Note the popup mentions the install is from a website, when it's clearly from P2P.

At this point, pressing the Continue button will prompt the end-user to download an executable file:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu3-thumb.jpg

Eventually (after a period of complete inactivity on the desktop), you see this:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu4-thumb.jpg

...and we finally discover what ETE is - some kind of free entertainment center. Great, except it doesn't even appear to be on the system. Maybe it's one of those new invisible models I've heard so much about? Perhaps they have Romulan cloaking technology or something.

Anyway - after giving up looking for the mystical "ETE", the confused end-user will run the moviefile. They're presented with....the adultfriendfinder website and, er, some dancing bacon. Seriously:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu7-thumb.jpg

Why? No idea. Anyone see what this has to do with Myspace yet?

Our motto at the FaceTime lab is to try not to leave any stone unturned, so I wasn't prepared to let this mystery go. After some digging, it turns out that ETE is not a standalone application - it's actually a website:

http://blog.spywareguide.com/upload/2006/08/myspacewhenu5-thumb.jpg

This site lets you download applications from another site, called Binartisan.com. According to a Whois lookup, both sites are registered to someone in Taiwan. The download section of the Binartisan site contains many, many installers for games, screensavers and other programs:

myspacewhenu6.jpg

Most of these are WhenU installers - it doesn't take a great leap of the imagination to realise that the affiliate, or partner (depending on nomenclature) here is likely the same person distributing these files in P2P land under the name "Myspace". Of course, naming them after the number one Social Networking site on the web (when the files themselves have absolutely nothing to do with Myspace) is altogether more problematic. Some might even call it deceptive.

I think I'll suggest Wayne add that to his question list.

*Notes on DRM: Any technology used to protect the interests of owners of content and services (such as copyright owners). Typically, authorized recipients or users must acquire a license in order to consume the protected material (files, music, movies) according to the rights or business rules set by the content owner.

Research Summary Write-Up: Chris Boyd, Director of Malware Research
File Discovery: Peter Jayaraj, FSL Threat Researcher
E-commerce Policy Research Evaluation: Wayne Porter, Senior Director Greynets Research.

The issue of Blogspot URLs being redirected and used for exploits has been noted before. In this particular case we follow the evolution of sophisticated mass spamming of Google's Blogspot service URLs, coupled with other search engine spam techniques and trace the cascade of events that follow.

Overview: The "Simple Scenario"

1) Party unknown figures out how to optimize Blogspot pages to achieve high rankings in MSN portal Search Engine Results Pages (SERPS) for popular terms known as keywords, in particular keywords around World Cup coverage.

2) This person uses Google's Blogspot hosting. It has been noted before that Blogspot hosting allows users to insert JavaScript into the head of the HTML page, creating a vulnerable environment.

3) Party unknown implements a complex server-side, auto-rotation system on a domain hosted elsewhere.

4) Party unknown accomplishes "cloaking" the Blogspot URLs, hiding the auto-rotation system. The pages rank high in many MSN search results for targeted keywords.

5) Users conducting queries on MSN or users who arrive on the tainted blogspot URLs are redirected to various pages. In this particular example some sites display explicit pornographic content in addition to offering software downloads with a documented history of security risk.

The World Cup

This investigation over distribution and deception was kicked off by one of the world's biggest sporting events- the World Cup. We all have our favorite teams, and at FaceTime we want people to be able to follow their favorite teams and sports safely! The goal of our research was to investigate a popular sporting event and probe the Internet for attacks, social engineering, or any other malicious or deceptive activity centered around this event.

Flow Chart Sample of Events

To better understand the event flow, see the flow chart below.

http://blog.spywareguide.com/upload/2006/07/flowchart-thumb.JPG

Deceptive Mass Spamming Distribution

Basic search engine analysis shows the "party unknown" appears to be using automated techniques to spam guest books and other web pages in order to create links to the domain. Because of the auto-rotation system the domain's homepage changes frequently and apparently randomly. For example, it often defaults to Google's own portal for India.

Search System Pollution

As we will show, the techniques used to taint MSN search rankings are based on an understanding of the MSN search algorithm. However, the primary deceptive tactic is obfuscated JavaScript injected into the headers of Google Blogspot pages. This is significant because this particular problem has been publicly noted before by researcher Ben Edelman.


WARNING TO USERS: DO NOT go searching for these sites unless you are a trained security researcher. There is a dynamic component to this operation which could lead to a hostile environment or unwanted content. In short: what you see is not what you may get.

Research: How Did This Happen?

While searching for the keyword "World Cup 2006" in the MSN search engine, our researcher clicked the first natural result, the result below the sponsored ads. This result appeared to be an innocent-looking Blogspot URL, as the screenshot demonstrates.


Note on Search Engine Results:

Search engines use their own systems to determine the relevancy of a page for a keyword entered in the Search Box. Based on the search engine's algorithms the pages will be ranked and appear in the results. These results are often called SERPS or Search Engine Result Pages.

In crude theory the first result should be the most relevant to the keyword, the second result somewhat less relevant, and so on. Numerous factors affect relevancy beyond the scope of this write-up. It is reasonable to expect people to believe they will find the most relevant pages on the first page of results. For this reason, in this study, we have placed emphasis on studying the first results returned in the SERPS.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAWorldCupSearchResult-thumb.JPG


How Did this Page Get to the Top?

In simple terms, by using "spam techniques." With JavaScript turned off in the browser, the user would see a page like this:

Click To View Page with JavaScript Off


Redirection and Misdirection Over Time

Upon some of the first checks of these URLs our researcher noted redirects to the following Russian website. By.ru is a common hosting company, and "tkgroup" appears to be a student class blog.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFARussianWebSite-thumb.JPG

At first glance it might seem this could be a student prank merely playing search engine tricks. However, after several days the same result redirected our researcher to a different website, the "Adult DVD Download Network" IcooNet. The context and tone have now changed considerably: the intent is now commercial, but also pornographic. Users would have no way of knowing the site they were trying to reach would serve pornographic content if they relied on the title, text description and link displayed in the SERP.

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAIcoonet-thumb.JPG

In this example our research term used was for FIFA, so it would seem unreasonable to be offered an adult downloader. This is deceptive, and many users may find it offensive, especially since it is reasonable to expect young football fans would be searching for similar terms and will be guided by the domain name, title and description.

From a legal context this is significant: US CODE: Title 18,2252B. Misleading domain names on the Internet, from law.cornell.edu.

In a final example, the redirection goes to a website which features pornographic galleries offering a program that is cited as a variant of Zlob.Media-Codec. It may go under different names. A EULA is presented if the user wants to access the deceptively advertised pornography. We have not placed a screenshot here because the images are simply too offensive for our blog standards, but we have retained screen capture documentation and video of the site.

The different variants of these programs have to be downloaded in order to play any of the movies on the web-site.

Note this particular search query was conducted from one of our labs in India, so other users and countries will likely get different results. In addition search results change frequently. For purposes of documentation, we have included packet logs from query to destination as well as install of software.

Query Sample 1: Term FIFA+World+Cup+2006 .txt file

Query Sample 2: Term FIFA+World+Cup+2006 .txt file


We Just Wanted the World Cup

In the sample query illustrated by the packet logs above our researcher, searching for "FIFA World Cup 2006", finds a tainted Blogspot site and clicks through. The log documents the various redirects which end with the researcher arriving on a pornographic website where he was offered, and accepted, programs with well documented problematic behavior.

The initial MSN results showed 3 out of 10 results from Blogspot which display the obfuscated JavaScript and re-direction system. Users rely on search engines to deliver them high quality and relevant results. Since the domain names contain football (soccer to U.S. readers) related terms, titles and descriptions it is reasonable the user will feel confident to click-thru.

In a system such as this any number of attacks could be launched, and depending on the degree of sophistication of the attack or skill in social engineering- the results could be quite harmful. The screenshot below shows the tainted Blogspot URLs at MSN in the top ten results.

http://blog.spywareguide.com/upload/2006/07/3of10BlogSpotURLsinFirstpageoftheMSNResult-thumb.JPG


Past History of Problems

It should be noted that while we were unable to document any exploit behavior on the software page of the pornographic site, the software itself has a well documented history of problematic behavior from numerous third party sources. It is usually classified as a "trojan". Reference: Sunbelt on Zlob.Media-Codec, and Super AdBlocker on xpassman-v3, for example.

EULA Red Flags

In this particular case EULAs were presented with the software product(s) needed to access the content deceptively advertised by the unknown party. EULA analysis shows that additional security software will be added, that updates can be made, and that the home page will be changed, among other items.

See one EULA Analysis Sample

By accepting it the user grants the software rights to install additional components on the machine. These components or updates may not have cleared appropriate security hygiene processes. In addition no warranty on performance of the software is given.

Also notable: our automated readability analysis of the EULAs displayed shows that reading skills beyond a 12th-grade level are needed to understand the document, based on several readability batteries.

Flesch Grade: Beyond Twelfth Grade reading level
Automated Readability Index: Beyond Twelfth Grade reading level
Coleman-Liau Index:Beyond Twelfth Grade reading level
Gunning-Fog Index: Beyond Twelfth Grade reading level

Technical Background: How Did Blogspot Do This?

The attack is quite subtle. Put simply it uses obfuscated or "garbled" JavaScript.

Inspecting the source code of the blog entry, we noted a JavaScript block calling a function named decode(). There was no simple redirection code visible in the page source at first glance; all we saw was what looked like random numbers stored as a string. The function name itself, decode, was the hint to decode the whole function. Let us take a look at the original source code:

http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScript-thumb.JPG


Now let us examine the screenshot of the "decoded" code:



http://blog.spywareguide.com/upload/2006/06/Blogspot_Hijack/FIFAJavaScriptDecoded-thumb.JPG


Explanation of Code:
The code says if the blog is referred by any of the following major search engines:

Google
MSN
Yahoo
AOL
Ask
Altavista

Then it will open the URL http://www.toptravel10.com/search.php?aid=<*****>&q=World+Cup, which calls into action the redirection system. Therefore, the writer of this code is actively looking to intercept search traffic and move it somewhere else and the code writer is doing this with obvious intent.

However, if the blogspot address is only pasted or typed into the address bar of the IE browser it will redirect to MSN search result with the keyword "World Cup 2006". As we know from the above search result screen capture 3 out of the first 10 MSN natural search results could most likely be the same kind of tainted Blogspot entries. Clicking any of the entries will again redirect to the same system. This puts the user into a dangerous cycle. We qualify "most likely" because top ten entries can and do change dynamically beyond control of users.

Controlling the Deceit

In this case there is no need to change the source code of the page, because the operator of the toptravel10 domain has set up a complex server-side auto-rotation system of unknown make-up. The tainted Blogspot URLs use the URL http://www.toptravel10.com/search.php?aid=56340&q=World+Cup as a mediator: the Blogspot pages open this page when called, and at that point the toptravel10 domain's system decides where the user is redirected. The mediator remains constant and links to different URLs over a given period of time. In this case the researcher was referred first to a Russian website, then to ICOONet (Adult DVD Downloader), and now the mediator links to VideoGalleries, which in turn offers adult-oriented software.

It is also notable that the ownership information for the toptravel10.com domain is cloaked through a proxy registration service.


Why Use Blogspot?

Blogspot has been the target of similar attacks in the past. Researcher Ben Edelman's concern about Blogspot will help us understand why this case is important. From his article:

"...Numerous blogs hosted at Google's Blogspot service contain JavaScript that tries to trick users into installing unneeded software..."

In this instance the obfuscated JavaScript not only impacts the quality of search engine results it also acts as a more complex line of redirects to distance the designer from the scene.


Why MSN Search?

As researchers, we might ask: "Why would someone target the MSN search system?"

The likely reasons are that most Windows-based systems default to MSN search, and/or that the orchestrator had some mastery of gaming the Microsoft ranking algorithm.

Examples of tainted URLs are:

http://worldcup2006z.blogspot.com
http://footballwordcup2006.blogspot.com
http://fifaworldcup2006-.blogspot.com
http://-fifaworldcup2006.blogspot.com

(Note: After contacting Google last week- these are now offline!)

Are There More?

Yes. One such instance was found for the keyword "AIRLINE TICKETS".

These blog URLs may also be redirected to the same pornographic galleries, again depending on the system of rotation.

Blog URLs found for the keyword "AIRLINE TICKETS":

http://airlineticketsz.blogspot.com
http://cheapairlineticketsz.blogspot.com

Conclusion and Final Notes:

A solution was already offered by Ben Edelman:

"...What should Google do? Google already disallows JavaScript within Blogspot.com posts. Apparently Google considers embedded JavaScript too risky -- too likely to trick, deceive, or otherwise take advantage of users. But Google oddly allows JavaScript to be added to Blogspot headers and navigation bars. This decision should be reversed..."

In terms of football (soccer) this is the equivalent of a "Yellow Card".

We must add the following caution and warning on the tactical approach.

In this particular case the unknown party used some technological sophistication coupled with knowledge of world events, search engine algorithms and planning. However, the party used poor targeting.

Let us explore a "what if" scenario...

What if the same system, using football (soccer) keywords, were used to trick a user into opening a page that asked them to view 'World Cup Bloopers' or 'World Cup Highlights', or lured users with a fake video of a 'disputed call' or 'insider interview' cobbled together from pirated footage? The user, now contextually targeted, would probably click, and any number of hostile scenarios could play out. The attack would be limited only by the creativity and motivation of the operator.

To use our football analogy again- this is a "Red Card".

LATE ADDITION: We have contacted Google about our concerns pointing out the problem around the World Cup spam and they reacted rapidly. Initial research seems to show they scoured Blogspot and removed the tainted URLs so World Cup fans wouldn't fall into this trap during the championship weekend. However, the root of the problem still remains. What to do about the JavaScript? Ultimately that is a problem Google will have to solve.

The problem has been pointed out before- history should be the teacher.


Blog Summary Write-Up: Wayne Porter, Sr. Dir. Greynets Research
Technical Research: Peter Jayaraj, FSL Threat Researcher

....kind of. There's something of a storm brewing, and it all centers on this writeup by Ben Edelman, and his refusal to hand over the rogue affiliate details to 180 Solutions.

On the one hand, 180 are claiming that their security procedures are fine...on the other, they are essentially making the security researchers a part of their seemingly broken loop. I'm reminded of that old line about not having your cake and eating it, but oh well. You can try, I guess...

As Wayne Porter says on his Revenews Weblog:

Many researchers have done this to help educate the public, law enforcement and the legal eagles, and it has had some effect. However the routine grows stale when Company X utilizes said research to clean up their network and then claim how great they are at making the Internet a better place and being proactive. (These are my words not those of any company I work for.)

Can you almost feel the inflection point shimmering before you in the battlefield air? Can you see the line in the sand being drawn? I can. I think in the future the anti-spyware minutemen will continue to fire volley after volley only instead of giving out the full dose of lead they are going to release only what needs to be released to call attention to the bad behavior and leave the rest in reserve as ammo for the real guns that are slowly pivoting into the battlefield.

Yep. I can see the line in the sand.