Posts tagged “PPC”

Black Hat SEO, PPC & RogueAV Part 2



Part 1 of “Black Hat SEO, PPC & RogueAV” focused on the type and amount of incoming traffic generated through Black Hat SEO methods. This traffic is monetized through the use of RogueAV, Pay-Per-Click and Pay-Per-Install affiliates. This post continues the analysis of this campaign by providing an inside look at this BHSEO operation.

The attackers acquired lists of thousands of FTP server credentials. The attackers may have purchased the compromised accounts from others in the cybercrime underground or harvested them from other operations. The attackers use several scripts to log in to the FTP servers and upload their SEO scripts. The initial script uploaded to the compromised servers performs the following functions:

  • downloads the latest version of a redirection script
  • downloads a list of search queries
  • creates the files “tpl.txt”, “folders.txt” and “.htaccess”
  • creates a directory “wp-blog” that contains the files “go.php” (the downloaded redirection script), “keys.txt”, “nishe.txt”, “pages.txt” and “.htaccess”

The list of search queries is paired with random file paths in order to create pages on demand based on the search queries. When a request comes in, the redirection script checks whether the “referer” is from a search engine and whether the request appears to have been made by a “bot”. The latter check is performed by parsing the “user agent” header, for example for indicators of a search engine crawler. If the “referer” is a search engine and the request was not made by a “bot”, the request is redirected to the SEO server. If either of these checks fails, the script will look up the requested path to retrieve the search query it has been paired with.

http://127.0.0.1/eQikAjL8uovt/||chakra labels printable
http://127.0.0.1/eQpu8kNxWSo/||t mobile rebate printable
http://127.0.0.1/eQWiaZsv/||printable instructions for sand castles
http://127.0.0.1/eQouHA8/||printable hanukkah song lyrics
http://127.0.0.1/eQzVWiZjIpoh/||4tth of july printable crown

Then the script will take the search query and retrieve the results for the query from Google and display the content using the “tpl.txt” file, which is a template based on the look and feel of the compromised website. The links in the page point to the additional search query / file path pairings.
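For a web host responding to this campaign, the file set listed above and the “URL||query” pairing format are the things to look for. The following is an added example (not code from the original post) that walks a webroot for the marker files and parses the pairings into a path-to-query map; which of the three list files actually holds the pairings is an assumption, so all three are tried.

```python
import re
import tempfile
from pathlib import Path

# Files the post says the uploaded script creates at the site root and in "wp-blog".
ROOT_MARKERS = {"tpl.txt", "folders.txt", ".htaccess"}
WPBLOG_MARKERS = {"go.php", "keys.txt", "nishe.txt", "pages.txt", ".htaccess"}
# One "URL||search query" pairing per line, in the format quoted in the post.
PAIR_RE = re.compile(r"^(?P<url>https?://[^|\s]+)\|\|(?P<query>.+?)\s*$")

def parse_pairings(text):
    """Map each poisoned path (e.g. /eQikAjL8uovt/) to the query bound to it."""
    pairs = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line.strip())
        if m:
            path = re.sub(r"^https?://[^/]+", "", m.group("url"))
            pairs[path] = m.group("query")
    return pairs

def scan_webroot(root):
    """Return (site dir, marker files present, path->query pairings) per hit."""
    findings = []
    for wp in Path(root).rglob("wp-blog"):
        if not wp.is_dir():
            continue
        site = wp.parent
        root_hits = ROOT_MARKERS & {p.name for p in site.iterdir()}
        wp_hits = WPBLOG_MARKERS & {p.name for p in wp.iterdir()}
        # go.php plus the list files is the tell; a lone .htaccess is normal.
        if "go.php" not in wp_hits or len(wp_hits) < 3:
            continue
        pairs = {}
        for name in ("pages.txt", "keys.txt", "nishe.txt"):  # assumed: pairings live in one of these
            if (wp / name).is_file():
                pairs.update(parse_pairings((wp / name).read_text(errors="replace")))
        findings.append((str(site), sorted(root_hits | {"wp-blog/" + n for n in wp_hits}), pairs))
    return findings

def demo():
    """Build a constructed webroot mirroring the post's description, then scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "wp-blog").mkdir(parents=True)
        for name in ROOT_MARKERS | {"wp-blog/" + n for n in WPBLOG_MARKERS - {"pages.txt"}}:
            (site / name).write_text("")  # empty stand-ins for the marker files
        (site / "wp-blog" / "pages.txt").write_text(
            "http://127.0.0.1/eQikAjL8uovt/||chakra labels printable\n"
            "http://127.0.0.1/eQpu8kNxWSo/||t mobile rebate printable\n")
        return scan_webroot(tmp)
```

Point scan_webroot at a real document root to get, per infected site, the marker files found and the list of random paths that search engines may already have indexed.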

These pages are indexed by search engines and the search queries become associated with the malicious pages. In addition, when a user queries a search engine and lands on the malicious page, the user’s request is redirected to the SEO server along with the query that the user searched for. These queries are collected and fed into the search query lists used by the attackers.

At last count the attackers had uploaded their SEO scripts to 11,978 servers, and although the server appears to have been abandoned on 2010-09-20, the figures from earlier in the campaign indicate that the attackers were able to attract significant amounts of traffic.

The attackers recorded the referring domain name as well as the search query used to arrive at the compromised domain. These records, along with the number of hits, were recorded by the attackers and were available from an unprotected web interface.

In order to monetize their operation, the attackers used several affiliates. Users that the attackers detected were running non-Windows operating systems were redirected to pay-per-click affiliates at these domain names: www.rivasearchpage.com and www.offersfair.com. Windows users were redirected to RogueAV landing pages.

The RogueAV affiliates supply “landing page” URLs for their fake scanning pages, which attempt to trick the user into installing the fake security software. These URLs change over time, and the attackers maintain scripts that update them so that users are redirected to fresh URLs that are less likely to have been identified and blocked by the security community.

RogueAV_1:

url: http://ed2aa7.robertodefeaternow.com/ren/?2737=caeo&ca0f394=bc7oe7eea8&945aa=bc86zzo8za
file: db2d504abeedce8b404a1f5514989689 powersecure_2049_emr7.exe
VT: 3 /43 (7.0%)

RogueAV_2:

url 1: http://www3.sobaka-kaka.com/?[…]
url 2: http://www1.highguardsoftat.net/?[…]
file: 90245bf674ff3b16653fc6f7d191dead packupdate107_289.exe
VT: 18 /43 (41.9%)

Pay-Per-Install (PPI)

file: 02e62d95997b7db323175910bf14e19c file.1.exe
VT: 10/ 43 (23.3%)

This affiliate provides a URL that produces dynamic malware binaries. The attackers attempt to trick users into installing the malware by pretending that it is Adobe’s Flash Player. The attackers’ script periodically queries the affiliate’s distribution point to receive a new binary; each new binary has a different hash value.

In addition, the attackers used malware detection services to scan the binaries to see how AV products detected them. The attackers used scan4you.biz, which Brian Krebs documented earlier this year, as well as ghostbusters.cc.

When executed, this trojan attempts to connect to intromem.com and imagehut4.cn along with several other domains (murambus.net, aboutkayndu.net, officialgigaify.net, kataburglary.net, ftuny.com, 2youg.com), followed by numerous connections to ad servers.

In summary, this is not a complicated operation and it is largely automated. The system collects what users search for and then creates fake pages based on those queries. Search engines are fed these bogus pages, and users are redirected to the SEO server, which collects statistical information and then forwards the user on to a monetization strategy: either RogueAV, PPI or PPC. All the attackers need is a fresh supply of compromised FTP credentials, which can be purchased in the cybercrime underground.

Black Hat SEO, PPC & RogueAV



Search Engine Optimization (SEO) is a term that refers to efforts to increase the ranking of a website so that it appears in the top results when particular keywords are searched for in a search engine. Black Hat SEO refers to “unscrupulous” SEO techniques, often used to promote Rogue/Fake security software and pay-per-click (PPC) advertisement schemes. (See “Poisoned search results” by Sophos for details. See Trend Micro’s posts Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat for an understanding of PPI/PPC relationships as well as RogueAV/FAKEAV.) Using Black Hat SEO, malicious actors are able to have their content displayed in search engines when users search for particular, usually popular, keywords. When users click on these links, they are taken to either PPC websites or RogueAV websites. The malicious actors are paid for this traffic by their PPC and RogueAV affiliates.

Dancho Danchev recently profiled a campaign using compromised .nl and .ch websites to push PPC and RogueAV installations. This post provides some additional details on the campaign.

The actors behind the campaign are using, among other techniques, compromised FTP accounts to upload malicious files to web servers around the world. Compromised FTP credentials are readily available for purchase in the malware ecosystem and are often used to propagate malware. Malicious files are uploaded to compromised websites with snippets of text based on particular search phrases. These files are designed so that, when users search for certain keywords in search engines, the malicious sites rank highly in the results. While the search engines see this content, when users click on the links they are redirected to the malicious server and on to the PPI affiliates or RogueAV landing pages.

The servers used by the malicious actors to receive incoming requests from the compromised web servers use numerous domain names that resolve to several IP addresses (see malwareurl.com and malwaredomainlist.com). Despite the multiple IP addresses and domain names, they all really point to the same server. Based on “referer” logs generated by the malicious server used in the campaign, I’ve compiled statistics on the amount of traffic generated by the campaign to the “/liq/?st=” page between 2010-03-15 and 2010-08-18.

A total of 5,054,990 unique IP addresses generated a total of 9,003,188 page views between 2010-03-15 and 2010-08-18. Most of the traffic (45.99%) originated from the USA. Significant traffic was also generated from the United Kingdom, Canada, Australia and India.

Country Pageviews
US 4141181
N/A 2120320
GB 584884
CA 426338
AU 192713
IN 145287
NL 94310
DE 75934
PH 72625
FR 47163

The traffic to the malicious server is primarily generated from search engine results. Google.com was the most prominent referrer with 52.18% of all the traffic. While Yahoo! was also a source of a significant amount of referrals, Bing only accounted for 631 referrals.

Referer Pageviews
www.google.com 4698249
www.google.co.uk 610156
search.yahoo.com 532038
www.google.ca 479531
www.google.com.au 241546
www.google.co.in 174538
www.google.nl 99944
www.google.com.ph 92154
search.conduit.com 87652
N/A 77259

The following table shows the keywords that appeared most frequently in the queries users entered into search engines. These queries ultimately brought the user to the malicious actors’ server and on to their PPC and/or RogueAV affiliates’ landing pages.

Keyword Pageviews
free 621148
printable 574588
powered 251541
letter 193575
phpbb 171689
template 168488
kids 133337
worksheets 129167
with 129162
sale 115484
pictures 110804
sample 108331
grade 105488
coloring 98791
weather 85056

In total, 81.89% of all the pageviews were from computers running Windows (XP, Vista, 7) with 49.82% from XP systems. Most of these systems were probably redirected to RogueAV landing pages (I have not seen RogueAV targeting any platform other than Windows). Realizing that income can be generated from non-Windows traffic as well, the malicious actors redirected traffic to a PPC affiliate.

Operating System Pageviews
Windows NT 5.1 4485923
Windows NT 6.0 1855129
Windows NT 6.1 1032128
Linux i686 297166
Intel Mac OS X 10_5_8 203142
Intel Mac OS X 10.5 86777
Intel Mac OS X 10_6_3 85120
Intel Mac OS X 10_6_4 73613
Intel Mac OS X 10.6 68535
CPU iPhone OS 3_1_3 50709
Intel Mac OS X 10_4_11 50346

Microsoft’s Internet Explorer accounted for 58.92% of the total pageviews, followed by Firefox. Mobile phones (iPhone, BlackBerry, Android) accounted for 172,674 pageviews.

Browser Pageviews
IE 8.0 2420222
IE 7.0 1852866
IE 6.0 1026844
Firefox 3.6.3 585996
Firefox 3.5.5 268225
Chrome 5.0.375 222611
Firefox 3.6.8 214800
Safari 4.0.5 199939
Firefox 3.6.6 177534
Chrome 4.1.249 169083

How does it work?

Malicious files are uploaded to the compromised sites that contain links and text based upon lists of search queries. The snippets of text and links are used to boost the ranking of these sites in search engines. As a result, when users query search engines, the compromised websites appear in the results. When users visit these sites they are redirected to a server under the control of malicious actors.

These pages sometimes redirect users to RogueAV landing pages, and at other times display the content of the SEO pages that are generated to improve the search engine ranking for the malicious actors.

When users click the links in the search results, they are redirected to the malicious actors’ server and on through to either their PPC affiliate’s or their RogueAV affiliate’s landing pages. In the case of RogueAV, these landing pages display a “scare page” that prompts the user to install the RogueAV software.
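The cloaking just described leaves a signature in the compromised site’s own access log: the same path answers search-engine visitors with a redirect while serving crawlers and direct visits a normal page. The following is an added example (not code from the original post) that detects that split in Apache/nginx combined-format logs; the search-engine and crawler patterns and the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# Apache/nginx "combined" log format. The sample lines further down are constructed.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
# Referrers that count as "arrived from a search engine" and user agents that
# mark a crawler: the two signals the post says the redirection script keys on.
SEARCH_REFERER = re.compile(r'^https?://(?:[\w-]+\.)*(?:google\.[\w.]+|search\.yahoo\.com|bing\.com)/', re.I)
BOT_UA = re.compile(r'googlebot|bingbot|slurp|crawler|spider', re.I)

def classify(rec):
    """'visitor' = search-engine referer and a non-crawler user agent; else 'other'."""
    if SEARCH_REFERER.match(rec["referer"]) and not BOT_UA.search(rec["ua"]):
        return "visitor"
    return "other"

def find_cloaked_paths(lines, min_visitor_hits=2):
    """Paths that answer every search-engine visitor with a redirect (3xx) while
    serving everyone else (crawlers, direct hits) a 200 page."""
    by_path = defaultdict(lambda: {"visitor": [], "other": []})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        rec = m.groupdict()
        by_path[rec["path"]][classify(rec)].append(int(rec["status"]))
    cloaked = []
    for path, groups in by_path.items():
        visitors, others = groups["visitor"], groups["other"]
        if len(visitors) < min_visitor_hits or not others:
            continue
        if all(300 <= s < 400 for s in visitors) and all(s == 200 for s in others):
            cloaked.append(path)
    return sorted(cloaked)

GOOGLE = "http://www.google.com/search?q=chakra+labels+printable"
HUMAN = "Mozilla/5.0 (Windows; U; Windows NT 5.1) Gecko/20100722 Firefox/3.6.8"
CRAWLER = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLE_LOG = [  # constructed: poisoned random path vs. an ordinary page on the same host
    f'198.51.100.7 - - [18/Aug/2010:10:01:02 +0000] "GET /eQikAjL8uovt/ HTTP/1.1" 302 231 "{GOOGLE}" "{HUMAN}"',
    f'198.51.100.9 - - [18/Aug/2010:10:03:11 +0000] "GET /eQikAjL8uovt/ HTTP/1.1" 302 231 "{GOOGLE}" "{HUMAN}"',
    f'66.249.65.1 - - [18/Aug/2010:10:05:40 +0000] "GET /eQikAjL8uovt/ HTTP/1.1" 200 5120 "-" "{CRAWLER}"',
    f'198.51.100.7 - - [18/Aug/2010:10:06:02 +0000] "GET /index.html HTTP/1.1" 200 8210 "{GOOGLE}" "{HUMAN}"',
    f'198.51.100.9 - - [18/Aug/2010:10:07:15 +0000] "GET /index.html HTTP/1.1" 200 8210 "{GOOGLE}" "{HUMAN}"',
    f'66.249.65.1 - - [18/Aug/2010:10:08:30 +0000] "GET /index.html HTTP/1.1" 200 8210 "-" "{CRAWLER}"',
]
```

Feed find_cloaked_paths the lines of a real access log; a legitimate page that redirects everyone (or no one) will not be flagged, only paths whose response depends on who is asking.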

For example, the following chain was observed, each URL redirecting to the next:

http://tasteandflavour.co.uk/081018/?iWeabZ2sRIt
http://ebmipqasrj.ru/liq/?st=tasteandflavour.co.uk
http://erribhxzerr.co.cc/r/feed.php?k=printable+inurl%3A081018+site%3A.uk
http://erribhxzerr.co.cc/tube/?k=printable+inurl%3A081018+site%3A.uk
http://erribhxzerr.co.cc/r/sss.php
http://www4.checkpc98.co.cc/?p=p52dcWpscV%2FRlsijZFahqJ51ll7DZJOejpeblGY%3D (the RogueAV affiliate)
http://www2.security-soft81.co.cc/?p=[redacted]
http://www1.cure-my-pc41.co.cc/gmug9_289.php?p=[redacted]

The final URL downloads the executable packupdate9_289.exe.

File name: packupdate9_289.exe
MD5: ec28207e2e63f62e6c6d71cbabeaa151
VT: Result:6/ 40 (15.0%)

The domains of the RogueAV affiliate change frequently. In addition, the RogueAV binaries also change frequently. These changes make it more difficult for security products to protect users. For example, in this case only 6 of 40 AV products on VirusTotal detected the RogueAV binary.

On some occasions, users are redirected to a PPC affiliate. This allows the malicious actors to earn income for the traffic being pushed to the PPC affiliate’s search engine.

http://jjp.ch/hvuWovM/ redirects to http://ebmipqasrj.ru/liq/?st=jjp.ch

http://ebmipqasrj.ru/liq/?st=jjp.ch redirects to http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5

http://errh2hxzerr.co.cc/search/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5 redirects to http://www.rivasearchpage.com/?q=printable+colorful+asl+charts+or+flash+cards&aid=810&said=trend&n=5

After passing through a variety of redirects through the malicious actor’s server (ebmipqasrj.ru and errh2hxzerr.co.cc) the user ends up at the PPC affiliate page.

Some visitors are directed to download a malware binary posing as Adobe Flash Player.

Adobe__Flash__Player.exe
MD5: 658bb224c030542de22a9997e65f27e5
VT: 14/ 42 (33.3%)
Anubis Report

Traffic from over 5 million IP addresses totaling over 9 million page views in the last five months (2010-03-15 and 2010-08-18) passed through a malicious server and on to either PPC affiliates or RogueAV landing pages. This case is a good example of the profit-driven malware ecosystem. The malicious actors behind the campaign acquired (possibly from a third party) compromised FTP credentials for legitimate websites and used Black Hat SEO techniques to poison search engine results. They then redirected a significant amount of traffic through their own malicious infrastructure through to their PPC and Rogue AV affiliates. The malicious actors behind this campaign did not need a high degree of technical proficiency, the ability to program deceptive viruses and trojans or 0day exploits (or any exploits at all). All they did was leverage resources within the malware ecosystem in order to act as a “traffic broker” and redirect traffic to others within the malware ecosystem in order to generate income.

Traffic Direction Systems



Traffic Direction Systems (TDS) are used as landing pages that direct traffic to malicious content based on a variety of criteria such as operating system, browser version and geographic location. A variety of TDS systems are available, including Sutra TDS (www.kytoon.com/sutra-tds.html). Finjan posted an interesting analysis of one campaign (it no longer appears to be available) in which they tracked the use of the TDS from a malicious iframe embedded in a compromised website through to an exploit pack that attempts to compromise the user based on the types of (vulnerable) software the user has installed.

The statistics pages of some of the sites using Sutra TDS (home-sd.com, sutbizka.ru and new-xmading.ru) were retrieved from the Google cache.

home-sd.com (stolencinema@hotmail.com)

sutbizka.ru (riko246@bk.ru)

new-xmading.ru (riko246@bk.ru)

I found it interesting that the highest percentage of traffic to sutbizka.ru and new-xmading.ru was from Russia. The top referrers were generally porn sites and pay-per-click sites. Pay-per-click sites are an important part of converting botnet traffic into income. In a great two-part post (Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks and Making a Million, Part Two—The Scale of the Threat) Trend Micro explores the relationship between these pay-per-click traffic brokers, click fraud and botnets.

Two of the top referrers to sutbizka.ru and new-xmading.ru were pay-per-click brokers media-click.ru and protizer.net.

Now, it’s not entirely clear what activities home-sd.com, sutbizka.ru and new-xmading.ru are engaged in, but some additional searches revealed connections with malicious activity.

For example, the email address used to register home-sd.com (stolencinema@hotmail.com) was also used to register sespeed.info which Malware URL has linked to the distribution of RogueAV/FAKEAV software. The email address used to register sutbizka.ru and new-xmading.ru (riko246@bk.ru) has been linked to several trojans by MalwareDomainList.com.

While there are malicious activities associated with common IP addresses and email addresses, it is important to note that the details of the linkages between all these activities remain unclear. Domain names registered with one email address may be sold to or used by someone else. Moreover, many malicious sites may be hosted on a single IP address, especially when one can purchase crimeware-friendly hosting. So, while the activity can be located within concentrations of malicious activity, and it makes sense to cluster this activity, it is important to remember that there are complex linkages between criminal actors in the malware ecosystem.