A Cybercrime Hub. Trend Micro Threat Research. Trend Micro, Incorporated. A Trend Micro White Paper | August 2009




TABLE OF CONTENTS

INTRODUCTION
THE CYBERCRIME COMPANY
ROGUE DNS SERVERS
INTRANET OF CYBERCRIME
NETWORK OF SOCKS4 PROXIES
REPLACING ADS
HIJACKING GOOGLE SEARCH QUERIES
PUSHING ROGUE ANTIVIRUS
CONCLUSION

INTRODUCTION

Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

Figure 1. The corporate website of the Estonian company

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, its employees administer sites that host codec Trojans and command-and-control (C&C) servers that steer armies of infected computers. The criminal outfit uses a large number of daughter companies that operate in Europe and in the United States. These daughter companies' names quickly draw heat when they become involved in Internet abuse and other cybercrimes, and they disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal outfit simply continues its business under a new name. In fact, constantly changing names is part of the company's business model, which has only a few constants, one of which is the mother company in Tartu.

Although explicit evidence exists that the Estonian company is heavily involved in cybercrime, the company could also be just another façade of a bigger cybercriminal gang whose investors reside in another country such as Russia or the United States. In fact, it is not at all unlikely that foreign criminal investors put their money into the Estonian company so they do not have to do the dirty work themselves.

Figure 2. The corporate website of one of the Estonian company's many daughter companies

This paper provides detailed data on some of the cybercrimes that this Estonian company has been involved in. It also provides statistics on advertising fraud committed on legitimate websites. Furthermore, it explains the backend structure of fraud with Google search queries and shows that around 100,000 unique Internet users per day get a bogus message saying, "You are infected with a virus, please download this piece of free antivirus software," whenever they attempt to access high-traffic pornography websites. Finally, it briefly discusses the internal network of the Estonian company, which shows how all of its activities relate to one another.

THE CYBERCRIME COMPANY

The director of the Estonian company has been convicted for credit card fraud, but he was still able to build a network of companies in Europe and in the United States. His companies continue to offer the following services:

Web hosting
Advertising
Internet traffic distribution
Pay-per-click (PPC) advertising
Parking domain site hosting

All of the above-mentioned activities are part of the same criminal operation. At present, the company owns a few networks in the United States and leases or owns servers in numerous datacenters around the world. Spreading its activities over several datacenters lowers the risk that it will suddenly go out of business when upstream providers terminate their services. This is exactly what happened in Fall 2008, when the Internet connectivity in its datacenter in San Francisco was terminated. This caused serious problems for the business, which were quickly averted by moving to other datacenters.

A lot of the company's employees seem to be young students in their 20s who live in the Tartu area in Estonia. A few of them have acted as spokesmen for the company, flatly denying serious allegations made against it, such as those on the site of Washington Post blogger Brian Krebs. These spokesmen must be fully aware of what the company is doing, while some of the other employees may not completely realize the implications of the work they do. Some of them do not hesitate to make their identities and their activities known. For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employment. This is a natural thing for a Web developer to do. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users into installing Trojans that posed as helpful software such as video codecs and file compression software.

ROGUE DNS SERVERS

One of the Estonian company's biggest assets is a set of hundreds of rogue Domain Name System (DNS) servers that have been active since 2005. These DNS servers look like ordinary recursive DNS servers. The only difference is that they resolve thousands of domain names to foreign malicious IP addresses instead of the actual legitimate IP addresses.

DNS changer Trojans silently change the settings of victims' computers to point to a foreign, rogue DNS server. Their victims are therefore put at great risk, as they can be redirected to any site every time they browse the Internet. They thus become vulnerable to malicious websites and spoofed sites and may become unwitting participants in a large-scale click fraud scheme.

It appears that the Estonian company controls every step, from driving traffic to sites with DNS changer Trojans to maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected whenever they attempt to access a legitimate site such as Google.

The rogue DNS servers have been active since 2005, with high-quality Internet connectivity in datacenters on the East and West coasts of the United States. Their pool of victims is still aggressively expanding today with the aid of advanced social engineering tactics.
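The two observable effects of a DNS changer described above (a resolver setting pointing at a foreign server, and well-known names resolving to addresses they should not) are exactly what an endpoint audit can test for. The following is an added example written for this paper, not Trend Micro's code: it checks a host's configured resolvers against a sanctioned list and compares the answers it gets for a few canary names with those of a trusted resolver. All hostnames, resolver addresses and answers are constructed placeholders from the IETF documentation ranges, and the sanctioned list is a hypothetical organization's policy.

```python
"""Resolver-tampering checks for managed endpoints.

Added example for the "Rogue DNS Servers" section; not Trend Micro's code.
A DNS changer Trojan has two observable effects a defender can test for from
endpoint inventory data:
  1. the host's configured resolver is no longer one the organization sanctions;
  2. a well-known ("canary") name resolves, via the host's resolver, to
     addresses that a trusted resolver never returns.
Every address, hostname and answer below is constructed sample data.
"""
from dataclasses import dataclass
import ipaddress

# Sanctioned resolvers for a hypothetical organization: RFC 1918 space (home
# routers and internal resolvers) plus one corporate resolver (placeholder IP).
SANCTIONED_RESOLVERS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("198.51.100.53/32"),
]

# Canary names: the paper reports Google and ad-network hosts being redirected,
# so those are the names worth comparing across resolvers.
CANARIES = ("www.google.com", "ad.yieldmanager.com")

# Answers from the trusted resolver (constructed TEST-NET-3 placeholders).
TRUSTED_ANSWERS = {
    "www.google.com": {"203.0.113.10", "203.0.113.11"},
    "ad.yieldmanager.com": {"203.0.113.40"},
}


@dataclass
class Endpoint:
    hostname: str
    resolvers: list   # resolver IPs configured on the host
    answers: dict     # canary name -> set of A records seen via those resolvers


@dataclass
class Finding:
    hostname: str
    reason: str       # "unsanctioned_resolver" or "canary_mismatch"
    detail: str


def resolver_sanctioned(ip: str) -> bool:
    """True if the resolver address falls inside a sanctioned network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in SANCTIONED_RESOLVERS)


def check_endpoint(ep: Endpoint) -> list:
    """Return findings for one endpoint; an empty list means it looks clean."""
    findings = []
    for resolver in ep.resolvers:
        if not resolver_sanctioned(resolver):
            findings.append(Finding(ep.hostname, "unsanctioned_resolver", resolver))
    for name in CANARIES:
        seen = set(ep.answers.get(name, ()))
        # Large sites rotate addresses, so only a set with *no* overlap with the
        # trusted answers counts as a mismatch; partial overlap is normal.
        if seen and seen.isdisjoint(TRUSTED_ANSWERS[name]):
            findings.append(Finding(ep.hostname, "canary_mismatch",
                                    f"{name} -> {sorted(seen)}"))
    return findings


def audit(endpoints) -> dict:
    """Map each hostname to its list of findings."""
    return {ep.hostname: check_endpoint(ep) for ep in endpoints}


def sample_endpoints() -> list:
    """Three constructed hosts: clean, infected, and one on a public resolver."""
    return [
        Endpoint("ws-clean", ["10.0.0.53"],
                 {"www.google.com": {"203.0.113.11"},
                  "ad.yieldmanager.com": {"203.0.113.40"}}),
        # Resolver points at a foreign address and both canaries resolve to it.
        Endpoint("ws-infected", ["198.51.100.77"],
                 {"www.google.com": {"198.51.100.200"},
                  "ad.yieldmanager.com": {"198.51.100.200"}}),
        # Unsanctioned but honest resolver: a policy finding only, no spoofing.
        Endpoint("ws-public-dns", ["198.51.100.99"],
                 {"www.google.com": {"203.0.113.10"},
                  "ad.yieldmanager.com": {"203.0.113.40"}}),
    ]


if __name__ == "__main__":
    for host, findings in audit(sample_endpoints()).items():
        status = "OK" if not findings else "; ".join(
            f"{f.reason}: {f.detail}" for f in findings)
        print(f"{host:15} {status}")
```

The two checks are deliberately separate: a host on an unsanctioned but honest resolver (someone who configured a public DNS service by hand) produces only the policy finding, while a DNS changer victim produces both, so the canary mismatch is the signal worth paging on. In practice the trusted answer set should be refreshed regularly, because the legitimate addresses behind large sites change.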

INTRANET OF CYBERCRIME

The Estonian company appears to be using a network comprising around 280 domain names ending with .intra for its server network. Using .intra domain names for internal servers seems to be a convenient way to automate tasks and to quickly move servers to different locations without the need to change written code. The 280 .intra domain names clearly indicate that one gang is maintaining and deploying the vast network of backend website servers that host codec Trojans, websites that drive traffic to these codec sites, servers that host the C&C servers of the codec Trojans, and servers that host the click fraud-related components of the Trojans.

portal2.intra 86400 IN A 93.190.x.x
codecsoft3.intra 86400 IN A 213.163.x.x
metaparser.intra 86400 IN A 67.210.x.x
adsclick.intra 86400 IN A 174.142.x.x
pharma1.intra 86400 IN A 87.118.x.x
tds.intra 86400 IN A 64.86.x.x

The table above shows the DNS resolutions of some of the private .intra domain names of the Estonian company's intranet. The following illustrates how backend servers are involved in one particular Trojan infection that occurs when an Internet user visits a website such as vivalatube.com:

vivalatube.com is hosted on a backend server called portal2.intra.
portal2.intra hosts pornography portal websites like vivalatube.com and drives traffic to examplefooter.com.
examplefooter.com hosts a codec Trojan that is supposedly needed to view special video content but is actually a DNS changer.
examplefooter.com is hosted on a backend server called codecsoft3.intra. The "codec" part in codecsoft3.intra is not a coincidence.
An infected user is redirected to foreign sites by the Traffic Distribution System at the tds.intra domain (IP address: 64.86.x.x).
The infected user sees pharmaceutical ads instead of legitimate ones on many of the websites he/she visits. The ads redirect the user to the pharma1.intra domain (IP address: 87.118.x.x), which advertises Vimax pills.
The user's Google toolbar requests get hijacked by the adsclick.intra domain (IP address: 174.142.x.x). The backend server metaparser.intra determines which ads the user will see in place of the Google ads.

There are several other similar examples that suggest a single company controls the portals and infection mechanisms involved. One company is behind the pornography sites riddled with Trojan codecs, the C&C servers that are contacted when victims get infected and those used to steal personal information, and the fraudulent ads: everything from the initial infection to exploiting infected hosts.

Until Fall 2008, the Estonian company was an Internet Corporation for Assigned Names and Numbers (ICANN)-accredited domain name registrar. The cybercriminal gang thus controlled yet one more step in cybercrime: anonymous domain registration. People who complained about domain names like vivalatube.com around that time by contacting the registrar or the Web hosting company were in fact sending their complaints to the cybercriminal gang itself. In November 2008, ICANN revoked the company's accreditation, as the association became aware that the company owner was convicted for credit card fraud.
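The value of a recovered internal zone file, as this section shows, is that it ties otherwise unrelated servers into one infrastructure map. The following added example (written for this paper, not Trend Micro's tooling) parses the six .intra records quoted above in standard zone-file syntax, keeping the masked octets ("x.x") exactly as published, assigns each host a role from the naming keywords the paper's narrative explains, and groups the hosts by /16 prefix to show how far the backend is spread across networks. The keyword-to-role table is an assumption derived from the text, not something the zone file itself carries.

```python
"""Turn the .intra zone records quoted in this paper into an infrastructure map.

Added example; not part of the Trend Micro paper. The records in ZONE_TEXT are
the six published in the "Intranet of Cybercrime" section, with the masked
octets kept as published. ROLE_KEYWORDS is an assumption drawn from how the
paper describes each host, not data from the zone file.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

ZONE_TEXT = """\
portal2.intra 86400 IN A 93.190.x.x
codecsoft3.intra 86400 IN A 213.163.x.x
metaparser.intra 86400 IN A 67.210.x.x
adsclick.intra 86400 IN A 174.142.x.x
pharma1.intra 86400 IN A 87.118.x.x
tds.intra 86400 IN A 64.86.x.x
"""

# One resource record per line: owner name, TTL, class IN, type, rdata.
RECORD_RE = re.compile(
    r"^(?P<name>[A-Za-z0-9_.-]+)\s+(?P<ttl>\d+)\s+IN\s+(?P<rtype>[A-Z]+)\s+(?P<rdata>\S+)$"
)

# Hypothetical keyword -> role mapping, in the order they should be tried.
ROLE_KEYWORDS = {
    "portal": "traffic portal",
    "codec": "codec Trojan host",
    "tds": "traffic distribution",
    "ads": "ad replacement",
    "meta": "ad selection backend",
    "pharma": "pharma landing page",
}


@dataclass(frozen=True)
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: str

    @property
    def prefix16(self) -> str:
        """/16 prefix of the A record; works even when the low octets are masked."""
        first, second = self.rdata.split(".")[:2]
        return f"{first}.{second}.0.0/16"

    @property
    def role(self) -> str:
        """Infer the host's role from the label's keywords (assumed mapping)."""
        label = self.name.split(".")[0].lower()
        for keyword, role in ROLE_KEYWORDS.items():
            if keyword in label:
                return role
        return "unknown"


def parse_zone(text: str) -> list:
    """Parse zone-file lines into Record objects, ignoring comments and blanks."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.split(";")[0].strip()      # ';' starts a zone-file comment
        if not line:
            continue
        match = RECORD_RE.match(line)
        if not match:
            raise ValueError(f"line {lineno}: unrecognized record: {line!r}")
        records.append(Record(match["name"], int(match["ttl"]),
                              match["rtype"], match["rdata"]))
    return records


def by_prefix(records) -> dict:
    """Group A-record owner names by /16 prefix to show network spread."""
    groups = defaultdict(list)
    for rec in records:
        if rec.rtype == "A":
            groups[rec.prefix16].append(rec.name)
    return dict(groups)


def roles(records) -> dict:
    """Map each owner name to its inferred role."""
    return {rec.name: rec.role for rec in records}


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    for name, role in roles(recs).items():
        print(f"{name:20} {role}")
    print(f"{len(by_prefix(recs))} distinct /16 prefixes for {len(recs)} hosts")
```

Run against the six published records, every host lands in a different /16, which is the concrete form of the paper's observation that the operation spreads its servers across many datacenters so that losing one upstream provider does not take the whole network down. The same parser accepts a full zone export, so the grouping scales to the roughly 280 names the paper mentions.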

NETWORK OF SOCKS4 PROXIES

The Estonian company appears to have an extensive network of more than 450 Socks4 proxies hosted on dedicated servers in at least 15 different networks around the world. The internal backend servers of the cybercriminals use these proxies to commit fraud with legitimate search engines. For instance, the Google search queries of DNS changer Trojan victims are relayed via backend servers through proxies to Google's real servers. This enables the company to show real Google search results to victims and also to hijack those results. The large number of proxies (more than 400) spreads the load so that Google does not notice the fraud.

The .intra zone file reflects a network of proxies such as:

gfeedproxy5.intra 86400 IN A 72.233.x.x

gfeedproxy5.intra serves as an intermediary hop for proxying Google search queries to Google's real servers.

REPLACING ADS

Figure 3 shows the CNN website as seen by an infected user (on Monday, January 5, 2009). Everything on it looks normal, except perhaps for the Vimax pills ad. The nature of this ad makes it somewhat unusual that it is being displayed on a mainstream news website. In fact, the Vimax pills ad is not what CNN intended to show to its visitors (see Figure 4). The ad should instead show a car for sale. The Vimax pills ad was inserted by a foreign party who uses DNS tricks to replace legitimate ads with its own, committing click fraud. Only Trojan-infected Internet users, however, will see ads other than those originally intended. Those who are not infected will just see the websites as they were designed.

Figure 3. CNN as seen by a DNS changer victim

So, how does this fraudulent advertising scheme work? When an Internet user visits a website like CNN, the ads on it are loaded from servers outside its network, such as the servers of ad agencies like DoubleClick or Yieldmanager.com. The ads that appear on victims' systems, however, are loaded from foreign servers instead of from DoubleClick or Yieldmanager.com. The most prevalent Trojans involved here are DNS changer Trojans, which silently modify the DNS settings of victims' systems to point to foreign IP addresses.

We found several servers involved in a setup administered by the Estonian company in question. One of the servers contained numerous banner ads of varied sizes featuring different campaigns, including the Vimax ads. These banner ads are meant to replace those from ad companies such as DoubleClick on legitimate websites, as shown in Figure 3 above.

Figure 4. CNN as seen by an unaffected user

Another server hosted spoofed versions of the legitimate websites of ad companies, such as ad.yieldmanager.com on Yahoo!. These spoofed sites contained scripts that parse ad URLs. For example, the scripts determine the size of the banners that should be embedded in legitimate websites so that the foreign ads can seamlessly replace actual ones. The layout of the site will look the same.

The data gathered from the said servers made it possible to indirectly determine how many ads are actually replaced by Vimax banners per day (see Figure 5). Note, however, that the figures presented are just a fraction of the actual number of ads that are replaced every day. For instance, we know that DoubleClick ads are replaced by text-based ones, too, which are not counted in the statistics used.

Figure 5. Number of legitimate ads replaced by Vimax ads

When a victim clicks a Vimax ad, he/she is redirected to a pharmaceutical website. It was not surprising to find that this website had its own backend server in the company's .intra network with the following DNS resolution:

pharma1.intra 86400 IN A 87.118.x.x

Using the internal name, as mentioned earlier, makes scripting and monitoring more convenient for these cybercriminals.

HIJACKING GOOGLE SEARCH QUERIES

The same Estonian company has also been found to hijack Google search queries. In this case, DNS changer Trojan victims unknowingly connect to a spoofed Google site when they perform a search query. When they click a Google search result, they are redirected to a different site than the one the search should actually lead to. Traffic from Google thus gets stolen. This type of scheme primarily targets the google.co.uk, google.com.au, google.ca, google.de, google.es, google.fr, and google.it sites. Other major search engines like Yahoo! and Microsoft's bing.com are targeted as well.

Figure 6. How the Estonian company hijacks Google search queries

To successfully hijack Google search queries using DNS changer Trojans, victims' actual Google search queries have to be relayed from the spoofed site to the real one. This allows cybercriminals to display real Google search results in victims' browsers. It appears that the Estonian company is relaying the Google search queries of DNS changer Trojan victims through its network, which comprises more than 400 proxies. These proxies spread the load over different IP addresses so Google does not notice the illegal activity. We believe that none of these proxies are compromised hosts; rather, they are dedicated servers in datacenters owned or leased by the Estonian company.

Apart from relaying victims' search queries through the above-mentioned proxies, the company also caches old search results so that only unique queries need to be relayed to Google. These cache servers are located on the following internal .intra servers:

gcache1.intra 86400 IN A 69.31.x.x
gcache2.intra 86400 IN A 67.210.x.x

Figure 7 shows the number of unique Google search queries that the cybercriminal operation hijacks. Note that their uniqueness lies in the originality of the keywords used and not in how many times they have been used in previous queries.

Figure 7. Number of unique Google search queries hijacked per day

PUSHING ROGUE ANTIVIRUS

When victims of DNS changer Trojans attempt to access high-traffic pornography sites such as redtube.com, they receive a message saying they cannot access the site because they have been infected by a virus that is currently attacking the pornography site. They are then prompted to download software that turns out to be fake antivirus (see Figure 8).

Figure 8. Rogue version of the redtube.com porn site to which a DNS changer Trojan victim is redirected

Detailed statistics (see Figure 9) show that in July 2009, around 100,000 unique hosts visited the spoofed pornography site per day. In July 2009, we found that more than 1.8 million unique IP addresses visited the spoofed site and were therefore exposed to the bogus warning, in a language that depended on their geographic location. This is an astonishingly high number, because these Internet users are already victims of a DNS changer Trojan and they are visiting specific porn sites.

Figure 9. Number of unique IP addresses exposed to bogus virus alerts while visiting high-traffic porn sites

In the unfortunate event that an Internet user falls for the bogus virus warning and installs the fake antivirus, he/she will actually install an additional Trojan on his/her system. The new Trojan frequently annoys the user with warnings that he/she is infected and needs to get a paid subscription for the fake antivirus. When the Internet user decides to purchase one, he/she is directed to a secure website (see Figure 10). We found that this billing website is controlled by the Estonian company as well. This is reflected in the company's .intra zone file, details of which are shown in the following table:

billing.intra 86400 IN A 64.28.x.x
billingproxy1.intra 86400 IN A 78.159.x.x
billingproxy2.intra 86400 IN A 88.198.x.x

The locations of the internal domains billingproxy1.intra and billingproxy2.intra exactly match two secure websites that are being used for selling fake antivirus. Both servers are probably frontend proxies for the actual billing server located at 64.28.x.x (billing.intra).

Figure 10. Site where the fake antivirus (Winbluesoft) is sold

CONCLUSION

This paper discussed some parts of a large ongoing cybercriminal operation that dates back to at least 2005. An Estonian company is actively administering a huge number of servers in numerous datacenters, which together form a network to commit cybercrime. It appears that the company from Tartu, Estonia controls everything from luring Internet users into installing DNS changer Trojans by promising them special video content to exploiting victims' machines for fraud with the help of ads and fake virus infection warnings.

The company has spread its assets over numerous Web hosting companies since it was disconnected from a San Francisco datacenter in 2008. Apparently, it learned its lesson and decided to lower the risk of dropping off the Internet.

TREND MICRO

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.

TREND MICRO INC.
10101 N. De Anza Blvd.
Cupertino, CA 95014
US toll free: 1 +800.228.5651
phone: 1 +408.257.1500
fax: 1 +408.257.2003
www.trendmicro.com

© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.