Click Fraud via Botnets

Tuesday, May 8. 2007
Another phenomenon we observe from time to time is click fraud caused by botnets: the botherder instructs the bots to visit a certain web site, and all bots then open the site and cause a click. This can be used for automated fraud via clicks on ads or for manipulating votes, as the following four (sanitized) examples show:
.visit http://pagead2.googlesyndication.com/pagead/iclk?sa=l&ai=B8z[...]
&num=2&adurl=http://www.XXXex-billionaire.com&client=ca-pub-8277125265[...]&nm=22

.vizit http://pagead2.googlesyndication.com/pagead/ads?client=ca-pub-05841[...]
&dt=1178[...]&lmt=1178[...]&format=728x90_as&output=html&channel=9949[...]&url=http%3A%2F%2Fwww.XXX-mp3.us%2FMusic%2F&ad_type=text
&ref=http%3A%2F%2Fwww.XXXmp3.us%2F&cc=100&flash=9&u_h=864&u_w=1152&u_ah=804&u_aw=1152&u_cd=32&u_tz=120&u_his=2&u_java=true

.open http://www.fallenXXX.com/?ref=293375

.visit http://www.shXXX.net/chat1/vote.php?VID=1313

IRC-Botnet Channels

Monday, May 7. 2007
On a typical day, we analyze between 40 and 50 IRC-based bots that successfully connect to their C&C server. When analyzing these bots, we also keep track of the channel topic in order to observe trends and spot new bot variants. The following listing shows the botnet channel topics for yesterday:
12 : =DvFdgNVh+JvueFDRdUbN7jfpRH&+t9I1B7V5xHfjCH9jmqzHLiLH6Zl[...]
9 : xvvv msass 150 0 0 -b -r -s
4 : xvvv asn139 150 0 0 -b -r -s
3 : .asc asn1smb 200 0 0 -r -b
2 : .scanall -b -r -a -s
2 : .k1ng.root asn445 200 4 0 -b -r
2 : .advscan asn1smb 50 5 0 -r
1 : zasc lsass_445 200 5 0 -b -r
1 : =320zAyMVhEGmtqT74wK9HD8DhqA0Ccno6ZHIygtIqjOx85Ygi1gNpHdEpX[...]
1 : =0LzmBRdf3nOwPmxZDQa1phEvUEA+cUlicB044hPPH4JAHyZD1tsSQ9xLLcSw
1 : .root.mass -a -r -b
1 : .raw join #scan1,#fatalimpact
1 : .asc asn445 200 5 0 -b -r -s
1 : .asc asn1smb 101 5 0 -r -s
1 : .advscan kt1 200 5 0 -r -a -s
1 : .advscan dcom135 150 5 0 -b -s
1 : .advscan asn1smb 50 3 0 -b -s
1 : .advscan asn1smbnt 120 4 0 -r -s
1 : .advscan asn1smbnt 100 3 800 -b -r
1 : #advscan dcom135 100 0 0 -r -b

The first column displays the number of binaries with a different MD5 sum that have joined a channel with the same topic.
We have three unique encrypted botnets, which can be easily spotted because their channel topic starts with an = sign. Furthermore, we see that the typical command is propagation: the bots are instructed to search for other victims and scan their neighborhood for vulnerable machines.
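As an added example (not code from the original post), the counting and classification just described can be scripted. The observations and hashes below are constructed, and the list of scan verbs is an assumption inferred from the listing above:

```python
import re
from collections import defaultdict

# Constructed sample of (md5, channel topic) pairs as a tracker would log them
# for each analyzed bot; the md5 values are placeholders, not real hashes.
OBSERVATIONS = [
    ("md5-a1", "xvvv msass 150 0 0 -b -r -s"),
    ("md5-a2", "xvvv msass 150 0 0 -b -r -s"),
    ("md5-a1", "xvvv msass 150 0 0 -b -r -s"),  # same binary seen twice: counted once
    ("md5-b1", "=DvFdgNVh+JvueFDRdUbN7jfpRH[...]"),
    ("md5-b2", "=DvFdgNVh+JvueFDRdUbN7jfpRH[...]"),
    ("md5-c1", ".advscan asn1smb 50 5 0 -r"),
    ("md5-d1", ".raw join #scan1,#fatalimpact"),
]

# Assumed set of propagation (scan) verbs, taken from the topics in the listing.
SCAN_VERBS = re.compile(r"^[.#]?(advscan|asc|scanall|root\.mass|k1ng\.root|xvvv|zasc)\b")


def classify(topic):
    """Label a channel topic the way the post reads them."""
    if topic.startswith("="):          # encrypted botnet: topic is an opaque blob
        return "encrypted"
    if SCAN_VERBS.match(topic):        # bots told to scan for further victims
        return "propagation"
    if re.match(r"^\.raw\s+join\b", topic):  # bots redirected to other channels
        return "channel-redirect"
    return "other"


def summarize(observations):
    """Return [(distinct_md5_count, topic, label)], most common topic first."""
    by_topic = defaultdict(set)
    for md5, topic in observations:
        by_topic[topic].add(md5)       # a set, so one MD5 counts once per topic
    rows = [(len(md5s), t, classify(t)) for t, md5s in by_topic.items()]
    return sorted(rows, key=lambda r: (-r[0], r[1]))


def count_encrypted(rows):
    """Number of distinct encrypted botnets in a summary."""
    return sum(1 for _, _, label in rows if label == "encrypted")
```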

The SOCKS Diaries

Sunday, May 6. 2007
Something I should have blogged about several weeks ago: "The SOCKS Diaries" by William Salusky are a must-read.

Collecting Malware via Botnet Tracking

Friday, May 4. 2007
I blogged about collecting malware via botnet tracking back in January this year. The whole system is now ready: when we track a botnet with botspy and find a URL, we download that URL and submit it to CWSandbox. The analysis report is then fed back into botspy, so we can also follow botnets that change their C&C server or install other kinds of remote control software. In total, we have collected 441 unique binaries that way during the last few weeks.

These binaries are typically some kind of bot or keylogger. The detection rate of common AV software is typically rather poor, presumably because the vendors do not yet have a sample. The following report is for ClamAV:
----------- SCAN SUMMARY -----------
Known viruses: 113987
Engine version: 0.90.1
Scanned directories: 1
Scanned files: 441
Infected files: 153
Data scanned: 222.17 MB
Time: 73.564 sec (1 m 13 s)

Detected malware:
288: OK
17: Exploit.DCOM.Gen
14: Trojan.Mybot-1445
6: Trojan.Spybot.gen-2
4: Trojan.SdBot-4179
4: Trojan.IRCBot-798
3: W32.Parite.B
3: Trojan.IRC.Flood.AQ
3: Trojan.Ioffer