Part 1 of “Black Hat SEO, PPC & RogueAV” focused on the type and amount of incoming traffic generated through BlackHat SEO methods. This traffic is monetized through the use of RogueAV, Pay-Per-Click and Pay-Per-Install affiliates. This post continues the analysis of this campaign by providing a inside look at this BHSEO operation.
The attackers acquired lists of thousands of FTP server credentials. The attackers may have purchased the compromised accounts from others in the cybercrime underground or harvested them from other operations. The attackers use several scripts to login to the FTP servers and upload their SEO scripts. The initial script uploaded to the compromised servers performs the following functions:
- downloads the latest version of a redirection script
- downloads a list of search queries
- creates the files “tpl.txt”, “folders.txt” and “.htaccess”
- creates a directory “wp-blog” that contains the files “go.php” (the downloaded redirection script), “keys.txt”, “nishe.txt”, “pages.txt” and “.htaccess”
The list of search queries are paired with random file paths in order to create pages on demand based on the search queries. When a request comes in, the redirection script check to see if the “referer” is from a search engine and if the the request appears to have been made by a “bot”. The latter function is performed by parsing the “user agent” header to check, for example, for indicators of a search engine crawler. If the “referer” is a search engine and the request is not made by a “bot”, the request is redirected to the SEO server. If either of these checks fail, the script will lookup the requested path to retrieve the search query it has been paired with.
http://127.0.0.1/eQikAjL8uovt/||chakra labels printable
http://127.0.0.1/eQpu8kNxWSo/||t mobile rebate printable
http://127.0.0.1/eQWiaZsv/||printable instructions for sand castles
http://127.0.0.1/eQouHA8/||printable hanukkah song lyrics
http://127.0.0.1/eQzVWiZjIpoh/||4tth of july printable crown
Then the script will take the search query and retrieve the results for the query from Google and display the content using the “tpl.txt” file, which is a template based on the look and feel of the compromised website. The links in the page point to the additional search query / file path pairings.
These pages are indexed by search engines and the search queries become associated with the malicious pages. In addition, when a user queries a search engine, and lands on the malicious page, the user’s request is redirected to the SEO server along with the query that the user searched for. These queries are collected and feed into the search query lists used by the attackers.
At last count the attackers had uploaded their SEO scripts to 11,978 servers, and although the server appears to have been abandoned on 2010-09-20 the figures from earlier in the campaign indicate that the attackers were able to attract significant amounts of traffic.
The attackers recorded the referring domain name as well as the search query used to arrive at the compromised domain. These records along with the number of hist were recorded by the attackers and available from an unprotected web interface.
In order to monetize their operation, the attackers used several affiliates. Users that the attackers detected were running non-Windows operating systems were redirected to pay-per-click affiliates at these domain names: www.rivasearchpage.com and www.offersfair.com. Windows users were redirected to RogueAV landing pages.
The Rogue AV affiliates supply “landing page” URLs to their fake scanning pages that attempt to trick the user into installing the fake security software. These URL’s change over time, and the attackers maintain scripts that update these URLs so that user are redirected to fresh URLs that are less likely to have been identified and blocked by the security community.
RogueAV_1:
url: http://ed2aa7.robertodefeaternow.com/ren/?2737=caeo&ca0f394=bc7oe7eea8&945aa=bc86zzo8za
file: db2d504abeedce8b404a1f5514989689 powersecure_2049_emr7.exe
VT: 3 /43 (7.0%)
RogueAV_2:
url 1: http://www3.sobaka-kaka.com/?[...]
url 2: http://www1.highguardsoftat.net/?[...]
file: 90245bf674ff3b16653fc6f7d191dead packupdate107_289.exe
VT: 18 /43 (41.9%)
Pay-Per-Install (PPI)
file: 02e62d95997b7db323175910bf14e19c file.1.exe
VT: 10/ 43 (23.3%)
This affiliate provides a URL that produces dynamic malware binaries. The attackers attempt to trick users into installing the malware by pretending that it is Adobe’s Flash player. The attackers script periodically queries the affiliate’s distribution point to receive a new binary, each new binary has a different hash value.
In addition, the attackers used malware detection services to scan the binaries to see how AV products detected them. The attackers used scan4you.biz, which Brian Krebs documented earlier this year, as well as ghostbusters.cc.
When executed this trojan attempt to connect to intromem.com and imagehut4.cn along with several other domains (murambus.net, aboutkayndu.net, officialgigaify.net, kataburglary.net, ftuny.com, 2youg.com) followed by numerous connections to ad servers.
In summary, this is not a complicated operation and is largely automated. The system collects what users search for and then creates fake pages based on those queries. search engines are fed these bogus pages and users are redirected to the SEO server that collects statistical information and the forward the user on to a monetization strategy either RogueAV, PPI or PPC. All the attackers need is a fresh supply of compromised FTP credentials which can be purchased in the cybercrime underground.
