At the time this article was written, this type of ad-fraud bot was thought to be Asprox. Later, it was generally accepted that this ad-fraud bot was called "Rerdom" and usually packaged along side "Zemot" and possible "Rovnix". This ad-fraud system IS/WAS the primary ad-fraud bot of Asprox and Asprox was probably the primary user of Rerdom, but other botnets later used Rerdom, and Asprox was also known to use other ad-fraud bots (THL has seen Asprox use Asterope/Ropest and Fleervicet on rare occasions). Anyway, so you know, this Ad-Fraud system isn't organic or inherent to Asprox alone. Ok, back to the article....
In a previous article, I detailed almost a stream-by-stream run-down of one instance of an Asprox bot conducting fraudulent advertising traffic.
Now that I've been swimming in this cool-aide for a couple months, I'm starting to figure out what flavor it is.
This article is a generalized explanation of the process a Asprox bot will go thru when conducting advertising fraud so that other people can recognize the general form of network traffic if they see it.
This also only applies to how Asprox botnet does ad fraud around the time this article was written. Looking back at November 2013 data, it seems the flow was entirely different. The documented flow in this article applies starting around December 2013 until Asprox decides to change again.
Asprox enlists Microsoft Windows PC's into its botnet through the use of a trojan that is often called Kuluoz or Dofoil.
These trojans are sent via email in tricky malware-phishing emails of two types. Link-style emails are usually sent from compromised servers, and have html links to other compromised web servers which have a proxy downloader script that provides an exe-in-zip trojan. Attachment-style emails are usually sent from other infected PCs, and the attachment is also an exe-in-zip trojan.
Examples of these emails are:
- White wedding (link style)
- WhatsApp message (link style)
- My CV (attachment style)
- Notice to Appear in Court (attachment style)
When a Windows user runs the kuluoz attachment, the machine becomes basically the property of the Asprox botnet.
The infected machine will contact yet-another compromised web server, usually on port 8080, and will POST and receive back some encrypted data. The mechanics of this check-in process are better explained by smarter people than I, and links to some great articles will be provided at the bottom of this write-up.
If the bot is accepted by the botnet, typically the bot will try an smtp connection to some mail server like a Gmail SMTP server. If the bot finds that it has unobstructed spamming potential, the bot will contact another work-specific server for spamming instructions as detailed in this article.
This article will focus on when the bot is assigned to conduct advertising fraud.
Ad-fraud specific Check-In
The bot will http to a domain like net-forwarding.com (December-ish 2013), net-translscl.com (January to mid-February 2014), or step-count10.com (mid-February onward). A simple GET request like:
The response may be a 200 OK with no data, or a 404 not found. Either way, the bot now knows it can get to Ukraine. I'm just guessing obviously, but I never saw any other data exchanged.
The domains were registered by a registrar called hosthost.biz (aka noc.su) and pointed to 188.8.131.52 in UKRAINE.
Download an executable
The bot then downloads an executable file, initially called "exe.exe" and renamed something like a "Java Update" or "Flash Update" which is usually dropped in \appdata\temp or some place like that. This file often shows as some FakeAV in many anti-virus however, it never does any ransom-ware/scare-ware that you might expect from a Fake AV trojan. The running process will usually be named something like "Windows Defender".
The executable is downloaded from a domain that changes every couple days at least, with a GET url that also changes every day or so. Examples (spaces added):
31 Dec 2913 - pap-tech.com/media/video/
12 Jan 2014 - news-online24.com/libs0.19/jquery/
14 Jan 2014 - engl-evaline.com/libs1.19/jquery
16 Jan 2014 - sugar-freez.com/libs9.81/jquery/
19 Jan 2014 - king-orbit.com/libs/12.21/jquery/
21 Jan 2014 - message-tvit.com/libs19.57/jquery/
28 Jan 2014 - bee-smoka.com/libs29.89/jquery/
31 Jan 2014 - vespula-grants.com/libs37.64/jquery/
03 Feb 2014 - want-giftmore.com/libs41.898/jquery/
05 Feb 2014 - hoegarden-beer.com/lib2.395/jquery/
19 Feb 2014 - gorilla-w-glass.com//libs89/jquery/
20 Feb 2014 - 212-lithium.com/libq3/jquery/
Windows 7 will ask for allow/deny for a fake Java or Flash update. Allowing the execution will cause a reboot and the ad-bot can continue. Windows XP will just reboot and keep going.
All these domains were registered under hosthost.biz (aka noc.su). The IP addresses were all around:
184.108.40.206 Saulhost / Voxility
220.127.116.11 Saulhost / Voxility
18.104.22.168 Saulhost / Voxility
Those are all either Russia, Latvia, or Romania depending on which ip-geo you believe.
Next-level check-in and a tight leash.
The bot will have an ongoing exchange with several domains, using an Asprox-style HTTP POST with encrypted data back-and-forths.
The domains include:
Some of the IP addresses these domains have pointed to include:
22.214.171.124 RUSSIAN FEDERATION
126.96.36.199 RUSSIAN FEDERATION
188.8.131.52 RUSSIAN FEDERATION
184.108.40.206 RUSSIAN FEDERATION
220.127.116.11 UNITED STATES
The URLs take the form of /b/something/24-hexadecimal-chars like
The /b/eve GET will elicit an html "Hi!" response. The others will POST and reply with encrypted data of various lengths.
These communications will happen periodically as long as the bot is running, and may use any of the domains interchangeably.
What are they talking about? Probably exchanging lolcats.
Download another binary file
From the same host where the bot downloaded the "exe.exe" file, the bot will get soft32.dll or soft64.dll depending on the architecture of Windows, 32 or 64 bit. These files look like encrypted binary files, and have no interesting "strings" from the outside. I suppose the exe contains the logic to make use of this "dll" file.
The dll URL isn't as fancy as the exe URL:
28 Jan 2014 - bee-smoka.com/soft32.dll or/soft64.dll
31 Jan 2014 - vespula-grants.com/soft32.dll or/soft64.dll
03 Feb 2014 - want-giftmore.com/soft32.dll or/soft64.dll
05 Feb 2014 - hoegarden-beer.com/r/soft32.dll or/r/soft64.dll
19 Feb 2014 - gorilla-w-glass.com/l67/soft32.dll or something else
The /r/ part started showing up on 5 February 2014. Then around mid February 2014, the url started getting kind-of randomized. I think the 64-bit "dll" file might have gone away also.
Finally, time to DO WORK! - Fake "Search" Sites
Now that all the setup is done, finally some the ad fraud stuff!
The bot will start by visiting a series of totally bullshit "search" websites so that a PPC network can have traffic "referred" to it from something. I'm not sure WHY the bot visits these sites, as the "referer" header can just be used without actually going there, but the bots DO go there. These sites don't actually have links going to the PPC networks, nor to other sites, nor do they have functional "search" capabilities.
Most of these domains were registered under the registrar company "Public Domain Registry" up till the end of January 2014. A series of domain suspensions lead to most of the domains now being registered under... guess? hosthost.biz (aka noc.su)!
I've counted roughly 75 domain names (some good ones too!) from December 2013 to February 6 2014. About half were suspended before the switch from PDF to hosthost.biz. Domains include:
forage-for-penguins.com <-- my personal favorite
olympic-search.com <-- HTF did THAT happen?
Again, they pretty much all point to or around Voxility / Saulhost in Russia / Latvia / Romania
I suppose a bot visiting the site tells the bot that the domain in still valid and thus it can be used for a referer down the PPC or affiliate chain.
Down the PPC or affiliate chain
Next, the bot will visit some site that I like to call the PPC director or PPC router. It takes an HTTP GET request that has a certain referer and hands back a 302 redirect to the appropriate (or chosen?) PPC or affiliate network.
"Oh, BS website 32? Ok, let me send you to Possibly-Shady PPC company 85", said great-get-bbl.com
Some of the domains and IPs for the routing site include:
regir-clk.com 18.104.22.168 saulhost / voxility Germany
eleah-bbc.com 22.214.171.124 saulhost / voxility Germany
great-get-bbl.com 126.96.36.199 saulhost / voxility Germany
tor-host.com 188.8.131.52 saulhost / voxility Germany
You'd think someone would talk to saulhost about this. The bot will launch 5 to 10 "threads" (my term) of traffic that take the fake search site referer through the director, and on down the PPC chain to the ad-serving sites. After the batch of threads finishes, the bot starts over with another batch.
The PPC / Affiliate stuff
Once the "thread" hits the PPC / Affiliate mess, it becomes hard to tell where the criminals end and the legit companies begin. Most of these servers have no publicly-facing company to talk to about the IP addresses. Some of them do. Some are thankful for the data when they get it, others ignore it. I consider these to be "various levels of shady and legit". However, I don't think these are in the same boat as the fake search sites or the director site.
Some of these PPC / Affiliate hosts include:
An example of an easy one to follow, this one goes: director --302-> ppc net --302-> ad site :
Because this PPC / Affiliate company uses 302 redirects and preserves the referer, it is easy to find out what ad serving site the bot went to. It is also easy for someone to tell the PPC network what referers are bots, and which affiliates are sending bots.
Additionally, these networks may be members of other networks, creating several levels of redirection of different types before a "thread" gets to an ad-serving site.
Each "thread" that starts with a fake search site will terminate either at an ad-serving site, some PPC company's honeypot, or simply be dropped before getting that far. Most of the threads in a batch will make it to some website serving ads.
When you see a lot of traffic like doubleclick, bidsystem, rfihub, adexchange, rubiconproject, lijit, pubatic, and other ad companies, those are all the ads being loaded.
A few ad-serving sites I see a lot:
bestmomstv.com <--someone told me mom-themed sites were common in the ad fraud game.
Even without clicking ads, someone has paid for the ad impression at this point. Another aspect to consider is that the site owners may be victims if they are paying for traffic or SEO results.
What about the clicks? Everyone calls it click fraud!
Unless you have visibility on the traffic and data inside the ad companies, it will be hard to distinguish clicks from all the other crazy Lumascape (et al) traffic you see. A page filled with ads will generate a lot of ad traffic. Most clicks are just HTTP GETs or POSTs with lots of data for validation... which looks a lot like all the other ad traffic.
Often, though, you will find a site in your data that doesn't serve any ads. In this example, I found that my bot had visited broadviewuniversity.edu, to a page for requesting info on their business program.
In these cases, you kind-of have to work backwards. Follow TCP Stream to figure out how you got there.
So the bot came from jobsense.com...
...because of a click on an ad from the MSN ad network. You can even see that the jobsense.com "thread" started with local-search.biz, one of the fake "search" websites.
So there you have it.
This article has explained in general terms how the Asprox botnet conducts ad fraud. This may consist of PPC or referral fraud, impression laundering, and click-fraud. It may also include SEO fraud, but none of the ad-serving site owners would respond to my questions so I have no data on that.
This shows the general flow and can help you all recognize what is happening at a glance. Which beats doing "follow TCP stream" one stream at a time for 1000 streams (which I did the first time).
More information on the Asprox Botnet.
Some very good work has been done on this topic, by people far smarter people than I.
Herrcore, pretty much a total badass, wrote this on the Kuluoz / Dofoil trojan and Asprox.
Kimberly, who I still suspect is Russian Mafia, has been working on Asprox too.
Rebus Snippets / Michal Ambroz saved my life one day with his Asprox Malware As A Service article.