
Introduction


 Update!

At the time this article was written, this type of ad-fraud bot was thought to be Asprox. Later, it was generally accepted that this ad-fraud bot was called "Rerdom" and was usually packaged alongside "Zemot" and possibly "Rovnix". This ad-fraud system IS/WAS the primary ad-fraud bot of Asprox, and Asprox was probably the primary user of Rerdom, but other botnets later used Rerdom, and Asprox was also known to use other ad-fraud bots (THL has seen Asprox use Asterope/Ropest and Fleervicet on rare occasions). Anyway, so you know, this ad-fraud system isn't organic or inherent to Asprox alone. Ok, back to the article....


 

In a previous article, I detailed an almost stream-by-stream run-down of one instance of an Asprox bot conducting fraudulent advertising traffic.

Now that I've been swimming in this Kool-Aid for a couple of months, I'm starting to figure out what flavor it is.

This article is a generalized explanation of the process an Asprox bot will go through when conducting advertising fraud, so that other people can recognize the general form of the network traffic if they see it.

This also only applies to how the Asprox botnet does ad fraud around the time this article was written. Looking back at November 2013 data, it seems the flow was entirely different. The flow documented in this article applies starting around December 2013, until Asprox decides to change again.

Initial infection

Asprox enlists Microsoft Windows PCs into its botnet through the use of a trojan that is often called Kuluoz or Dofoil.

These trojans are sent via email in tricky malware-phishing emails of two types. Link-style emails are usually sent from compromised servers and have HTML links to other compromised web servers, which host a proxy downloader script that serves an exe-in-zip trojan. Attachment-style emails are usually sent from other infected PCs, and the attachment is also an exe-in-zip trojan.

Examples of these emails are:

When a Windows user runs the Kuluoz attachment, the machine basically becomes the property of the Asprox botnet.

Initial Check-In

The infected machine will contact yet-another compromised web server, usually on port 8080, and will POST and receive back some encrypted data. The mechanics of this check-in process are better explained by smarter people than I, and links to some great articles will be provided at the bottom of this write-up.

If the bot is accepted by the botnet, it will typically try an SMTP connection to some mail server, like a Gmail SMTP server. If the bot finds that it has unobstructed spamming potential, it will contact another work-specific server for spamming instructions, as detailed in this article.

This article will focus on when the bot is assigned to conduct advertising fraud.

Ad-fraud specific Check-In

Empty shoe

The bot will make a plain HTTP request to a domain like net-forwarding.com (December-ish 2013), net-translscl.com (January to mid-February 2014), or step-count10.com (mid-February onward). It is a simple GET request like:

net-translscl.com/b/shoe/159
net-forwarding.com/b/shoe/159
step-count10.com/b/shoe/159

Picture of bot trying net-translscl.com or net-forwarding.com to test connectivity.

The response may be a 200 OK with no data, or a 404 Not Found. Either way, the bot now knows it can get to Ukraine. I'm just guessing, obviously, but I never saw any other data exchanged.

The domains were registered by a registrar called hosthost.biz (aka noc.su) and pointed to 193.105.210.113 in UKRAINE.

Download an executable

The bot then downloads an executable file, initially called "exe.exe" and renamed to something like a "Java Update" or "Flash Update", which is usually dropped in \appdata\temp or some place like that. This file often shows up as some FakeAV in many anti-virus products; however, it never does any of the ransomware/scareware behavior you might expect from a Fake AV trojan. The running process will usually be named something like "Windows Defender".

The executable is downloaded from a domain that changes every couple days at least, with a GET url that also changes every day or so. Examples (spaces added):

31 Dec 2013 - pap-tech.com/media/video/
12 Jan 2014 - news-online24.com/libs0.19/jquery/
14 Jan 2014 - engl-evaline.com/libs1.19/jquery
16 Jan 2014 - sugar-freez.com/libs9.81/jquery/
19 Jan 2014 - king-orbit.com/libs/12.21/jquery/
21 Jan 2014 - message-tvit.com/libs19.57/jquery/
28 Jan 2014 - bee-smoka.com/libs29.89/jquery/
31 Jan 2014 - vespula-grants.com/libs37.64/jquery/
03 Feb 2014 - want-giftmore.com/libs41.898/jquery/
05 Feb 2014 - hoegarden-beer.com/lib2.395/jquery/
19 Feb 2014 - gorilla-w-glass.com//libs89/jquery/
20 Feb 2014 - 212-lithium.com/libq3/jquery/

Windows 7 will ask for allow/deny for a fake Java or Flash update. Allowing the execution will cause a reboot and the ad-bot can continue. Windows XP will just reboot and keep going.

All these domains were registered under hosthost.biz (aka noc.su). The IP addresses were all around:

109.163.239.243 Saulhost / Voxility
109.163.239.226 Saulhost / Voxility
109.163.239.240 Saulhost / Voxility

Those are all either Russia, Latvia, or Romania depending on which ip-geo you believe.

Next-level check-in and a tight leash.

The bot will have an ongoing exchange with several domains, using an Asprox-style HTTP POST with encrypted data back-and-forths.

The domains include:

kar-gen-pl1.net
presto-uniel.com
cioco-froll.com

Some of the IP addresses these domains have pointed to include:


The URLs take the form /b/something/24-hexadecimal-characters, like:

/b/eve/D91AE031C618F3CAFB12AD9F
/b/opt/81231CB7A8A58E2E32993FCE
/b/req/91FDDB836AC788EB164A9E34
/b/letr/22EFC6DFA0C289594A1E3D69

The /b/eve GET will elicit an HTML "Hi!" response. The others are POSTs, and the reply is encrypted data of various lengths.

A bot checking in with /b/eve and getting hi! response.

These communications will happen periodically as long as the bot is running, and may use any of the domains interchangeably.

Picture of bot checking in with /b/opt and POST encrypted data.

What are they talking about? Probably exchanging lolcats.
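As an added example (not code from the original article), here is a small detector that flags proxy-log lines matching the check-in URL shapes described in this section and in the "Empty shoe" section above; the log line format, the client addresses and the benign lines are constructed, while the hostnames are the ones named in the article.

```python
import re
from urllib.parse import urlsplit

# Added example, not from the original article: flag proxy-log lines whose
# request URL matches the check-in shapes described above:
#   GET  /b/shoe/<digits>            connectivity test ("empty shoe")
#   GET  /b/eve/<24 hex>  answered "Hi!";  POST /b/(opt|req|letr)/<24 hex>
SHOE_RE = re.compile(r"^/b/shoe/\d+$")
EXCHANGE_RE = re.compile(r"^/b/(eve|opt|req|letr)/[0-9A-Fa-f]{24}$")

def classify_path(method, path):
    """Return a label for a request, or None if it is not a known shape."""
    if method == "GET" and SHOE_RE.match(path):
        return "shoe-connectivity-check"
    m = EXCHANGE_RE.match(path)
    if not m:
        return None
    cmd = m.group(1)
    if cmd == "eve" and method == "GET":
        return "eve-check-in"
    if cmd != "eve" and method == "POST":
        return "encrypted-exchange:" + cmd
    return None

def scan_proxy_log(lines):
    """Parse constructed 'client method url status' lines; return the hits."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue                     # skip malformed lines
        client, method, url, status = parts[:4]
        u = urlsplit(url)
        label = classify_path(method.upper(), u.path)
        if label:
            hits.append({"client": client, "host": u.hostname, "path": u.path,
                         "status": status, "label": label})
    return hits

# Constructed sample log (hostnames from the article; clients and benign lines made up).
SAMPLE_LOG = [
    "10.0.0.5 GET http://step-count10.com/b/shoe/159 404",
    "10.0.0.5 GET http://kar-gen-pl1.net/b/eve/D91AE031C618F3CAFB12AD9F 200",
    "10.0.0.5 POST http://presto-uniel.com/b/opt/81231CB7A8A58E2E32993FCE 200",
    "10.0.0.7 GET http://example.org/b/eve/notahex 200",
    "10.0.0.7 GET http://example.org/index.html 200",
]

if __name__ == "__main__":
    for h in scan_proxy_log(SAMPLE_LOG):
        print(h["client"], h["label"], h["host"] + h["path"])
```

The path shapes alone are the signal here; the hostnames rotate, so matching on them would only catch the domains already known.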

Download another binary file

From the same host where the bot downloaded the "exe.exe" file, the bot will get soft32.dll or soft64.dll depending on the architecture of Windows, 32 or 64 bit. These files look like encrypted binary files, and have no interesting "strings" from the outside. I suppose the exe contains the logic to make use of this "dll" file.

The dll URL isn't as fancy as the exe URL:

28 Jan 2014 - bee-smoka.com/soft32.dll or /soft64.dll
31 Jan 2014 - vespula-grants.com/soft32.dll or /soft64.dll
03 Feb 2014 - want-giftmore.com/soft32.dll or /soft64.dll
05 Feb 2014 - hoegarden-beer.com/r/soft32.dll or /r/soft64.dll
19 Feb 2014 - gorilla-w-glass.com/l67/soft32.dll or something else

The /r/ part started showing up on 5 February 2014. Then around mid February 2014, the url started getting kind-of randomized. I think the 64-bit "dll" file might have gone away also.

Finally, time to DO WORK! - Fake "Search" Sites

Now that all the setup is done, finally some of the ad-fraud stuff!

The bot will start by visiting a series of totally bullshit "search" websites so that a PPC network can have traffic "referred" to it from something. I'm not sure WHY the bot visits these sites, as the "referer" header can just be used without actually going there, but the bots DO go there. These sites don't actually have links going to the PPC networks, nor to other sites, nor do they have functional "search" capabilities.

Picture of an example fake ppc start point used for asprox botnet ad fraud.

Most of these domains were registered under the registrar company "Public Domain Registry" up until the end of January 2014. A series of domain suspensions led to most of the domains now being registered under... guess? hosthost.biz (aka noc.su)!

I've counted roughly 75 domain names (some good ones too!) from December 2013 to February 6, 2014. About half were suspended before the switch from Public Domain Registry to hosthost.biz. Domains include:


Again, they pretty much all point to or around Voxility / Saulhost in Russia / Latvia / Romania:

109.163.239.243
109.163.239.226
109.163.239.240

I suppose a bot visiting the site tells the bot that the domain is still valid and thus can be used as a referer down the PPC or affiliate chain.

Down the PPC or affiliate chain

Next, the bot will visit some site that I like to call the PPC director or PPC router. It takes an HTTP GET request that has a certain referer and hands back a 302 redirect to the appropriate (or chosen?) PPC or affiliate network.

Picture of general idea of ppc or affiliate director in action, not to scale.

"Oh, BS website 32? Ok, let me send you to Possibly-Shady PPC company 85", said great-get-bbl.com

Picture of great-get-bbl routing various crappy referers to various ppc and affiliate networks.

Some of the domains and IPs for the routing site include:

regir-clk.com 37.221.168.34 Saulhost / Voxility Germany
eleah-bbc.com 37.221.168.34 Saulhost / Voxility Germany
great-get-bbl.com 37.221.168.34 Saulhost / Voxility Germany
tor-host.com 37.221.168.50 Saulhost / Voxility Germany

You'd think someone would talk to Saulhost about this. The bot will launch 5 to 10 "threads" (my term) of traffic that take the fake search site referer through the director, and on down the PPC chain to the ad-serving sites. After the batch of threads finishes, the bot starts over with another batch.

The PPC / Affiliate stuff

Once the "thread" hits the PPC / Affiliate mess, it becomes hard to tell where the criminals end and the legit companies begin. Most of these servers have no publicly-facing company to talk to about the IP addresses. Some of them do. Some are thankful for the data when they get it, others ignore it. I consider these to be "various levels of shady and legit". However, I don't think these are in the same boat as the fake search sites or the director site.

Picture of ppc chain taking threads to ad sites.

Some of these PPC / Affiliate hosts include:


Following the "thread" through the PPC / Affiliate chain can be a mixed bag of difficulty. Some of these companies use 302 redirects to get traffic to other companies, then to final sites. Some use JavaScript redirects. Some involve 3 or more hops before getting to the ad-serving page. This is all up to the PPC / Affiliate companies and how they build their technology.

An example of an easy one to follow; this one goes: director --302-> PPC network --302-> ad site:

Picture of network traffic capture that is easy to follow to ad-serving site.

Because this PPC / Affiliate company uses 302 redirects and preserves the referer, it is easy to find out what ad serving site the bot went to. It is also easy for someone to tell the PPC network what referers are bots, and which affiliates are sending bots.

In the cases where a network uses JavaScript or some other way to redirect, you have to do a lot of "Follow TCP Stream" and sometimes save out the HTTP objects to examine where the bot went next.

Additionally, these networks may be members of other networks, creating several levels of redirection of different types before a "thread" gets to an ad-serving site.
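The chain-following described in this section, as an added example that is not the article's code: it rebuilds one "thread" from constructed HTTP transaction records (url, referer, status, Location), walks the 302 hops, and flags the thread when the preserved referer is a fake "search" site and a director host appears among the hops. The director and fake-search hostnames are the ones the article names; ppc-example.invalid and ad-site.invalid are made up.

```python
from urllib.parse import urljoin, urlsplit

# Added example, not code from the original article: rebuild one "thread" of
# the PPC chain (fake search referer -> director -> PPC network -> ad site)
# from HTTP transaction records, as a proxy log or pcap export would give them.
# Hostnames in the two sets come from the article; the .invalid hosts are made up.
FAKE_SEARCH_SITES = {"start-search2014.com", "local-search.biz"}
DIRECTORS = {"great-get-bbl.com", "regir-clk.com", "eleah-bbc.com", "tor-host.com"}

def follow_chain(records, start_url):
    """Walk 302 Location hops from start_url and return the URLs visited."""
    by_url = {r["url"]: r for r in records}
    chain, url = [], start_url
    while url in by_url and url not in chain:       # stop on unknown URL or loop
        chain.append(url)
        rec = by_url[url]
        if rec["status"] != 302 or not rec.get("location"):
            break
        url = urljoin(url, rec["location"])          # Location may be relative
    return chain

def classify_thread(records, start_url):
    """Describe where a thread came from, which hosts it crossed, where it landed."""
    chain = follow_chain(records, start_url)
    if not chain:
        return None
    by_url = {r["url"]: r for r in records}
    origin = urlsplit(by_url[chain[0]].get("referer") or "").hostname
    hops = [urlsplit(u).hostname for u in chain]
    return {"origin_referer": origin, "hops": hops, "landing": hops[-1],
            "fake_search_origin": origin in FAKE_SEARCH_SITES,
            "via_director": any(h in DIRECTORS for h in hops)}

# Constructed sample: director --302-> PPC net --302-> ad site, with the
# referer preserved on every hop as in the easy case described above.
REF = "http://start-search2014.com/search?q=insurance"
SAMPLE_RECORDS = [
    {"url": "http://great-get-bbl.com/go?kw=insurance", "referer": REF,
     "status": 302, "location": "http://ppc-example.invalid/click?id=7"},
    {"url": "http://ppc-example.invalid/click?id=7", "referer": REF,
     "status": 302, "location": "/land?id=7"},        # relative Location
    {"url": "http://ppc-example.invalid/land?id=7", "referer": REF,
     "status": 302, "location": "http://ad-site.invalid/article"},
    {"url": "http://ad-site.invalid/article", "referer": REF,
     "status": 200, "location": None},
]

if __name__ == "__main__":
    print(classify_thread(SAMPLE_RECORDS, SAMPLE_RECORDS[0]["url"]))
```

JavaScript redirects and networks that drop the referer break this walk, which is exactly why those chains need the manual stream-following the article describes.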

Advertising-serving sites

Each "thread" that starts with a fake search site will terminate either at an ad-serving site, some PPC company's honeypot, or simply be dropped before getting that far. Most of the threads in a batch will make it to some website serving ads.

Picture of traffic capture of an asprox bot visiting sites with ads.

When you see a lot of traffic to doubleclick, bidsystem, rfihub, adexchange, rubiconproject, lijit, pubmatic, and other ad companies, those are all the ads being loaded.

A few ad-serving sites I see a lot:

videofactor.com
bestmomstv.com <--someone told me mom-themed sites were common in the ad fraud game.
smartmomstyle.com
unlimiclick.com
hgdiy.com
sportsfascination.com
blinkx.com
travelfreak.com

Even without clicking ads, someone has paid for the ad impression at this point. Another aspect to consider is that the site owners may be victims if they are paying for traffic or SEO results.

What about the clicks? Everyone calls it click fraud!

Unless you have visibility on the traffic and data inside the ad companies, it will be hard to distinguish clicks from all the other crazy Lumascape (et al) traffic you see. A page filled with ads will generate a lot of ad traffic. Most clicks are just HTTP GETs or POSTs with lots of data for validation... which looks a lot like all the other ad traffic.

Often, though, you will find a site in your data that doesn't serve any ads. In this example, I found that my bot had visited broadviewuniversity.edu, to a page for requesting info on their business program.

Picture of bot going to college.

In these cases, you kind-of have to work backwards. Follow TCP Stream to figure out how you got there.

Picture of how bot got to broadviewuniversity from jobsense.

So the bot came from jobsense.com...

Picture of network traffic showing the asprox bot going from jobsense to broadviewuniversity thru an msn ad.

...because of a click on an ad from the MSN ad network. You can even see that the jobsense.com "thread" started with local-search.biz, one of the fake "search" websites.

So there you have it.

This article has explained in general terms how the Asprox botnet conducts ad fraud. This may consist of PPC or referral fraud, impression laundering, and click-fraud. It may also include SEO fraud, but none of the ad-serving site owners would respond to my questions so I have no data on that.

This shows the general flow and can help you recognize what is happening at a glance, which beats doing "Follow TCP Stream" one stream at a time for 1000 streams (which I did the first time).

More information on the Asprox Botnet.

Some very good work has been done on this topic by people far smarter than I.

Herrcore, pretty much a total badass, wrote this on the Kuluoz / Dofoil trojan and Asprox.

Kimberly, who I still suspect is Russian Mafia, has been working on Asprox too.

Rebus Snippets / Michal Ambroz saved my life one day with his Asprox Malware As A Service article.