Today’s blog is a fun story of how Umbrella Security Lab researchers uncovered a massive rogue PC fix campaign, relying on algorithmic big data crunching models, sandboxing and field investigations (including an anonymous phone call to the rogue PC fix service under the customer name Virgilio Calabrese).
As Umbrella Security Lab often demonstrates, patterns emerge when you possess the right data and weave it together. This holds despite attackers’ efforts to randomize traffic and inject noise to hide their traces with all kinds of creative tricks. Since last week, we started spotting a large number of domains that were picked up by one of our analytical models – CRANK. These domains all showed very similar low crank scores. The crank model relies on DNS requesting behavior, and a crank score derives from co-occurrence patterns among domains. The biggest pattern indicator is when two domains co-occur, meaning that a statistically significant number of clients have requested both domains consecutively within a small time frame. If a domain co-occurred with one or more known malicious domains in the examined time frame, it receives a lower crank score than domains that never co-occurred with known malicious domains.
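As an added illustration (not Umbrella’s CRANK implementation, whose internals the post does not disclose), the following Python sketch scores domains the way the paragraph describes: it pairs domains that the same client queried within a short window, keeps only pairs seen from a meaningful number of distinct clients (a simple minimum-client threshold stands in for the statistical significance test), and lowers the score of any domain whose significant co-occurrences include a known malicious domain. The query log, the domain names, the blocklist and the thresholds are all constructed for the example.

```python
from collections import defaultdict

# Constructed sample DNS log: (client_id, timestamp_seconds, queried_domain).
# Clients and domain names are invented for this example.
SAMPLE_QUERIES = [
    ("c1", 100, "known-bad.example"), ("c1", 102, "suspect-a.example"), ("c1", 900, "news.example"),
    ("c2", 200, "suspect-a.example"), ("c2", 203, "known-bad.example"),
    ("c3", 300, "known-bad.example"), ("c3", 301, "suspect-a.example"), ("c3", 302, "cdn.example"),
    ("c4", 400, "suspect-a.example"), ("c4", 402, "cdn.example"),
    ("c5", 500, "suspect-a.example"), ("c5", 503, "cdn.example"),
    ("c6", 600, "known-bad.example"), ("c6", 605, "suspect-a.example"),
    ("c7", 700, "suspect-a.example"), ("c7", 701, "cdn.example"),
    ("c8", 800, "news.example"), ("c8", 802, "cdn.example"),
    ("c9", 810, "news.example"), ("c9", 811, "cdn.example"),
]
KNOWN_BAD = {"known-bad.example"}  # constructed blocklist


def cooccurring_clients(queries, window=5):
    """Map each unordered domain pair to the set of clients that queried both
    domains within `window` seconds of each other."""
    by_client = defaultdict(list)
    for client, ts, domain in queries:
        by_client[client].append((ts, domain))
    pairs = defaultdict(set)
    for client, events in by_client.items():
        events.sort()
        for i, (t1, d1) in enumerate(events):
            for t2, d2 in events[i + 1:]:
                if t2 - t1 > window:
                    break  # events are sorted, so later ones are even farther away
                if d1 != d2:
                    pairs[frozenset((d1, d2))].add(client)
    return pairs


def crank_scores(queries, known_bad, window=5, min_clients=3):
    """Return a score in [0, 1] per domain; lower means more of the domain's
    significant co-occurrences involve known malicious domains.
    A pair is 'significant' when at least `min_clients` distinct clients produced it."""
    pairs = cooccurring_clients(queries, window)
    bad_weight = defaultdict(float)
    total_weight = defaultdict(float)
    for pair, clients in pairs.items():
        if len(clients) < min_clients:
            continue
        a, b = tuple(pair)
        for this, other in ((a, b), (b, a)):
            total_weight[this] += len(clients)
            if other in known_bad:
                bad_weight[this] += len(clients)
    scores = {}
    for domain in {d for _, _, d in queries}:
        if domain in known_bad:
            scores[domain] = 0.0
        elif total_weight[domain] == 0:
            scores[domain] = 1.0  # no significant co-occurrence with anything
        else:
            scores[domain] = 1.0 - bad_weight[domain] / total_weight[domain]
    return scores


if __name__ == "__main__":
    ranked = sorted(crank_scores(SAMPLE_QUERIES, KNOWN_BAD).items(), key=lambda kv: kv[1])
    for domain, score in ranked:
        print(f"{score:.2f}  {domain}")
```

In the sample, suspect-a.example ends up with a score of 0.5 because half of its significant co-occurrences are with the blocklisted domain, while cdn.example keeps a score of 1.0 even though it often appears next to the suspect: the model as described only penalizes co-occurrence with already known malicious domains, which is why a first batch of low-scoring domains still needs the manual follow-up the post goes on to describe.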
For this report, the examined set of domain names appeared to be DGA (domain generation algorithm) names. At the time of discovery (a week before this report), the Umbrella Security team found nothing online about the legitimacy of these domains. This indicated that something was definitely not right, so we set out to determine the domains’ true nature.
At first sight, the domains seem to serve parked pages, but if we access them using specific user agents and without initial cookies, we are dragged into a redirection chain that leads to the attempted dropping of a variety of suspicious executables (in one visit it was a fake Chrome updater).
After the first visit, this is what the parking page looks like:
Here is one of the redirection chains we observed:
– hxxp://sozvigupvuxs.com – The landing page, loading a frame on the same domain. This frame returns either a redirection to hxxp://OTNNetwork.net, or, if a specific cookie is found, the parking page.
– hxxp://98795.accesslookup.com is abused for click fraud, redirecting to hxxp://ck.ads.affinity.com
– hxxp://ck.ads.affinity.com redirects to the target of the fake click, hxxp://o800.info
– hxxp://secure.oi-installer9.com serves a Windows executable file under different names (e.g. Internet_Explorer_Setup.exe) depending on the client browser.
Right after having downloaded and installed the “updated Chrome version”, a popup asked us to “scan and fix Windows XP errors”.
The number of DNS queries we are seeing for the domain name serving this file is fairly high. We blocked it in order to protect our customers.
Launching the product was the beginning of the end.
A fake antivirus (“PC Health Boost”) found 96 errors, and 37 more that required a paid version in order to be fixed. Other popups told us to download and install yet another fake antivirus (a fake version of F-Prot). And yet another one (“Malware Striker”, similar to the first one, just with a different skin). Then a fake video player (“FLV Mplayer”), and so on and so forth.
Not to mention that Chrome had new extensions and toolbars, and a new default search engine.
Restarting the browser showed that it was spawning a background process on startup, presumably a keylogger or a banking trojan.
The phone call
After the installation of the executable, several pop-ups offering 24×7 PC help would appear on the screen. We called an 800 number that showed up on one of the pop-ups and pretended to be a not too savvy PC user named Virgilio Calabrese, who needed help because his laptop was slow and was showing a lot of annoying pop-ups.
We got a male voice on the other end of the line–let’s call him “Tom”–who claimed to be from Microsoft. During the conversation, Tom tried to have us check a few things to figure out the problem, but we told him we really didn’t know what was going on, so Tom then asked us to go to support.me, which redirects to https://secure.logmeinrescue.com/Customer/Code.aspx.
LogMeIn Rescue is in fact a legit product used by IT helpdesks and call centers to provide instant remote support to customers and employees. Tom then provided a code needed to enter the logmeinrescue session, which granted him remote access to our laptop.
We had a Windows XP VM running on our lab laptop, and after Tom gained access to the VM, we witnessed him running a few checks remotely on our laptop. We pretended to be worried and told Tom we were not comfortable with him manipulating our machine remotely. At this, he reassured us that he was from Microsoft, and that he was not the problem but our PC’s saving grace. He insisted he was only trying to help and that we should trust him. At this point, we hung up.
Tom persistently called back. After a few more interactions, we decided to end the call for good and cut the connection.
A look into the traffic of these domains
Here are some of the domains we discovered:
sozvigupvuxs.com
mahakixiq.com
kugmoqwozdat.com
heivoveobi.com
goqwodilde.com
dugicqokila.com
xuhojihux.com
tugheawixe.com
ratvuxmozf.com
pozgafmanmoz.com
joztupilma.com
jeopozmuj.com
huxbeinafdun.com
hokbozjeob.com
dadosukoqhi.com
ceixafjeo.com
biltoqdaffih.com
bajupvoktos.com
xugjiweiru.com
julucicjija.com
goqcanwoqb.com
vealiciluxr.com
varaqipeavi.com
mozdilpanl.com
heivageamo.com
feiluheagear.com
fanxafdatrir.com
deacogeaw.com
datsicrucoso.com
cuvibokmu.com
xobocodon.com
kirneodoqu.com
jujigafhoka.com
jixeijeog.com
hoknafgoca.com
We also discovered a couple thousand more domains clustered to two IP netblocks.
(The clustering graph shows some outliers that were also picked up by our algorithms but not mapped to the same IP netblocks. They are eliminated from the above analysis.)
Taking a sample of these domains, we found that they were all registered May 19 or May 26, 2013. Looking at the traffic to these domains, we found that it had been periodic for a couple of weeks, then it dropped about five days ago, which suggests some sort of “spam campaign” that used those domains.
The campaign would have been meant to lead users to inadvertently visit the domains, go through the redirection chain and get the suspicious executable installed. To check this theory, we collected the client IPs that looked up some of the domains over one day, and we found that a lot of the IPs map to mail servers or DNS resolvers. These mail servers and DNS resolvers are most likely configured to use OpenDNS, since they contacted our resolvers to look up the suspicious domains before relaying spam, or before human users could visit the sites in their browsers.
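To make the netblock clustering and the traffic-drop observation above concrete, here is an added Python example (ours, not the lab’s tooling) that groups domains by the /24 their resolved addresses fall in, separates small clusters out as outliers, and flags domains whose recent daily query volume collapsed relative to their earlier baseline. The resolutions, daily counts and domain names are constructed (addresses come from documentation ranges); the five-day recent window mirrors the post’s “dropped about five days ago”.

```python
from collections import defaultdict
from ipaddress import ip_network
from statistics import mean

# Constructed passive-DNS style resolutions: (domain, resolved_ip).
# Names and addresses are invented for this example.
RESOLUTIONS = [
    ("aaa.example", "198.51.100.10"),
    ("bbb.example", "198.51.100.11"),
    ("ccc.example", "198.51.100.12"),
    ("ddd.example", "203.0.113.5"),
    ("eee.example", "203.0.113.9"),
    ("outlier.example", "192.0.2.77"),
]

# Constructed daily query counts per domain, oldest day first (12 days).
DAILY_QUERIES = {
    "aaa.example": [120, 118, 125, 130, 122, 119, 121, 4, 2, 1, 0, 0],
    "bbb.example": [80, 82, 79, 85, 81, 80, 78, 83, 80, 79, 81, 80],
    "ccc.example": [60, 62, 58, 61, 59, 63, 60, 5, 3, 0, 0, 1],
    "ddd.example": [10, 11, 9, 12, 10, 11, 10, 10, 9, 11, 10, 10],
    "eee.example": [300, 310, 295, 305, 300, 298, 302, 60, 58, 61, 59, 60],
    "outlier.example": [15, 14, 16, 15, 15, 14, 16, 15, 14, 15, 16, 15],
}


def cluster_by_netblock(resolutions, prefix=24):
    """Group domains by the network (default /24) their resolved address falls in."""
    clusters = defaultdict(set)
    for domain, ip in resolutions:
        net = ip_network(f"{ip}/{prefix}", strict=False)  # mask host bits
        clusters[str(net)].add(domain)
    return dict(clusters)


def split_clusters(clusters, min_size=2):
    """Separate clusters worth analysing from the outliers the post mentions."""
    major = {net: doms for net, doms in clusters.items() if len(doms) >= min_size}
    outliers = set()
    for doms in clusters.values():
        if len(doms) < min_size:
            outliers |= doms
    return major, outliers


def traffic_dropped(series, recent_days=5, ratio=0.1):
    """True when the mean volume of the last `recent_days` is below `ratio`
    times the mean of the preceding days, i.e. the traffic collapsed."""
    if len(series) <= recent_days:
        return False  # not enough history to form a baseline
    baseline = mean(series[:-recent_days])
    recent = mean(series[-recent_days:])
    return baseline > 0 and recent < ratio * baseline


def flag_dropped_domains(daily, **kwargs):
    """Sorted list of domains whose query volume dropped."""
    return sorted(d for d, s in daily.items() if traffic_dropped(s, **kwargs))


if __name__ == "__main__":
    major, outliers = split_clusters(cluster_by_netblock(RESOLUTIONS))
    for net, doms in sorted(major.items()):
        print(net, sorted(doms))
    print("outliers:", sorted(outliers))
    print("traffic dropped:", flag_dropped_domains(DAILY_QUERIES))
```

The drop test is deliberately conservative: eee.example, whose traffic fell to a fifth of its baseline, is not flagged, only the domains that went effectively silent are. Tune `ratio` and `recent_days` to the campaign cadence you are tracking, and apply the cluster step first so the volume check runs on hosting-related groups rather than on every domain independently.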
On another note, several of these domains, like jixeijeog[.]com, were also reported in the network traffic of PushDo trojan samples (look for the domain in the Behavioral information tab of the VirusTotal report). PushDo is known as a “downloader” trojan, which means its real purpose is to download and install malicious software. These domains are acting either as a rogue software campaign delivered through the browser or as a CnC for already installed PushDo samples attempting to download more malware onto the infected host.