Today’s blog is a fun story of how Umbrella Security Lab researchers uncovered a massive rogue PC fix campaign, relying on algorithmic big-data crunching models, sandboxing and field investigation (including an anonymous phone call to the rogue PC fix service under the customer name Virgilio Calabrese).

The storyline

As Umbrella Security Lab often demonstrates, patterns emerge when you possess the right data and weave it together. This holds despite attackers’ efforts to randomize traffic and inject noise to hide their traces with all kinds of creative tricks. Since last week, we have been spotting a large number of domains picked up by one of our analytical models, CRANK. These domains all showed very similar low CRANK scores. The CRANK model relies on DNS requesting behavior, and a CRANK score derives from co-occurrence patterns among domains. The strongest indicator is when two domains co-occur, meaning that a statistically significant number of clients have requested both domains consecutively within a small time frame. If a domain co-occurred with one or more known malicious domains in the examined time frame, it receives a lower CRANK score than domains that never co-occurred with known malicious domains.
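To make the co-occurrence idea concrete, here is a small added example (not Umbrella’s CRANK code, which this post does not publish) that scores domains from a constructed DNS query log the way the paragraph describes: it groups queries per client, counts the distinct clients that requested two domains back to back within a short window, and lowers the score of any domain whose significant co-occurrence partners include a known malicious domain. The log lines, the 10-second window, the two-client significance threshold, the scoring formula and the placeholder block-list domain blocklisted.example are all assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample DNS query log, one query per line: "epoch_seconds client_ip qname".
# The lines below are made up for this example; "blocklisted.example" is a
# placeholder standing in for a domain already known to be malicious.
SAMPLE_LOG = """\
1000 10.0.0.1 news.example.com
1005 10.0.0.1 sozvigupvuxs.com
1008 10.0.0.1 blocklisted.example
1100 10.0.0.2 sozvigupvuxs.com
1102 10.0.0.2 blocklisted.example
1400 10.0.0.3 sozvigupvuxs.com
1403 10.0.0.3 blocklisted.example
2000 10.0.0.4 weather.example.com
2003 10.0.0.4 news.example.com
5000 10.0.0.5 news.example.com
9000 10.0.0.5 blocklisted.example
"""

KNOWN_BAD = {"blocklisted.example"}
WINDOW_SECONDS = 10  # assumed size of the "small time frame"
MIN_CLIENTS = 2      # assumed number of distinct clients that makes a pair significant


def parse_log(text):
    """Return (timestamp, client, qname) tuples, skipping malformed lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3 or not parts[0].isdigit():
            continue
        rows.append((int(parts[0]), parts[1], parts[2].lower().rstrip(".")))
    return rows


def cooccurrence_clients(rows, window=WINDOW_SECONDS):
    """Map each unordered domain pair to the set of clients that queried the two
    domains back to back within `window` seconds."""
    by_client = defaultdict(list)
    for ts, client, qname in rows:
        by_client[client].append((ts, qname))
    pairs = defaultdict(set)
    for client, events in by_client.items():
        events.sort()  # chronological order within this client's stream
        for (t1, d1), (t2, d2) in zip(events, events[1:]):
            if d1 != d2 and t2 - t1 <= window:
                pairs[frozenset((d1, d2))].add(client)
    return pairs


def crank_scores(rows, known_bad=KNOWN_BAD, min_clients=MIN_CLIENTS):
    """Assumed scoring rule: a domain starts at 1.0 and loses score for every
    known-bad domain it significantly co-occurs with; known-bad domains
    themselves are not scored."""
    pairs = cooccurrence_clients(rows)
    bad_neighbours = defaultdict(int)
    for pair, clients in pairs.items():
        if len(clients) < min_clients:  # one client alone is not statistically significant
            continue
        a, b = tuple(pair)
        for domain, other in ((a, b), (b, a)):
            if other in known_bad and domain not in known_bad:
                bad_neighbours[domain] += 1
    domains = {qname for _, _, qname in rows} - known_bad
    return {d: 1.0 / (1 + bad_neighbours[d]) for d in domains}


def suspicious(scores, threshold=1.0):
    """Domains whose score fell below the threshold, lowest score first."""
    return sorted((d for d, s in scores.items() if s < threshold), key=lambda d: scores[d])


if __name__ == "__main__":
    scores = crank_scores(parse_log(SAMPLE_LOG))
    for domain, score in sorted(scores.items(), key=lambda kv: kv[1]):
        print(f"{score:.2f}  {domain}")
```

In the sample, sozvigupvuxs.com is queried just before the block-listed name by three different clients and so drops to 0.5, while news.example.com keeps a full score: it precedes sozvigupvuxs.com for one client only, which is below the significance threshold, and client 10.0.0.5 queries it more than an hour before the bad name. On real resolver logs the window, threshold and scoring curve would be tuned against labelled data rather than fixed like this.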

For this report, the examined set of domain names appeared to be DGA (domain generation algorithm) names. At the time of discovery (a week before this report), the Umbrella Security team found nothing online about the legitimacy of these domains. This indicated that something was definitely not right, so we set out to determine the domains’ true nature.

At first sight, the domains seem to be parked pages, but if we access them using specific user agents and without initial cookies, we are dragged into a redirection chain that leads to the attempted dropping of a variety of suspicious executables (in one visit it was a fake Chrome updater).


After the first visit, this is what the parking page looks like:

[Screenshot: parking page at kugmoqwozdat.com]

Here is one of the redirection chains we observed:

– hxxp://sozvigupvuxs.com – The landing page, loading a frame on the same domain. This frame returns either a redirection to hxxp://OTNNetwork.net or, if a specific cookie is found, the parking page.

– hxxp://OTTNetwork.net then serves some JavaScript redirecting to hxxp://98795.acrosslookup.com

– hxxp://98795.accesslookup.com is abused for click fraud, redirecting to hxxp://ck.ads.affinity.com

– hxxp://ck.ads.affinity.com redirects to the target of the fake click, hxxp://o800.info

– hxxp://0800.info shows a fake site with some basic JavaScript code performing browser detection in order to display a relevant “your browser is outdated” page, and then redirects to hxxp://secure.oi-installer9.com

– hxxp://secure.oi-installer9.com serves a Windows executable file under different names (e.g. Internet_Explorer_Setup.exe) depending on the client browser.

Right after downloading and installing the “updated Chrome version”, a popup asked us to “scan and fix Windows XP errors”.

The number of DNS queries we are seeing for the domain name serving this file is fairly high. We blocked it in order to protect our customers.


Launching the product was the beginning of the end.

A fake antivirus (“PC Health Boost”) found 96 errors, plus 37 more that required a paid version in order to be fixed. Other popups told us to download and install yet another fake antivirus (a fake version of F-Prot), and yet another one (“Malware Striker”, similar to the first one, just with a different skin), then a fake video player (“FLV Mplayer”), and so on and so forth.

Not to mention that Chrome had new extensions and toolbars, and a new default search engine.


Restarting the browser showed that it was spawning a background process on startup, presumably a keylogger or a banking trojan.


The phone call

After the installation of the executable, several pop-ups offering 24×7 PC help would appear on the screen. We called an 800 number that showed up on one of the pop-ups and pretended to be a not too savvy PC user named Virgilio Calabrese, who needed help because his laptop was slow and was showing a lot of annoying pop-ups.

We got a male voice on the other end of the line, let’s call him “Tom”, who claimed to be from Microsoft. During the conversation, Tom tried to have us check a few things to figure out the problem, but we told him we really didn’t know what was going on, so Tom asked us to go to support.me, which then leads to https://secure.logmeinrescue.com/Customer/Code.aspx.


LogMeIn Rescue is in fact a legit product used by IT helpdesks and call centers to provide instant remote support to customers and employees. Tom then provided a code needed to enter the logmeinrescue session, which granted him remote access to our laptop.

We had a Windows XP VM running on our lab laptop, and after Tom gained access to the VM, we witnessed him running a few checks remotely on our laptop. We pretended to be worried and told Tom we were not comfortable with him manipulating our machine remotely. At this, he reassured us that he was from Microsoft and that he was not the problem but our PC’s saving grace. He insisted he was there trying to help and that we should trust him. At this point, we hung up.

Tom persistently called back. After a few more interactions, we decided to end the call for good and cut the connection.

A look into the traffic of these domains

Here are some of the domains we discovered:

sozvigupvuxs.com
mahakixiq.com
kugmoqwozdat.com
heivoveobi.com
goqwodilde.com
dugicqokila.com
xuhojihux.com
tugheawixe.com
ratvuxmozf.com
pozgafmanmoz.com
joztupilma.com
jeopozmuj.com
huxbeinafdun.com
hokbozjeob.com
dadosukoqhi.com
ceixafjeo.com
biltoqdaffih.com
bajupvoktos.com
xugjiweiru.com
julucicjija.com
goqcanwoqb.com
vealiciluxr.com
varaqipeavi.com
mozdilpanl.com
heivageamo.com
feiluheagear.com
fanxafdatrir.com
deacogeaw.com
datsicrucoso.com
cuvibokmu.com
xobocodon.com
kirneodoqu.com
jujigafhoka.com
jixeijeog.com
hoknafgoca.com

We also discovered a couple thousand more domains clustered to two IP netblocks. 

[Maltego clustering graph: the discovered domains mapped to the 208.73.208.x and 69.43.161.x netblocks]

(The clustering graph shows some outliers that were also picked up by our algorithms but not mapped to the same IP netblocks. They are eliminated from the above analysis.)

Taking a sample of these domains, we found that they were all registered May 19 or May 26, 2013. Looking at the traffic to these domains, we found that it had been periodic for a couple weeks, then it dropped about five days ago, which suggests some sort of “spam campaign” that used those domains.

The campaign would have been meant to lead users to inadvertently visit the domains, go through the redirection chain and end up with the suspicious executable installed. To check this theory, we collected the client IPs that looked up some of the domains over one day, and we found that many of the IPs map to mail servers or DNS resolvers. These mail servers and DNS resolvers are most likely configured to use OpenDNS: they contacted our resolvers to look up the suspicious domains before relaying spam, or before human users could visit the sites through their browser.
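The two analysis steps above, clustering the domains by the netblock they resolve into and then watching the cluster’s daily query volume for the drop-off, can be reproduced on constructed data. The following is an added example and not the lab’s own tooling: the 208.73.208.x and 69.43.161.x netblocks are the ones named in the post, but the host addresses, the outlier domain outlier-example.com (placed on a TEST-NET range), the daily query counts, the two-domain minimum cluster size and the 20% drop-off ratio are all assumptions made for the example.

```python
import ipaddress
from collections import defaultdict
from datetime import date, timedelta

# Constructed resolution data (domain -> IPv4 address). The 208.73.208.x and
# 69.43.161.x netblocks are the two named in the post; the host addresses and
# the outlier domain (on a TEST-NET range) are made up for this example.
RESOLUTIONS = {
    "sozvigupvuxs.com": "208.73.208.10",
    "mahakixiq.com": "208.73.208.21",
    "kugmoqwozdat.com": "69.43.161.5",
    "heivoveobi.com": "69.43.161.77",
    "outlier-example.com": "203.0.113.9",
}

# Constructed daily query counts, (day, domain, count): steady traffic for nine
# days, then a collapse, mimicking the pattern described in the post.
START = date(2013, 6, 20)
DAILY_QUERIES = []
for offset in range(14):
    day = START + timedelta(days=offset)
    for domain in RESOLUTIONS:
        if domain == "outlier-example.com":
            DAILY_QUERIES.append((day, domain, 40))
        else:
            DAILY_QUERIES.append((day, domain, 500 if offset < 9 else 15))


def cluster_by_netblock(resolutions, prefix_len=24):
    """Group domains by the network (default /24) containing their resolved address."""
    clusters = defaultdict(list)
    for domain, ip in resolutions.items():
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        clusters[str(net)].append(domain)
    return {net: sorted(domains) for net, domains in clusters.items()}


def split_outliers(clusters, min_size=2):
    """Keep netblocks hosting at least `min_size` domains; report the rest as outliers."""
    keep = {net: domains for net, domains in clusters.items() if len(domains) >= min_size}
    outliers = sorted(d for net, domains in clusters.items()
                      if len(domains) < min_size for d in domains)
    return keep, outliers


def campaign_domains(resolutions):
    """Domains living in the kept (non-outlier) netblocks."""
    keep, _ = split_outliers(cluster_by_netblock(resolutions))
    return {d for domains in keep.values() for d in domains}


def daily_volume(daily_queries, domains):
    """Total queries per day over the given set of domains, in date order."""
    volume = defaultdict(int)
    for day, domain, count in daily_queries:
        if domain in domains:
            volume[day] += count
    return dict(sorted(volume.items()))


def find_dropoff(volume, ratio=0.2):
    """First day whose volume is below `ratio` times the mean of all earlier days, or None."""
    days = sorted(volume)
    for i in range(1, len(days)):
        mean_before = sum(volume[d] for d in days[:i]) / i
        if volume[days[i]] < ratio * mean_before:
            return days[i]
    return None


if __name__ == "__main__":
    keep, outliers = split_outliers(cluster_by_netblock(RESOLUTIONS))
    for net, domains in keep.items():
        print(f"{net}: {', '.join(domains)}")
    print("outliers dropped from the analysis:", ", ".join(outliers))
    volume = daily_volume(DAILY_QUERIES, campaign_domains(RESOLUTIONS))
    print("campaign traffic dropped off on", find_dropoff(volume))
```

With the constructed data the two named netblocks survive as clusters, outlier-example.com is set aside just as the post does with the graph’s outliers, and the combined query volume of the clustered domains falls from 2000 to 60 per day on 2013-06-29, which the drop-off check reports; the outlier’s flat traffic produces no drop-off. Against real resolver logs the same functions would be fed passive-DNS resolutions and per-day query counts instead of the inline constants.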

On another note, several of these domains, like jixeijeog[.]com, were also reported in the network traffic of PushDo trojan samples (look for the domain in the Behavioral information tab of the VirusTotal report). PushDo is known as a “downloader” trojan, meaning its real purpose is to download and install malicious software. These domains are therefore acting either as a rogue software campaign through the browser or as a CnC for already installed PushDo samples attempting to download more malware onto the infected host.