A Cybercrime Hub

Trend Micro, Incorporated

Trend Micro Threat Research

A Trend Micro White Paper | August 2009

TABLE OF CONTENTS
INTRODUCTION ... 3
THE CYBERCRIME COMPANY ... 4
ROGUE DNS SERVERS ... 5
INTRANET OF CYBERCRIME ... 6
NETWORK OF SOCKS4 PROXIES ... 7
REPLACING ADS ... 8
HIJACKING GOOGLE SEARCH QUERIES ... 10
PUSHING ROGUE ANTIVIRUS ... 12
CONCLUSION ... 14

2 WHITE PAPER | A CYBERCRIME HUB

INTRODUCTION
Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet
service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees
in 2007.

Figure 1. The corporate website of the Estonian company

In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. Its employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers from its office in Tartu. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies' names quickly get the heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts. This does not cause much harm to the operation as a whole, however, as the same cybercriminal just continues its business under a new name. In fact, constantly changing names is part of the company's business model, with a few constants, one of which is the mother company in Tartu.

Although explicit evidence exists that the Estonian company is heavily involved in cybercrime, the company could also be just another façade of a bigger cybercriminal gang whose investors reside in another country like Russia or the United States. In fact, it is not at all unlikely that foreign criminal investors put their money into the Estonian company so they do not have to do the dirty work themselves.

This paper provides detailed data on some of the cybercrimes that this Estonian company has been involved with. It also provides statistics on advertising fraud committed on legitimate websites. Furthermore, it explains the backend structure of fraud with Google search queries and shows that around 100,000 unique Internet users per day get a bogus message saying, "You are infected with a virus, please download this piece of free antivirus software," whenever they attempt to access high-traffic pornography websites. Finally, it also briefly discusses the internal network of the Estonian company, which shows how all of its activities relate to one another.

Figure 2. The corporate website of one of the Estonian company's many daughter companies

THE CYBERCRIME COMPANY


The director of the Estonian company has been convicted for credit card fraud
but he was still able to build a network of companies in Europe and in the United
States. His companies continue to offer the following services:

Web hosting

Advertising

Internet traffic distribution

Pay-per-click (PPC) advertising

Parking domain site hosting

All of the above-mentioned activities are part of the same criminal operation. At present, the company owns a few networks in the United States and leases or owns servers in numerous datacenters around the world. Spreading its activities over several datacenters lowers the risk that it will suddenly go out of business when upstream providers terminate their services. This is exactly what happened in Fall 2008 when the Internet connectivity in its datacenter in San Francisco was terminated. This caused serious problems for the business, but they were quickly averted by moving to other datacenters.

A lot of the company's employees seem to be young students who are somewhere in their 20s and live in the Tartu area in Estonia. A few of them have acted as spokesmen for the company, flatly denying serious allegations made against it, such as those on the site of Washington Post blogger Brian Krebs. These spokesmen must be fully aware of what the company is doing, while some of the other employees may not completely realize the implications of the work they do. Some of them do not hesitate to make their identities and their activities known. For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employment. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users into installing Trojans that posed as helpful software such as video codecs and file compression software.

ROGUE DNS SERVERS


One of the Estonian company's biggest assets is a set of hundreds of rogue Domain Name System (DNS) servers that have been active since 2005. These DNS servers look like ordinary recursive DNS servers. The only difference is that they resolve thousands of domain names to foreign malicious IP addresses instead of the actual legitimate IP addresses. DNS changer Trojans silently change the settings of victims' computers to point to a foreign, rogue DNS server. Their victims are therefore put at great risk, as they can be redirected to any site every time they browse the Internet. They thus become vulnerable to malicious websites and spoofed sites and may become unwitting participants in a large-scale click fraud scheme.

The rogue DNS servers have been active since 2005, with high-quality Internet connectivity in datacenters on the East and West coasts of the United States. Their pool of victims is still aggressively expanding today with the aid of advanced social engineering tactics.

It appears that the Estonian company controls every step, from driving traffic to sites with DNS changer Trojans to maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected whenever they attempt to access a legitimate site such as Google.
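The two checks below are an added example, not code from this paper: they flag the two symptoms this section describes on a single host, resolver settings rewritten to point at foreign addresses, and answers for high-value names (search engines, ad networks) that disagree with a trusted resolver. The allowlist, the resolv.conf text and both answer tables are constructed from documentation address ranges; a real deployment would replace the dictionaries with live lookups against the configured and a trusted resolver.

```python
import ipaddress
import re

# Constructed allowlist: resolver ranges this hypothetical organisation
# hands out via DHCP. Replace with your own ISP or corporate resolvers.
EXPECTED_RESOLVER_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed resolv.conf text from a host whose resolver settings were
# silently rewritten. 203.0.113.0/24 is a documentation range standing in
# for the foreign rogue resolvers the paper describes.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search corp.example
nameserver 203.0.113.45
nameserver 203.0.113.46
"""

# Constructed A-record answers for high-value names: what the host's
# configured resolver returns versus what a trusted resolver (reached,
# for example, over a VPN) returns. Mismatches model the spoofed Google
# and ad servers the paper describes; all addresses are TEST-NET values.
CONFIGURED_ANSWERS = {
    "www.google.co.uk": "198.51.100.20",    # spoofed search front end
    "ad.yieldmanager.com": "198.51.100.30", # spoofed ad server
    "www.cnn.com": "192.0.2.10",            # untouched: the page itself
}
TRUSTED_ANSWERS = {
    "www.google.co.uk": "192.0.2.40",
    "ad.yieldmanager.com": "192.0.2.50",
    "www.cnn.com": "192.0.2.10",
}

def parse_nameservers(resolv_conf):
    """Return the nameserver addresses listed in resolv.conf-style text."""
    servers = []
    for line in resolv_conf.splitlines():
        match = re.match(r"^\s*nameserver\s+(\S+)", line)
        if match:
            servers.append(ipaddress.ip_address(match.group(1)))
    return servers

def rogue_resolvers(resolv_conf, expected=EXPECTED_RESOLVER_RANGES):
    """Configured resolvers that fall outside every expected range."""
    return [str(ns) for ns in parse_nameservers(resolv_conf)
            if not any(ns in net for net in expected)]

def hijacked_names(configured, trusted):
    """Names whose configured-resolver answer differs from the trusted one."""
    return sorted(name for name in trusted if configured.get(name) != trusted[name])

def assess_host(resolv_conf, configured, trusted):
    """Combine both checks into a single verdict for one host."""
    rogue = rogue_resolvers(resolv_conf)
    hijacked = hijacked_names(configured, trusted)
    verdict = "likely DNS changer victim" if rogue or hijacked else "clean"
    return {"rogue_resolvers": rogue, "hijacked_names": hijacked, "verdict": verdict}

if __name__ == "__main__":
    print(assess_host(SAMPLE_RESOLV_CONF, CONFIGURED_ANSWERS, TRUSTED_ANSWERS))
```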

INTRANET OF CYBERCRIME
The Estonian company appears to be using a network comprising around 280 domain names ending with .intra for its
server network. Using .intra domain names for internal servers seems to be a convenient way to automate tasks and to
quickly move servers to different locations without the need to change written code.
The 280 .intra domain names clearly indicate that one gang is maintaining and deploying the vast network of backend
website servers that host codec Trojans, websites that drive traffic to these codec sites, servers that host the C&C servers of the codec Trojans, and servers that host the click fraud-related components of the Trojans.
Domain name         TTL    Class  IP address
portal2.intra       86400  IN     93.190.x.x
codecsoft3.intra    86400  IN     213.163.x.x
metaparser.intra    86400  IN     67.210.x.x
adsclick.intra      86400  IN     174.142.x.x
pharma1.intra       86400  IN     87.118.x.x
tds.intra           86400  IN     64.86.x.x

The table above shows the DNS resolutions of some of the private .intra domain names of the Estonian company's intranet. The following illustrates how backend servers are involved in one particular Trojan infection that occurs when an Internet user visits a website such as vivalatube.com:

vivalatube.com is hosted on a backend server called portal2.intra.

portal2.intra hosts pornography portal websites like vivalatube.com and drives traffic to examplefooter.com.

examplefooter.com hosts a codec Trojan that is supposedly needed to view special video content but is actually a
DNS changer. examplefooter.com is hosted on a backend server called codecsoft3.intra. The codec part in codecsoft3.intra is not a coincidence.

An infected user is redirected to foreign sites by the Traffic Distribution System at the tds.intra domain (IP address:
64.86.x.x).

The infected user sees pharmaceutical ads instead of legitimate ones on many websites he/she is visiting.

The ads redirect the user to the pharma1.intra domain (IP address: 87.118.x.x), which advertises Vimax pills.

The user's Google toolbar requests get hijacked by the adsclick.intra domain (IP address: 174.142.x.x).

The backend server, metaparser.intra, determines which ads the user will see in place of the Google ads.

There are several other similar examples that suggest a single company controlling the portals and infection mechanisms involved. One company is behind the pornography sites riddled with Trojan codecs, the C&C servers that are
contacted when victims get infected and those used to steal personal information, and the fraudulent ads: everything
from the initial infection to exploiting infected hosts.
Until Fall 2008, the Estonian company was an Internet Corporation for Assigned Names and Numbers (ICANN)-accredited domain name registrar. The cybercriminal gang thus controlled yet one more step in cybercrime: anonymous domain registration. People who complained about domain names like vivalatube.com around that time by contacting the Web registrar or the Web hosting company were in fact sending their complaints to the cybercriminal gang itself. In November 2008, ICANN revoked the company's accreditation, as the association became aware that the company owner had been convicted for credit card fraud.

NETWORK OF SOCKS4 PROXIES


The Estonian company appears to have an extensive network of more than 450 Socks4 proxies hosted on dedicated servers in at least 15 different networks around the world. The internal backend servers of the cybercriminals use these proxies to commit fraud with legitimate search engines. For instance, the Google search queries of DNS changer Trojan victims are relayed via backend servers through proxies to Google's real servers. This enables the company to show real Google search results to victims and also to hijack those results. The large number of proxies (more than 400) spreads the load so that Google does not notice the fraud.

The .intra zone file reflects a network of proxies such as:

gfeedproxy5.intra   86400  IN     72.233.x.x

gfeedproxy5.intra serves as an intermediary hop for proxying Google search queries to Google's real servers.

REPLACING ADS
Figure 3 shows the CNN website as seen by an infected user (on Monday, January 5, 2009). Everything on it looks normal, except perhaps for the Vimax pills ad. The nature of this ad makes it somewhat unusual that it is being displayed on a mainstream news website. In fact, the Vimax pills ad is not what CNN intended to show to its visitors (see Figure 4). The ad should instead show a car for sale.

The Vimax pills ad was inserted by a foreign party who uses DNS tricks to replace legitimate ads with its own, committing click fraud. Only Trojan-infected Internet users, however, will see ads other than those originally intended. Those who are not infected will just see the websites as they were designed.

Figure 3. CNN as seen by a DNS changer victim

So, how does this fraudulent advertising scheme work? When an Internet user visits a website like CNN, the ads on it are loaded from servers outside its network, such as the servers of ad agencies like Double Click or Yieldmanager.com. The ads that appear on victims' systems, however, are loaded from foreign servers instead of from Double Click or Yieldmanager.com. The most prevalent Trojans involved here are DNS changer Trojans, which silently modify the DNS settings of victims' systems to point to foreign IP addresses.

We found several servers involved in a setup administered by the Estonian company in question. One of the servers in it contained numerous banner ads of varied sizes featuring different campaigns, including the Vimax ads. These banner ads are meant to replace those from ad companies such as Double Click on legitimate websites, as shown in Figure 3 above.

Figure 4. CNN as seen by an unaffected user

Another server hosted spoofed versions of the legitimate websites of ad companies such as ad.yieldmanager.com on
Yahoo! These spoofed sites contained scripts that parse ad URLs. For example, the scripts determine the size of the
banners that should be embedded in legitimate websites so that the foreign ads can seamlessly replace actual ones.
The layout of the site will look the same.

The data gathered from the said servers made it possible to indirectly determine how many ads are actually replaced by Vimax banners per day. Note, however, that the figures presented are just a fraction of the actual number of ads that are replaced every day (see Figure 5). For instance, we know that Double Click ads are replaced by text-based ones, too, which are not counted in the statistics used.

Figure 5. Number of legitimate ads replaced by Vimax ads

When a victim clicks a Vimax ad, he/she is redirected to a pharmaceutical website. It was not surprising to find that this website had its own backend server in the company's .intra network with the following DNS resolution:

pharma1.intra       86400  IN     87.118.x.x

Using the internal name, as mentioned earlier, makes scripting and monitoring more convenient for these cybercriminals.

HIJACKING GOOGLE SEARCH QUERIES


The same Estonian company has also been found to hijack Google search queries. In this case, DNS changer Trojan victims unknowingly connect to a spoofed Google site when they perform a search query. When they click a Google search result, they are redirected to a different site than the one the search should actually lead to. Traffic from Google thus gets stolen. This type of scheme primarily targets the google.co.uk, google.com.au, google.ca, google.de, google.es, google.fr, and google.it sites. Other major search engines like Yahoo! and Microsoft's bing.com are targeted as well.

Figure 6. How the Estonian company hijacks Google search queries

To successfully hijack Google search queries using DNS changer Trojans, victims' actual Google search queries have to be relayed from the spoofed site to the real one. This allows the cybercriminals to display real Google search results in victims' browsers. It appears that the Estonian company is relaying the Google search queries of DNS changer Trojan victims through its network, which comprises more than 400 proxies. These proxies spread the load over different IP addresses so Google does not notice the illegal activity. We believe, however, that these proxies do not belong to compromised hosts but to dedicated servers in datacenters owned or leased by the Estonian company.

Apart from relaying victims' search queries through the above-mentioned proxies, the said company also caches old search results so that only unique queries need to be relayed to Google. These cache servers are located on the following internal .intra servers as well:
gcache1.intra       86400  IN     69.31.x.x
gcache2.intra       86400  IN     67.210.x.x

Figure 7 shows the number of unique Google search queries that the cybercriminal operation hijacks. Note that their uniqueness lies in the originality of the keywords used and not in how many times they have been used in previous queries.

Figure 7. Number of unique Google search queries hijacked per day

PUSHING ROGUE ANTIVIRUS


When victims of DNS changer Trojans attempt to access high-traffic pornography sites such as redtube.com, they will receive a message saying they cannot access the site because they have been infected by a virus that is currently attacking the pornography site. They will then be prompted to download software that turns out to be fake antivirus (see Figure 8).

Detailed statistics (see Figure 9) show that in July 2009, around 100,000 unique hosts visited the spoofed pornography site per day. In July 2009, we found that more than 1.8 million unique IP addresses visited the spoofed site and were, therefore, exposed to the bogus warning in a language that depended on their geographic location. This is an astonishingly high number because these Internet users are already victims of a DNS changer Trojan and they are visiting specific porn sites.

Figure 8. Rogue version of the redtube.com porn site a DNS changer Trojan victim is redirected to

In the unfortunate event that an Internet user falls for the bogus virus warnings and installs the fake antivirus, he/she will actually install an additional Trojan on his/her system. The new Trojan frequently annoys the user with warnings that he/she is infected and needs to get a paid subscription for the fake antivirus. When the Internet user decides to purchase one, he/she will be directed to a secure website (see Figure 10). We found that this billing website is controlled by the Estonian company as well. This is reflected in the .intra zone file of the company, details on which are shown in the following table:

Figure 9. Number of unique IP addresses exposed to bogus virus alerts while visiting high-traffic porn sites

Domain name         TTL    Class  IP address
billing.intra       86400  IN     64.28.x.x
billingproxy1.intra 86400  IN     78.159.x.x
billingproxy2.intra 86400  IN     88.198.x.x

The locations of the internal domains billingproxy1.intra and billingproxy2.intra exactly match two secure websites that are being used for selling fake antivirus. Both servers are probably frontend proxies for the actual billing server located at 64.28.x.x (billing.intra).

Figure 10. Site where the fake antivirus (Winbluesoft) is sold

CONCLUSION
This paper discussed some parts of a large ongoing cybercriminal operation that dates back to at least 2005. An Estonian company is actively administering a huge number of servers in numerous datacenters, which together form a network to commit cybercrime. It appears that the company from Tartu, Estonia controls everything, from luring Internet users into installing DNS changer Trojans by promising them special video content, to exploiting victims' machines for fraud with the help of ads and fake virus infection warnings. The company has spread its assets over numerous Web hosting companies since it was disconnected from a San Francisco datacenter in 2008. Apparently, it learned its lesson and decided to lower the risk of dropping off the Internet.

TREND MICRO

Trend Micro Incorporated is a pioneer in secure content and threat management. Founded in 1988, Trend Micro provides individuals and organizations of all sizes with award-winning security software, hardware and services. With headquarters in Tokyo and operations in more than 30 countries, Trend Micro solutions are sold through corporate and value-added resellers and service providers worldwide. For additional information and evaluation copies of Trend Micro products and services, visit our Web site at www.trendmicro.com.


TREND MICRO INC.


10101 N. De Anza Blvd.
Cupertino, CA 95014
US toll free: 1 +800.228.5651
phone: 1 +408.257.1500
fax: 1 +408.257.2003
www.trendmicro.com

© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.
