A Cybercrime Hub
TABLE OF CONTENTS

INTRODUCTION
THE CYBERCRIME COMPANY
ROGUE DNS SERVERS
INTRANET OF CYBERCRIME
NETWORK OF SOCKS4 PROXIES
REPLACING ADS
HIJACKING GOOGLE SEARCH QUERIES
PUSHING ROGUE ANTIVIRUS
CONCLUSION
INTRODUCTION
Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.
Web hosting
Advertising
All of the above-mentioned activities are part of the same criminal operation. At present, the company owns a few networks in the United States and leases or owns servers in numerous datacenters around the world. Spreading its activities over several datacenters lowers the risk that it will suddenly go out of business when upstream providers terminate their services. This is exactly what happened in Fall 2008 when the Internet connectivity in its datacenter in San Francisco was terminated. This caused serious problems for the business, which were quickly overcome by moving to other datacenters.

A lot of the company's employees seem to be young students who are somewhere in their 20s and live in the Tartu area in Estonia. A few of them have acted as spokesmen for the company, flatly denying serious allegations made against it, such as those on the site of Washington Post blogger Brian Krebs. These spokesmen must be fully aware of what the company is doing, while some of the other employees may not completely realize the implications of the work they do. Some of them do not hesitate to make their identities and their activities known. For instance, a Web developer who joined the company in 2008 proudly published a portfolio containing sites that he developed during his employ. This is a natural thing to do for a Web developer. In this case, however, his portfolio consisted not only of corporate websites but also of websites that have been used to lure Internet users into installing Trojans that posed as helpful software such as video codecs and file compression software.
The rogue DNS servers have been active since 2005, with high-quality Internet connectivity in datacenters on the East and West coasts of the United States. The pool of victims is still aggressively expanding today with the aid of advanced social engineering tactics.

It appears that the Estonian company controls every step, from driving traffic to sites with DNS changer Trojans to maintaining rogue DNS servers. It also appears to maintain the foreign malicious IP addresses to which its victims are redirected whenever they attempt to access a legitimate site such as Google.
INTRANET OF CYBERCRIME
The Estonian company appears to be using a network comprising around 280 domain names ending with .intra for its server network. Using .intra domain names for internal servers seems to be a convenient way to automate tasks and to quickly move servers to different locations without the need to change written code.

The 280 .intra domain names clearly indicate that one gang is maintaining and deploying the vast network of backend website servers that host codec Trojans, websites that drive traffic to these codec sites, servers that host the C&C servers of the codec Trojans, and servers that host the click fraud-related components of the Trojans.
portal2.intra      86400  IN  93.190.x.x
codecsoft3.intra   86400  IN  213.163.x.x
metaparser.intra   86400  IN  67.210.x.x
adsclick.intra     86400  IN  174.142.x.x
pharma1.intra      86400  IN  87.118.x.x
tds.intra          86400  IN  64.86.x.x
The table above shows the DNS resolutions of some of the private .intra domain names of the Estonian company's intranet. The following illustrates how backend servers are involved in one particular Trojan infection that occurs when an Internet user visits a website such as vivalatube.com:

- portal2.intra hosts pornography portal websites like vivalatube.com and drives traffic to examplefooter.com.
- examplefooter.com hosts a codec Trojan that is supposedly needed to view special video content but is actually a DNS changer. examplefooter.com is hosted on a backend server called codecsoft3.intra. The "codec" part in codecsoft3.intra is not a coincidence.
- An infected user is redirected to foreign sites by the Traffic Distribution System at the tds.intra domain (IP address: 64.86.x.x).
- The infected user sees pharmaceutical ads instead of legitimate ones on many websites he/she is visiting.
- The ads redirect the user to the pharma1.intra domain (IP address: 87.118.x.x), which advertises Vimax pills.
- The user's Google toolbar requests get hijacked by the adsclick.intra domain (IP address: 174.142.x.x).
- The backend server, metaparser.intra, determines which ads the user will see in place of the Google ads.

There are several other similar examples that suggest a single company controlling the portals and infection mechanisms involved. One company is behind the pornography sites riddled with Trojan codecs, the C&C servers that are contacted when victims get infected and those used to steal personal information, and the fraudulent ads: everything from the initial infection to exploiting infected hosts.

Until Fall 2008, the Estonian company was an Internet Corporation for Assigned Names and Numbers (ICANN)-accredited domain name registrar. The cybercriminal gang thus controlled yet one more step in cybercrime: anonymous domain registration. People who complained about domain names like vivalatube.com around that time by contacting the Web registrar or the Web hosting company were in fact sending their complaints to the cybercriminal gang itself. In November 2008, ICANN revoked the company's accreditation, as the association became aware that the company owner had been convicted of credit card fraud.
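The script below is an added example written for readers of this report; it is not Trend Micro's tooling and has nothing to do with the company described. It parses records in the zone-style layout shown above into an address-to-name table and then correlates constructed firewall log lines against that table, so a network defender can spot internal hosts that walked the infection chain just described (codec host first, then the TDS or the ad backends). The .intra names and roles come from the report, but every IP address and log line here is a constructed placeholder in documentation address space, because the report redacts the real addresses as x.x; a redacted record is skipped rather than matched.

```python
"""Correlate outbound connections against known criminal infrastructure,
using zone-file style records as the indicator source.

Added example for this report, not Trend Micro's tooling. The .intra names
and roles come from the report; the addresses and log lines are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Records in the layout the report uses: name, TTL, class, address (the
# report's rows omit the record type). Addresses are constructed
# documentation-range values, NOT the redacted ones from the report.
ZONE_TEXT = """\
portal2.intra      86400 IN 192.0.2.10
codecsoft3.intra   86400 IN 192.0.2.20
tds.intra          86400 IN 198.51.100.5
pharma1.intra      86400 IN 198.51.100.6
adsclick.intra     86400 IN 203.0.113.7
metaparser.intra   86400 IN 203.0.113.8
gcache1.intra      86400 IN 203.0.113.9
"""

# Role of each backend server, paraphrased from the report.
ROLES = {
    "portal2.intra": "porn portal driving traffic to codec sites",
    "codecsoft3.intra": "codec Trojan (DNS changer) download host",
    "tds.intra": "traffic distribution system",
    "pharma1.intra": "pharmaceutical ad landing site",
    "adsclick.intra": "Google toolbar request hijack",
    "metaparser.intra": "ad substitution backend",
    "gcache1.intra": "Google search result cache",
}

# name  TTL  IN  [A]  address
RECORD_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(?:A\s+)?(\S+)\s*$")

def parse_zone(text):
    """Return {address: name} for every well-formed record; skip the rest,
    including records whose address is redacted (e.g. 93.190.x.x)."""
    ip_to_name = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line.strip())
        if not m:
            continue
        name, _ttl, addr = m.groups()
        try:
            ip_to_name[str(ipaddress.ip_address(addr))] = name
        except ValueError:
            continue
    return ip_to_name

# Constructed firewall log lines: internal source, external destination.
LOG_LINES = [
    "2009-01-05T10:01:02 src=10.1.4.23 dst=192.0.2.20 dport=80",
    "2009-01-05T10:01:09 src=10.1.4.23 dst=198.51.100.5 dport=80",
    "2009-01-05T10:01:15 src=10.1.4.23 dst=203.0.113.7 dport=80",
    "2009-01-05T10:02:00 src=10.1.9.8 dst=203.0.113.200 dport=443",
    "2009-01-05T10:02:30 src=10.1.7.1 dst=203.0.113.8 dport=80",
]

LOG_RE = re.compile(r"src=(\S+)\s+dst=(\S+)")

def correlate(log_lines, ip_to_name):
    """Map each internal host to the set of .intra backends it contacted."""
    hits = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst = m.groups()
        try:
            dst = str(ipaddress.ip_address(dst))
        except ValueError:
            continue
        name = ip_to_name.get(dst)
        if name:
            hits[src].add(name)
    return dict(hits)

def likely_infected(hits):
    """A host that reached the codec host and then the TDS or an ad backend
    matches the infection chain the report describes."""
    chain = {"tds.intra", "adsclick.intra", "metaparser.intra", "pharma1.intra"}
    return sorted(src for src, names in hits.items()
                  if "codecsoft3.intra" in names and names & chain)

if __name__ == "__main__":
    table = parse_zone(ZONE_TEXT)
    found = correlate(LOG_LINES, table)
    for src, names in sorted(found.items()):
        print(src, "->", ", ".join(f"{n} ({ROLES[n]})" for n in sorted(names)))
    print("likely infected:", likely_infected(found))
```

Matching on exact addresses is deliberate: the report's /16-level redaction is too coarse to match on safely, so a real deployment would load the full addresses from its own indicator feed and keep the same parser.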
(name not recovered)   86400  IN  72.233.x.x

gfeedproxy5.intra serves as an intermediary hop for proxying Google search queries to Google's real servers.
REPLACING ADS
Figure 3 shows the CNN website as seen by an infected user (on Monday, January 5, 2009). Everything on it looks normal, except perhaps for the Vimax pills ad. The nature of this ad makes it somewhat unusual that it is being displayed on a mainstream news website. In fact, the Vimax pills ad is not what CNN intended to show to its visitors (see Figure 4). The ad should instead show a car for sale.

The Vimax pills ad was inserted by a foreign party who uses DNS tricks to replace legitimate ads with its own ones, committing click fraud. Only Trojan-infected Internet users, however, will see other ads than those originally intended. Those who are not infected will just see the websites as they were designed.
Figure 3. CNN as seen by a DNS changer victim
Another server hosted spoofed versions of the legitimate websites of ad companies such as ad.yieldmanager.com on Yahoo! These spoofed sites contained scripts that parse ad URLs. For example, the scripts determine the size of the banners that should be embedded in legitimate websites so that the foreign ads can seamlessly replace actual ones. The layout of the site will look the same.

When a victim clicks a Vimax ad, he/she is redirected to a pharmaceutical website. It was not surprising to find that this website had its own backend server in the company's .intra network with the following DNS resolution:
pharma1.intra      86400  IN  87.118.x.x
Using the internal name, as mentioned earlier, makes scripting and monitoring more convenient for these cybercriminals.
HIJACKING GOOGLE SEARCH QUERIES
To successfully hijack Google search queries using DNS changer Trojans, victims' actual Google search queries have to be relayed from a spoofed site to the real one. This allows cybercriminals to display real Google search results in victims' browsers. It appears that the Estonian company is relaying the Google search queries of DNS changer Trojan victims through its network, which comprises more than 400 proxies. These proxies spread the load over different IP addresses so Google does not notice the illegal activity. We believe, however, that these proxies are not compromised hosts but dedicated servers in datacenters owned or leased by the Estonian company.

Apart from relaying victims' search queries through the above-mentioned proxies, the said company also caches old search results so that only unique ones need to be relayed to Google. These cache servers are located on the following internal .intra servers as well:
gcache1.intra      86400  IN  69.31.x.x
gcache2.intra      86400  IN  67.210.x.x
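The following is an added example, not the report's or Trend Micro's code, that serves this section together with the earlier sections on rogue DNS servers and ad replacement. It performs the two host-side checks a defender would run on a suspected DNS changer victim: first, whether the resolver configuration points at nameservers outside the approved set or inside ranges flagged as rogue; second, whether sentinel domains such as the search engine and the ad network resolve, via the configured resolver, to addresses that share nothing with a trusted resolver's answer, which is the fingerprint of the proxying and ad substitution described above. Every nameserver address, range and answer set below is a constructed placeholder; a live check would query both resolvers instead of using the embedded dictionaries.

```python
"""Host-side checks for a DNS changer victim: suspicious resolver settings
and sentinel domains whose answers diverge from a trusted resolver.

Added example, not the report's or Trend Micro's code. All addresses,
ranges and answer sets are constructed placeholders.
"""
import ipaddress

# Constructed: ranges an organisation treats as its approved resolvers, and
# ranges it has flagged as rogue DNS infrastructure (placeholders only).
APPROVED_RESOLVERS = [ipaddress.ip_network("10.0.0.0/8")]
FLAGGED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]

def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text,
    ignoring comments and lines that are not valid nameserver entries."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            try:
                servers.append(ipaddress.ip_address(parts[1]))
            except ValueError:
                pass
    return servers

def classify_resolvers(servers):
    """Label each resolver as flagged, approved or unknown. A flagged range
    wins over an approved one so a bad entry is never hidden."""
    result = {}
    for ip in servers:
        if any(ip in net for net in FLAGGED_RANGES):
            result[str(ip)] = "flagged"
        elif any(ip in net for net in APPROVED_RESOLVERS):
            result[str(ip)] = "approved"
        else:
            result[str(ip)] = "unknown"
    return result

def compare_answers(configured, trusted):
    """Return sentinel domains whose answer from the configured resolver
    shares no address with the trusted resolver's answer. Requiring a
    fully disjoint answer avoids false alarms from CDN round-robin, where
    the two answers normally still overlap."""
    mismatches = {}
    for domain, trusted_ips in trusted.items():
        got = set(configured.get(domain, ()))
        if got and not (got & set(trusted_ips)):
            mismatches[domain] = sorted(got)
    return mismatches

# Constructed sample inputs.
RESOLV_CONF = """\
# generated by the DHCP client (constructed sample)
nameserver 203.0.113.53
nameserver 10.0.0.2
"""
TRUSTED_ANSWERS = {
    "www.google.com": ["192.0.2.10", "192.0.2.11"],
    "ad.yieldmanager.com": ["192.0.2.20"],
    "www.cnn.com": ["192.0.2.30"],
}
CONFIGURED_ANSWERS = {
    "www.google.com": ["203.0.113.80"],       # search queries proxied
    "ad.yieldmanager.com": ["203.0.113.81"],  # spoofed ad server
    "www.cnn.com": ["192.0.2.30"],            # content site untouched
}

def assess(resolv_text, configured, trusted):
    """Combine both checks into one verdict dictionary."""
    resolvers = classify_resolvers(parse_resolv_conf(resolv_text))
    mismatches = compare_answers(configured, trusted)
    suspicious = "flagged" in resolvers.values() or bool(mismatches)
    return {"resolvers": resolvers, "mismatches": mismatches,
            "suspicious": suspicious}

if __name__ == "__main__":
    print(assess(RESOLV_CONF, CONFIGURED_ANSWERS, TRUSTED_ANSWERS))
```

The resolver check alone is not enough: a DNS changer may leave an approved resolver in the list as a fallback, and an unknown resolver may be a legitimate home router. Pairing it with the sentinel comparison catches the case the report describes, where the content site resolves correctly but the search engine and ad network do not.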
In the unfortunate event that an Internet user falls for the bogus virus warnings and installs the fake antivirus, he/she will actually install an additional Trojan on his/her system. The new Trojan frequently annoys the user with warnings that he/she is infected and needs to get a paid subscription for the fake antivirus. When the Internet user decides to purchase one, he/she will be directed to a secure website (see Figure 10). We found that this billing website is controlled by the Estonian company as well. This is reflected in the .intra zone file of the company, details on which are shown in the following table:

Figure 9. Number of unique IP addresses exposed to bogus virus alerts while visiting high-traffic porn sites
billing.intra        86400  IN  64.28.x.x
billingproxy1.intra  86400  IN  78.159.x.x
billingproxy2.intra  86400  IN  88.198.x.x
The locations of the internal domains billingproxy1.intra and billingproxy2.intra exactly match two secure websites that are being used for selling fake antivirus. Both servers are probably frontend proxies for the actual billing server located at 64.28.x.x (billing.intra).
CONCLUSION
This paper discussed some parts of a large ongoing cybercriminal operation that dates back to at least 2005. An Estonian company is actively administering a huge number of servers in numerous datacenters, which together form a network to commit cybercrime. It appears that the company from Tartu, Estonia controls everything from luring Internet users into installing DNS changer Trojans by promising them special video content to exploiting victims' machines for fraud with the help of ads and fake virus infection warnings. The company has spread its assets over numerous Web hosting companies since it was disconnected from a San Francisco datacenter in 2008. Apparently, it learned its lesson and decided to lower the risk of dropping off the Internet.
TREND MICRO
© 2009 by Trend Micro, Incorporated. All rights reserved. Trend Micro and the Trend Micro t-ball logo are trademarks or registered trademarks of Trend Micro, Incorporated. All other product or company names may be trademarks or registered trademarks of their owners.