Thursday, May 30, 2013

Errorists' Empire - Exploring Typo Networks

Have you ever mistyped a web-address? Of course you have and you are not alone. Every day a vast amount of web requests are sent to typo addresses - close cousins of normal major web-site save for one or two characters. When you consider the amount of traffic that typo-sites can receive it is easy to understand why these domains are so valuable. For years, "Typosquatters" have been reaping the value from bad typing using inventive means to generate revenue. 

However, what is interesting is that a significant number of typo-sites can be observed using identifical methods to mislead users into installing a common set of binaries onto PCs (more below). 

During this review, I found over 341 significant typo-sites using related tactics, hosting resources, and executables;  These sites included numerous typo variations that easily receive traffic for intended major sites like: Blogspot, Craigslist, Foxsports, Google, Gmail, Hotmail, Linkedin, Nationgeographic.com, Sourceforge.net, UN.org

A more comprehensive list of these typo-sites can be found on pastebin for those interested.

Looking at some of these address names, it doesn't take a great deal of imagination to realize that the operators behind this are delivering binaries to a large number of systems daily.  

This leads us to some interesting questions
  • What are the methods used by this group?
  • What is the monetization process driving these efforts?
  • What parties are involved in this activity?
To start our investigation, let's  take a look at what has to probably be one of the most successful typo sites of all time: GMAI.COM.

 Link Analysis (GMAI.COM)
Around 5/30/2013, if you happened to miss the "L" in GMAIL.com you'd start your way down a link-path that goes something like this:




 - To start off with, gmai.com -( 208.87.34.65 Securehost/Bahamas - virustotal) serves us a 302 redirection bounce in the initial HTTP response and we get passed to an interesting web-site "global-adsopt.com" (184.170.128.81 / Netelligent Canada) which provides persistent URL redirection/cloaking service:
 http://global-adsopt.com/?sov=gmai.com&

   Example of web-redirection service 
 (same services also found on geoparker.com // 128.204.198.87)
- This redirection service hands us a java-script redirect to:
 http://super-saving.glidehomes.com/sid=173652&hid=fphpfflxjtvhpn&&id=cGiveaways2
The super-saving.glidehomes.com site is on round-robin DNS with the IPs: 75.101.216.99 (Amazon EC2/US - urlquery, virustotal), 23.20.106.130 (Amazon EC2/US -  urlquery, virustotal), and 208.87.34.21 (Securehost/Bahamas . urlquery,virustotal) .

After reaching this final destination, the site gives us a nice warning and notice that we are required to upgrade to "Adobe Flash 11.0" to proceed. 

This page page also sports some noteworthy disclaimer language; the basic gist of this is that you are going to be provided with "customer installer" which is different from what you were likely expecting.

At this point, pretty much anything we click on here serves us up a binary; however the specific file we receive varies probably on factors like which server we hit and our user agent string.

 Since they very much want us to take these executables, let's do that and see what we can learn:

Binary Review
Listed below is information on three binaries that I obtained on different loads of the super-saving.glidehomes.com site: 

Binary Name
Analysis Links
Code - Signed
setup.exe
Air Software
mplayer_Setup.exe
Optimum Installer
“ExtremeFlashPlayer_Ytz Installer.exe”
Anubis
Malwr
Denco Ltd.

 Though these EXEs are served from different sites, they share a great deal in common:
  • Each is pushed via a Pay-Per-Install Provider framework (more on this below).
  • Only a handful of AV engines detect them; those that do categorize them as adware/spyware or potentially unwanted programs (PUPs).
  • Each of the binaries is code signed (Versign class 3).
  • Each makes a common series of registry changes used to significantly downgrade the security setting of Internet Explorer.
Pay-Per Install Economy
From the binaries we pulled (see above), we can see evidence that these typo sites are being used as vast "install funnel" for driving a pay-per-install profit chain.

The overall PPI economy has distinctive roles that we can map to what we have seen so far in our review.
 While initiation of the the chain starts with the typo-squatter install funnel, the money actually flows from the "application providers" back up the chain.  

The application providers buy access into the PPI provider's affiliate network and use of their installation framework. In many cases their purchase can be specific to a region for the installation and an install target number (i.e. 1000 S. American PCs). Additionally, the PPI provider also frequently offers free software that is bundled/bound with the app. providers own code.   In turn, the PPI providers issue payment to our  typosquatters who can drive vast amounts of traffic and downloads to catalyze the overall chain.

For the end-user who was tricked into installing the PPI installer software, there really is no good outcome.  At best, they may have some adware or spyware that mucks things up a bit and of course they had no intention of installing to start with.   However at worse, malware authors have also for many years leveraged PPI networks as quick ways to build/grow their botnet.




Who Is Involved In This?
It is easy to spot the PPI provider companies whose installers are getting used as well many companies whose adware/spyware is piggy-backing on these initial installs.  However, it is considerably harder (and therefore more interesting)  to look at who may be behind all of the large number of typo domains that are being used to form the install funnel. One reason these companies are harder to find is that their litigation risks are quite significant due to claims of trademark infringement in addition to formal domain name disputes.  Also a significant measure of their value to the PPI chain is their resilience to disruption or take-down attempts.

To dig a little deeper, we can turn to Maltego  for some help with quick OSINT (report file here).

Looking at the nodes associated with the typo-domains we can find some clear relationships and trends that stand-out:

  1. Hosting Trends - The domain use round-robin DNS between the IPs (23.23.210.22 / Amazon EC2 - virustotal / urlquery  and 74.86.197.160/ Softlayer - virustotal / urlquery ) .  Of note, the whois record for 74.86.197.160 contains a rwhois referral which shows that PPX International Limited (now YTZ Management) as the organization responsible for the IP.
%rwhois V-1.5:003fff:00 rwhois.softlayer.com (by Network Solutions, Inc. V-1.5.9.5)
network:Class-Name:network
network:ID:NETBLK-SOFTLAYER.74.86.192.0/19
network:Auth-Area:74.86.192.0/19
network:Network-Name:SOFTLAYER-74.86.192.0
network:IP-Network:74.86.197.160/30
network:IP-Network-Block:74.86.197.160-74.86.197.163
network:Organization;I:PPX International Limited
network:Street-Address:250 Lytton Blvd
network:City:Toronto
network:State:ON
network:Postal-Code:M5N1R6
network:Country-Code:CA
network:Tech-Contact;I:[email protected]
network:Abuse-Contact;I:[email protected]
network:Admin-Contact;I:IPADM258-ARIN
network:Created:2010-11-19 15:00:01
network:Updated:2011-02-01 20:47:57
network:Updated-By:[email protected]


      2. Registrar Trends - Almost all domains use private registration and Internet.bs as the registrar.

     3.  DNS Trends - Most domains are using DomainManager as the authoritative nameservers.

If you research these three companies, you'll find they are tightly clustered together both terms of their history, investors, and leadership.  These companies are backed by folks who have been in the domain business for many years.  Evidence suggests that they are currently major players whose services are collectively being used to support a platform for aggregating untargetted traffic and focusing it into the PPI pipeline.

Conclusion
Typo-squatters and commercial PPI companies represent themselves as being engaged in legitimate businesses.  It worth noting that this legitimate business seems to require frequent adoption of techniques used to evade attempts to block or shutdown these services (off-shore bullet proof hosting, url redirection, binary packing).  Irregardless of questions of legality (variance in international laws), the use of misleading tactics to trick users into installing software is far from honorable and can results in serious loss of productivity.  If you've ever had to help a family member clean up after one of these installers pushed adware/spyware to a system you know just how ugly and frustrating this can be (example below).

More seriously however,  the success of using typo sites to increase the number of systems tied to a PPI network only increases incentive for cyber-criminals to view these networks as viable delivery vehicles for widespread use.   If  a PPI commercial provider can offer you access to hundreds of thousands of systems in affluent regions, then  you can potentially from nothing to a major botnet very quickly.   Research conducted in 2011 (see some the links below) clearly demonstrated that commercial PPI installers are a common target for infiltration and use for infection.


Further Readings/References

Juan Caballero, Chris Grier, Christian Kreibich, and Vern Paxson 

MIT Technlogy Review: Most Malware Tied to 'Pay-Per-Install' Market

"Hacker-Howto" PPI  + Malware Redistribution:



Posted by at
Labels: , ,

No comments:

Post a Comment

Subscribe to: Post Comments (Atom)