
    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    On November 8, a long-living botnet of more than 4,000,000 bots was taken down by the FBI and Estonian police in cooperation with Trend Micro and a number of other industry partners.

    In this operation, dubbed “Operation Ghost Click” by the FBI, two data centers in New York City and Chicago were raided and a command & control (C&C) infrastructure consisting of more than 100 servers was taken offline. At the same time the Estonian police arrested several members in Tartu, Estonia. Here is the link to the press release of the FBI.

    The botnet consisted of infected computers whose Domain Name Server (DNS) settings were changed to point to foreign IP addresses. DNS servers resolve human-readable domain names to the IP addresses assigned to servers on the Internet. Most Internet users automatically use the DNS servers of their Internet Service Provider.

    DNS-changing Trojans silently modify computer settings to use foreign DNS servers. These DNS servers are set up by malicious third parties and translate certain domains to malicious IP addresses. As a result, victims are redirected to possibly malicious websites without detection.

    Criminals use a variety of methods to monetize the DNS Changer botnet, including replacing advertisements on websites that victims load, hijacking search results, and pushing additional malware.



    In this blog post, we present concrete evidence that the recent compromise of Dutch certification authority DigiNotar was used to spy on Iranian Internet users on a large scale.

    We found that Internet users in more than 40 different networks of ISPs and universities in Iran were met with rogue SSL certificates issued by DigiNotar. Even worse, we found evidence that some Iranians who used software designed to circumvent traffic censorship and snooping were not protected against the massive man-in-the-middle attack.

    Rogue SSL Certificates for Man-in-the-Middle Attacks

    SSL certificates are used for secure Web sessions like Internet banking and Google’s Gmail. Certification authorities issue and check the authenticity of SSL certificates. In July 2011, hackers managed to create rogue SSL certificates for hundreds of domain names, including and even the entire .com top-level domain by breaking into the systems of certification authority DigiNotar in the Netherlands. This is very dangerous, as these rogue SSL certificates can be used in man-in-the-middle attacks wherein encrypted secure Web traffic can be read by a third party.

    On August 29, 2011, the rogue SSL certificate issued by DigiNotar was discovered. This rogue certificate makes snooping on Gmail traffic possible in man-in-the-middle attacks. Trend Micro has concrete evidence that these man-in-the-middle attacks indeed happened in Iran on a large scale.

    Our evidence is based on data that the Trend Micro Smart Protection Network has collected over time. The Trend Micro Smart Protection Network constantly analyzes data from the feedback of millions of customers around the world, including what domain names are accessed from which parts at a particular time. This feedback data makes it possible to protect against newly seen attack vectors in the blink of an eye.



    The WikiLeaks main domain,, currently redirects to The latter site is hosted on IP address registered to Heihachi Ltd. Heihachi Ltd. is known as a bulletproof, blackhat-hosting provider in Russia that is a safe haven for criminals and fraudsters. It hosts a long list of criminally related domains. Among these domains are banking fraud domains, carders’ (criminals who trade stolen credit card information) websites, malware sites, and phishing sites. No matter what your political view is, this is rather disturbing.

    We at Trend Micro are committed to protecting our customers against threats on the Internet. The Trend Micro™ Smart Protection Network™ automatically assigns a very low reputation score to domain name not because of political controversy but because of actual facts about the bad neighborhood where this domain name is hosted. To give you an idea, here are some illustrious neighbors:,, (phishing), and

    We don’t know whether has perhaps been compromised or whether WikiLeaks is knowingly getting services from a blackhat provider. Either way, we assess the domain as highly risky and we do not recommend visiting this site as long as it is hosted by Heihachi Ltd.


    A group of hackers recently published detailed information from an underground credit card company. On July 23, an anonymous group claimed to have compromised a server of an online credit card processor company. At that time, however, the extent of the compromise was unclear. Looking at the data that was published leads us to believe that the compromise is very plausible.


    The leaked data includes employee emails as well as recorded phone calls. A particular recorded conversation discussed the various ways of defrauding major credit card companies. Another conversation discussed Fethard, a payment service that allows anonymous payments to be made and that is often associated with money laundering and other cybercriminal activities.

    Furthermore, there are assumptions that one of the people behind the credit card processor company also serves as one of Fethard’s owners. He has likewise been associated with a spam forum called In 2007, a large sum of money disappeared from Fethard’s funds. This has undoubtedly created problems for Fethard and has possibly pulled the mother company deeper into the cybercrime business.

    The compromised credit card company that functions as Fethard’s mother company is infamous for processing payments for FAKEAV, pharmaceuticals on spam sites, extreme pornography, and cheap MP3s. Its official headquarters is in Amsterdam in the Netherlands. However, it only has a handful of Dutch employees and the actual work is done in Russia and Latvia. The company has legitimate customers in Russia as well.

    This hacking incident would probably make a lot of cybercriminals nervous. Unfortunately, the incident also puts the personal data of legitimate customers and of many ordinary Russians at risk.

    Special thanks to all threat researchers for additional information in this post.


    This is the second part of a two-part series on browser hijacking. The first part may be found here.

    Not all traffic brokers are as unscrupulous as Onwa Ltd. Legitimate traffic brokers, however, have to be fooled into thinking that they are dealing with a legitimate party. To do this, rogue traffic brokers like Onwa Ltd. often set up a website that suggests that the broker has been running a legitimate business for a long period of time. Fake search websites are set up. These fake search websites are supposed to drive real user traffic whereas, in reality, these only form intermediary steps for click-fraud from botnets.

    As these fake search engines do not get normal visitors and as advertisers may notice this, their Alexa rankings are sometimes artificially increased. This is done by bots that automatically access Alexa URLs that determine the number of visits to a site. In addition, rogue traffic brokers often split up fraudulent traffic into smaller parts so that it looks like the traffic is coming from many different sources whereas, in reality, the vast majority of the clicks come from only a handful of botnets. If an upstream traffic buyer detects fraud, the rogue traffic broker can put the blame on a rogue affiliate and can filter one of the feeds. The cybercriminal group will thus lose only a small part of its revenue instead of losing everything.

    Browser hijackers are a noisy type of malware. Victims will soon notice that something is wrong once they see unexpected redirections. Therefore, the average life expectancy of the bots is relatively low. Figure 1 shows the life expectancy of a single bot based on historical data we were able to collect. In this case, the life expectancy of any single bot typically fluctuates between 6 and 12 days.

    To keep the size of the botnet intact, the bot herders need to constantly infect new systems. Figure 2 shows the number of new systems added to the botnet discussed here every day. Tens of thousands of new systems are infected daily. More than 2 million computers have been infected with the browser hijacker so far this year and we expect this number to reach 4 million by the end of this year.

    The browser hijackers we have been looking at come with an additional DNS changer component that changes a system’s DNS settings to point to foreign servers. The DNS servers used are hard-coded into the malware. We found that every day, the gang spreads a new malware sample that changes systems’ DNS settings to a unique pair of foreign servers.

    These servers start to resolve domain names to malicious IP addresses only after a machine has been infected for about a week. We believe that this is an attempt to extend the life span of the bots. When the browser hijacker component is removed from an infected computer, the DNS changer may still be present, so the bot can still be used to hijack traffic with DNS tricks. The life span of the bots is thus significantly extended.
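Because the changed DNS settings can outlive the hijacker component, auditing resolver settings across a fleet is a direct check for this kind of infection. The following is an added example, not code from the original post: it parses resolv.conf-style settings, flags resolvers outside an approved set, and groups hosts that share the same unapproved resolvers. The approved networks, host names and inventory are constructed for illustration and use documentation address ranges.

```python
import ipaddress
from collections import defaultdict

# Assumption: the resolver networks the organisation or ISP actually hands out.
APPROVED_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/28", "2001:db8:53::/64")]

# Constructed inventory: host name -> resolv.conf contents collected from that host.
SAMPLE_INVENTORY = {
    "ws-01": "search corp.example\nnameserver 192.0.2.1\nnameserver 192.0.2.2\n",
    "ws-02": "# set by installer\nnameserver 198.51.100.17\nnameserver 198.51.100.18\n",
    "ws-03": "nameserver 198.51.100.18\nnameserver 198.51.100.17\n",
    "ws-04": "nameserver 192.0.2.1\nnameserver 203.0.113.9 # secondary\n",
    "ws-05": "nameserver 2001:db8:53::1\nnameserver not-an-ip\n",
}

def parse_nameservers(text):
    """Return the nameserver entries of a resolv.conf-style file, in order."""
    servers = []
    for line in text.splitlines():
        # Drop comments ('#' or ';') before splitting into fields.
        fields = line.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def unapproved(servers):
    """Entries that are not valid IP addresses or fall outside every approved network."""
    bad = []
    for entry in servers:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            bad.append(entry)  # a malformed entry is itself worth a look
            continue
        if not any(addr.version == net.version and addr in net for net in APPROVED_NETS):
            bad.append(entry)
    return bad

def audit(inventory):
    """Map each set of unapproved resolvers to the hosts configured with it."""
    clusters = defaultdict(list)
    for host, conf in sorted(inventory.items()):
        bad = unapproved(parse_nameservers(conf))
        if bad:
            clusters[tuple(sorted(bad))].append(host)
    return dict(clusters)

if __name__ == "__main__":
    for resolvers, hosts in audit(SAMPLE_INVENTORY).items():
        print(", ".join(resolvers), "->", ", ".join(hosts))
```

Several hosts sharing the same pair of unapproved resolvers, as ws-02 and ws-03 do in the constructed data, is the pattern to prioritise, since each malware sample described above writes one fixed pair.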

    We expect browser hijackers to become more advanced and resilient in the future. Advanced tricks like replacing legitimate ads with foreign ones already exist today. The botnet discussed in this blog replaces Double Click ads with Clicksor ads once the rogue DNS component is activated. This is a form of stealth click-fraud that is difficult to detect on Double Click’s part. However, in this case, we believe there is no intermediate party between Clicksor and the cybercrime gang. We believe Clicksor should be able to detect this fraud. However, if rogue middlemen are used, detecting this becomes much more difficult.

    For users concerned about browser attacks, our free tool—Trend Micro Browser Guard—can be downloaded from

    Posted in Botnets | Comments Off on Making a Million, Part Two—The Scale of the Threat


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice