    Author Archive - Feike Hacquebord (Senior Threat Researcher)

    Most cybercrime gangs are not interested in just making a quick profit or in retiring early. They treat cybercrime as a serious and lucrative business venture and are happy to patiently expand their criminal networks while trying to hide their malicious activities from the rest of the world. In this blog post, we discuss how a criminal network may earn just a couple of dollars from each victim. However, by victimizing many users, it can earn millions of dollars in profit annually. These activities are based on a business model that involves rogue traffic brokers and defrauding reputable brand names.

    The networks these cybercriminals use can consist of more than 100 servers that are hosted in various data centers around the world. Some Internet gangs have millions of dollars in liquid assets, which enables them to make substantial investments in new criminal activities that promise huge returns. The collateral damage their activities cause is thus huge.

    Figure 1 shows the size of a particular botnet between March 2010 and the end of July 2010. As shown, the botnet’s size has fluctuated over time; it currently comprises around 150,000 bots. This is not a huge botnet, but it still generates several million dollars in revenue per year.

    Browser hijacker Trojans refer to a family of malware that redirects their victims away from the sites they want to visit. In particular, search engine results are often hijacked by this type of malware. A search on popular search engines like Google, Yahoo!, or Bing still works as usual. However, once victims click a search result or a sponsored link, they are instead directed to a foreign site so the hijacker can monetize their clicks.

    Browser hijackers are popular because search result clicks convert well. It is a lucrative and easy way to capitalize on the success of legitimate search engines. With a network of 150,000 bots, gangs can make several million U.S. dollars every year from hijacking search results alone. The price per stolen click strongly depends on the keywords used. We have seen an average of US$0.01–0.02 per click, although this rises to more than US$2 for words or phrases like “home-based business opportunities” or “loans.” For the earnings of a hijacking botnet that has hijacked more than 1 million clicks in one day—July 20, 2010—see the chart below.
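    The hijacking pattern described above (a click on a search result that never reaches the search engine's own click-tracking host but is bounced through a broker) is visible in web proxy logs. The following is an added detection example, not code from the original post or from Trend Micro: it parses a constructed proxy log, flags result-page clicks that left for a host outside an assumed allow-list of the engine's own hosts, and follows the referer chain to show the broker hops. All hostnames, the log format and the allow-lists are assumptions made for the example.

```python
"""Flag search-result clicks that land outside the search engine's own
click-tracking hosts and reconstruct the redirect chain that follows.
The log lines, hostnames and allow-lists below are constructed for this
example; adjust them to the proxy format and search engine you monitor."""
import re
from collections import defaultdict
from urllib.parse import urlparse

# Hypothetical allow-list: hosts a legitimate result click may pass through.
SEARCH_HOSTS = {"search.example", "www.search.example"}
KNOWN_CLICK_HOSTS = {"clicks.search.example", "ads.search.example"}

# Constructed proxy log, one request per line: client status url referer
# (referer "-" means none). Client 10.0.0.5 shows a hijacked click that
# is bounced through two broker hosts; client 10.0.0.9 shows a normal click.
SAMPLE_LOG = """\
10.0.0.5 200 http://www.search.example/search?q=loans -
10.0.0.5 302 http://redir.broker-example.test/go?id=77 http://www.search.example/search?q=loans
10.0.0.5 302 http://feed.broker-example.test/c?k=loans http://redir.broker-example.test/go?id=77
10.0.0.5 200 http://lender.example/landing http://feed.broker-example.test/c?k=loans
10.0.0.9 200 http://www.search.example/search?q=weather -
10.0.0.9 302 http://clicks.search.example/url?u=weather.example http://www.search.example/search?q=weather
10.0.0.9 200 http://weather.example/ http://clicks.search.example/url?u=weather.example
"""

LINE_RE = re.compile(r"^(\S+) (\d{3}) (\S+) (\S+)$")


def parse_log(text):
    """Parse the constructed log into (client, status, url, referer) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        client, status, url, referer = m.groups()
        records.append((client, int(status), url, None if referer == "-" else referer))
    return records


def is_search_results_page(url):
    """True when the URL is a results page on one of the engine's hosts."""
    if url is None:
        return False
    p = urlparse(url)
    return p.hostname in SEARCH_HOSTS and p.path == "/search"


def hijacked_clicks(records):
    """Return {client: [(first_off_engine_host, query_string), ...]} for
    clicks that left a results page for a host the engine does not own."""
    out = defaultdict(list)
    for client, _status, url, referer in records:
        if not is_search_results_page(referer):
            continue
        host = urlparse(url).hostname
        if host in SEARCH_HOSTS or host in KNOWN_CLICK_HOSTS:
            continue  # legitimate click path
        out[client].append((host, urlparse(referer).query))
    return dict(out)


def redirect_chain(records, client, start_url):
    """Follow referer links from the first off-engine hop to the final page,
    which exposes the intermediate broker hosts a stolen click passes through."""
    chain = [start_url]
    while True:
        nxt = next((u for c, _s, u, r in records if c == client and r == chain[-1]), None)
        if nxt is None:
            return chain
        chain.append(nxt)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, hits in hijacked_clicks(recs).items():
        for host, query in hits:
            print(client, query, "->", host)
            first_hop = next(u for c, _s, u, _r in recs
                             if c == client and urlparse(u).hostname == host)
            print("   chain:", " -> ".join(redirect_chain(recs, client, first_hop)))
```

    In a real deployment the allow-list is the part that needs care: search engines use several click-tracking hosts, so build it from observed benign traffic first, and treat a single broker host that absorbs clicks for many unrelated queries as the strongest signal.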

    To monetize the stolen clicks, the hijacker usually sells the fraudulent clicks collected to a traffic broker. This broker resells the traffic again to legitimate parties like Yahoo!, Google, or For example, we have seen that Yahoo! search result clicks were resold back to Yahoo! via an intermediate traffic broker. In another example, stolen Google clicks were resold to LookSmart.

    Selling stolen traffic to legitimate parties like Google, Overture (Yahoo!), or LookSmart is not trivial, however, as these companies have advanced tools to detect fraud. Therefore, most traffic hijackers make use of a broker, which collaborates with them to optimize their traffic feeds and to find the best buyers. Some traffic brokers can’t be trusted and are part of fraudulent schemes themselves. For example, a traffic broker called “Onwa Ltd.,” based in St. Petersburg, Russia, must have full knowledge of the fraudulent nature of the traffic it resells. This is because the broker writes and sells back-end software for obscure, fake search engines that form a facade for click fraud. (Onwa Ltd. also has shell companies in the United Kingdom and Seychelles.) See Figure 2 for an example.


    In addition, Onwa Ltd. has also set up its own infrastructure for spoofed Google websites. This particular broker has been around since at least 2005 and, possibly, even as early as 2003. The other company names this group uses include “Uttersearch,” “RBTechgroup,” and “Crossnets.” One of their corporate pages is shown in Figure 3.


    This is the first part of a two-part series on browser hijacking. Part Two, entitled “The Scale of the Threat,” may be found here.

    Posted in Botnets: “Making a Million, Part One—Criminal Gangs, the Rogue Traffic Broker, and Stolen Clicks”

    Tartu, Estonia is the hometown of an Internet company that, from the outside, looks just like any other legitimate Internet service provider (ISP). On its website (see Figure 1), the company lists services such as hosting and advertising. According to publicly available information, it posted more than US$5 million in revenue and had more than 50 employees in 2007.

    In reality, however, this company has been serving as the operational headquarters of a large cybercrime network since 2005. From its office in Tartu, employees administer sites that host codec Trojans and command and control (C&C) servers that steer armies of infected computers. The criminal outfit uses a lot of daughter companies that operate in Europe and in the United States. These daughter companies quickly draw heat when they become involved in Internet abuse and other cybercrimes. They disappear after getting bad publicity or when upstream providers terminate their contracts.

    Some of the larger daughter companies survived up to 5 years, but were dismantled after they lost Internet connectivity in a data center in San Francisco when web hosting company Intercage went dark in September 2008, and when ICANN decided to revoke the company’s domain name registrar accreditation.

    This was a major blow to the criminal operation. However, it quickly recovered and, moreover, immediately started to spread its assets over many different web hosting companies. Today we count about 20 different web hosting providers where the criminal Estonian outfit has a presence. Besides this, the company owns two networks in the United States.

    We gathered detailed data on the cybercrime ring from Tartu and found that it controls every step between driving traffic to sites with Trojans and exploiting infected computers. Even the billing system for the fake antivirus software that the company pushes is controlled from Tartu. An astonishing 1,800,000 Internet users were exposed to bogus “you are infected” messages in July 2009 when they tried to access high-traffic pornography sites.


    For a detailed analysis, please read our whitepaper: A Cybercrime Hub available at TrendWatch.


    Today Trend Micro researchers discovered a spoofed (fake) version of the popular Russian social networking site Visitors of the spoofed site risk exposing their personal login credentials to a third party. is roughly the Russian equivalent of Facebook and is very popular in Russian-speaking countries. According to the site itself it has more than 35 million users. Alexa ranks the site as the second most visited site in Russia.

    The infamous UkrTelegroup rogue DNS servers resolve domain name to a foreign IP address beginning today. These rogue DNS servers belong to the most prevalent DNS Changer Trojans (like TROJ_DNSCHANG) that modify DNS settings of victims to point to foreign IP addresses. DNS Trojan victims are at great risk, because the controllers of the rogue DNS servers can send them to any site at any time, thus exposing the victims to possible information theft, fraudulent traffic and malicious URLs.


    Apparently the number of Russian-speaking DNS Changer victims has reached critical mass, making it profitable to spoof Russian sites as well. Earlier we saw only about 60 Russian porn sites that got rogue resolution by the UkrTelegroup gang in a click fraud scheme, but now they are taking an interest in spoofing Russian high-traffic sites like this social networking website.

    Apart from personal information leakage, Internet users who visit the spoofed version of will see a “pop-under” box that advertises a different social networking site called through an intermediary site named According to is the second most visited website in Russia. Alexa however does not have statistics yet on

    Special thanks to Senior Threat Researcher Max Goncharov for additional information in this post.


    Last Saturday, California-based Web hosting company Intercage dropped off the Internet because its upstream provider PIE decided to terminate its services. All servers became unreachable as IP addresses were no longer routed to the Internet. They found a new upstream provider last Monday, after being offline for more than 36 hours. Traffic to and from Intercage appears absent as of this writing, probably because of filtering by a large Internet carrier higher upstream.

    The Web hosting company got bad publicity from recent blog postings written by Washington Post reporter Brian Krebs. He cited a research article that dubbed Intercage as a major host of malware. The article criticized the Web host for selling services to Esthost, an Estonian Web hosting reseller and domain site registrar accused of helping cyber criminals by allowing them to register domain names anonymously.

    A well-known fact among security researchers is that Intercage IP space has had a remarkable concentration of cybercrime throughout the last four years. But Intercage is not alone; there are more Web hosting companies in the US and Europe that seem to have persistent problems with their customer base.

    On this blog, we have written a few times on the so-called rogue DNS (Domain Name System) network of ZLOB. We have shown that this network is using DNS tricks for a massive click fraud scheme targeting legitimate advertising companies and search engines. We also showed that the rogue DNS network can lead to leakage of personal information of ZLOB victims.

    We monitored the rogue DNS network of ZLOB after Intercage went offline. Last week, we counted 1178 live rogue DNS servers related to ZLOB. These rogue DNS servers resolved more than 14,000 domain names (including high-profile sites and major search engines) to 200+ malicious IP addresses. After Intercage disappeared from the Internet we looked again: since last Sunday, 655 rogue DNS servers are down. Many spoofed sites related to ZLOB also disappeared because they were all hosted by Intercage.

    Last Monday, we noticed a very slow recovery of the rogue DNS network. Some of the spoofed search engine Web sites became live again, but now in a data center operated by located on the east coast of the US.

    We expect that in the coming days more of the rogue DNS network of ZLOB will move elsewhere, simply because the bad guys do not want to miss their ill-gotten revenues.


    More than a year ago, Trend Micro threat researchers uncovered a network of over 900 rogue DNS (Domain Name System) servers related to the ZLOB Trojan family. We gave examples showing that these rogue DNS servers are part of click fraud and leakage of personal information.

    Just recently, however, we discovered that this network is now targeting four of the most popular search engines. In a large scale click fraud scheme, the ZLOB gang appears to hijack search results and to replace sponsored links with DNS “tricks”.

    DNS is essential for the Internet to work. DNS servers translate domain names into IP addresses (and vice versa), which are assigned to computers connected to the Internet. This translation into IP addresses makes it possible for browsers to load Web sites from the correct computers. Most Internet users automatically use the DNS servers of their ISPs (Internet Service Providers), and implicitly trust that these DNS servers give back correct results. In the event that DNS settings get changed to point to a fraudulent or malicious server, the victim may be unknowingly redirected to any (potentially malicious) computer server at any time while browsing the Internet.

    The ZLOB Trojans we found silently change the local DNS settings of affected systems to use two of the abovementioned 900+ rogue DNS servers. These Trojans spread by advanced social engineering tricks; an example would be professional-looking Web sites that promise Internet users access to pornographic movies after installing malware that poses as a video codec. The number of ZLOB-related infections is huge — for the last six months of 2007, Microsoft reported more than 14,000,000 infections.
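    The two observable effects of a DNS changer described in this post and in the UkrTelegroup post above are (1) the host's resolver list no longer points at the ISP's servers and (2) the configured resolver returns addresses for popular domains that a trusted resolver does not. The following is an added detection example, not code from the original posts or from Trend Micro: it parses a constructed resolv.conf-style configuration against an assumed list of legitimate ISP resolvers, then compares constructed answer sets from the configured resolver and a reference resolver. All IP addresses, domain names and the expected-resolver list are assumptions made for the example.

```python
"""Detect DNS-changer tampering on a host.
Two checks: (1) configured resolvers that are not the ISP's legitimate ones,
(2) domains whose A records from the configured resolver share nothing with a
trusted reference resolver. All inputs below are constructed samples; in
practice the answer sets come from querying both resolvers."""
import ipaddress
import re

# Hypothetical: the ISP's legitimate resolvers (assumption for the example).
EXPECTED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}

# Constructed resolv.conf-style content as a DNS changer might leave it:
# both nameservers replaced with rogue addresses.
SAMPLE_RESOLV_CONF = """\
# Generated by NetworkManager
search example.net
nameserver 203.0.113.7
nameserver 203.0.113.8
"""


def parse_resolvers(text):
    """Return nameserver IPs from resolv.conf-style text, ignoring comments
    and lines that do not hold a syntactically valid IP address."""
    found = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"nameserver\s+(\S+)", line)
        if not m:
            continue
        try:
            found.append(str(ipaddress.ip_address(m.group(1))))
        except ValueError:
            continue  # malformed entry; the OS would ignore it too
    return found


def unexpected_resolvers(text, expected=EXPECTED_RESOLVERS):
    """Resolvers in the configuration that are not on the expected list."""
    return [ip for ip in parse_resolvers(text) if ip not in expected]


# Constructed answer sets, {domain: set of A records}. The reference resolver
# is one you trust (e.g. the ISP's); the configured one is what the host uses.
REFERENCE_ANSWERS = {
    "search.example": {"198.51.100.10", "198.51.100.11"},
    "mail.example": {"198.51.100.20"},
    "news.example": {"198.51.100.30"},
}
CONFIGURED_ANSWERS = {
    "search.example": {"203.0.113.99"},
    "mail.example": {"198.51.100.20"},
    "news.example": {"203.0.113.99"},
}


def hijacked_domains(reference, configured):
    """Domains whose answers from the configured resolver share no address
    with the reference. Partial overlap is not flagged, because CDNs rotate
    addresses and a single differing record is not evidence of tampering."""
    result = {}
    for domain, ref_ips in reference.items():
        got = configured.get(domain, set())
        if got and not (got & ref_ips):
            result[domain] = sorted(got)
    return result


def sink_addresses(hijacked):
    """Count how many flagged domains each address absorbs. One address
    answering for many unrelated domains is the rogue-resolver signature
    the post describes (hundreds of domains to a few malicious IPs)."""
    counts = {}
    for ips in hijacked.values():
        for ip in ips:
            counts[ip] = counts.get(ip, 0) + 1
    return counts


if __name__ == "__main__":
    print("unexpected resolvers:", unexpected_resolvers(SAMPLE_RESOLV_CONF))
    flagged = hijacked_domains(REFERENCE_ANSWERS, CONFIGURED_ANSWERS)
    print("hijacked domains:", flagged)
    print("sink addresses:", sink_addresses(flagged))
```

    On Windows the resolver list comes from the interface's DNS settings rather than resolv.conf, but the comparison logic is the same; the check that matters most is the second one, since a rogue resolver that only rewrites a few high-value domains would not be caught by the configuration check alone if the attacker used addresses that look like the ISP's.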

    It now appears that the ZLOB gang has entered the multibillion-dollar search engine market. ZLOB’s rogue DNS servers resolve several domain names of the main engines to fraudulent IP addresses. Among others, this criminal operation has even set up rogue sites of the UK and Canadian versions of one of the largest search engines. Even searches performed via the installed browser toolbar (provided by the same company) are now being hijacked by ZLOB. Another popular search engine company has been hit even harder — most, if not all, domain names of the search engine that give back search results get resolved to fraudulent Web sites by the rogue DNS servers.

    The primary objective of ZLOB here appears to be stealing traffic and clicks from search engines, making money along the way. Affected users are immediately redirected to sites that are not at all related to their original search queries. All sponsored search hits of the two main search engines we analyzed were hijacked by ZLOB. Clicks on sponsored links then are not credited to big search engine companies, but to the ZLOB gang instead.

    Although Trend Micro sees incidents of spoofed Web sites (like those of banking companies) regularly, the scale of ZLOB’s click fraud with search engines looks unprecedented. As mentioned above, the number of the gang’s victims is believed to be huge. Unfortunately, the rogue DNS network of ZLOB is several years old, stable, and is still expanding.

    While much of the ZLOB malware is widely detected, there are occasionally new variants created to evade detection, which may temporarily slip through and victimize unwitting users. From the time this new malware is released by these criminals, until the time it is detected, however, these criminals are trying to exploit this window of opportunity.

    We have taken steps to get in touch with our security contacts at each of the affected search engine companies, but alas, there is not much that they can do about the problem, since the DNS “hijacking” is being done locally on computers which are victimized by a ZLOB Trojan.

    Meanwhile, Trend Micro customers are protected from being victimized by malware and malicious Web sites by the Smart Protection Network. Updates on this developing issue will be posted as soon as they are available.



    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice