TrendLabs Malware Blog - Trend Micro

In order to monetize their malicious activities, botnet operators, spammers, and those behind blackhat search engine optimization (SEO) campaigns create accounts with a network of FAKEAV affiliates. These affiliates supply URLs to landing pages that display false antivirus scanners and that attempt to scare users into installing rogue antivirus software. If users purchase the fake product, the FAKEAV affiliate’s client (e.g., a botmaster) receives a portion of the income generated.

This post analyzes the operations of one FAKEAV affiliate, which has been a past supplier of the KOOBFACE botnet as well as a prolific blackhat SEO operation.

Between March 7 and April 19, 2011, 890 domain names were collected from the source URL that this FAKEAV affiliate provides to its clients. This figure reflects the .com, .org, and .net domains and does not include domains such as co.cc that were also collected. Comparing each domain's registration date with the day it first appeared in the affiliate's source URL (its propagation date), we found that the majority of the domain names are propagated a day after they are registered. A significant number of domains are distributed on the same day they are registered.

• 30 domains propagated before their registration date, i.e., a negative delay (3.3 percent)
• 246 domains propagated on the same day (27.6 percent)
• 588 domains propagated the next day (66.0 percent)
• 13 domains propagated after two days (1.4 percent)
• 1 domain propagated after three days (0.1 percent)
• 3 domains propagated after seven days (0.3 percent)

Interestingly, some domains were propagated prior to registration. This fact, combined with the number of incremental domains (the same base name with an incremented number appended), indicates that FAKEAV affiliates have an automated domain registration system. The affiliate registered an average of 20 domains a day.

However, there were also fluctuations in the number of domains registered. For example, 44 domains were registered on March 27 while only one was registered on April 17. Typically, the affiliate registers domains with two or three different registrars each day. However, on March 31, they registered domains across seven different registrars.

The top 10 registrars used (with the number of domains registered through each) were:

Registrar                 Domains
NETWORK SOLUTIONS LLC     391
TUCOWS INC.               107
GODADDY.COM INC.          85
DIRECTNIC LTD.            74
WILD WEST DOMAINS INC.    55
NAMESECURE LLC            40
ENOM INC.                 30
NETWORK SOLUTIONS LLC     28
FASTDOMAIN INC.           20
ABOVE.COM PTY. LTD.       17

They also used 127 different email addresses to register the domains. However, once addresses belonging to WHOIS privacy-protection services are excluded, the attackers used 39 unique Yahoo! Mail addresses for 559 domains. On average, each address was used to register 14 domains. The highest total for a single email address was 44 domains and the lowest was one. Typically, an email address is used on a single day with a single registrar and is not reused. This FAKEAV affiliate is limiting the risk of discovery by spreading the registration of their malicious domains across multiple registrars and email addresses.
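The measurements above (registration-to-propagation delay, incrementally numbered domain families, registrars used per day, and registrant email reuse with WHOIS privacy-proxy addresses excluded) can be reproduced over a domain feed joined with WHOIS data. The following Python is an added example and not TrendLabs' tooling or data: the records, the registrar names, the email addresses and the `privacyguard.example` proxy domain are all constructed for illustration.

```python
"""Profile a batch of rogue-AV landing domains from a URL feed joined with
WHOIS data: propagation delay, automated naming, registrar and e-mail reuse.
All records below are constructed; they are not the blog's data."""
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (domain, WHOIS creation date, date first seen
# in the affiliate's URL feed, registrar, registrant e-mail).
SAMPLE_RECORDS = [
    ("scan-guard1.example", date(2011, 3, 27), date(2011, 3, 28), "REGISTRAR-A", "alpha@mail.example"),
    ("scan-guard2.example", date(2011, 3, 27), date(2011, 3, 28), "REGISTRAR-A", "alpha@mail.example"),
    ("scan-guard3.example", date(2011, 3, 27), date(2011, 3, 27), "REGISTRAR-A", "alpha@mail.example"),
    ("pc-shield7.example",  date(2011, 3, 27), date(2011, 3, 26), "REGISTRAR-B", "bravo@mail.example"),
    ("pc-shield8.example",  date(2011, 3, 27), date(2011, 3, 28), "REGISTRAR-B", "bravo@mail.example"),
    ("av-center.example",   date(2011, 3, 31), date(2011, 4, 1),  "REGISTRAR-C", "proxy-4711@privacyguard.example"),
    ("av-center2.example",  date(2011, 3, 31), date(2011, 4, 2),  "REGISTRAR-D", "charlie@mail.example"),
    ("quickfix-av.example", date(2011, 3, 31), date(2011, 4, 7),  "REGISTRAR-E", "charlie@mail.example"),
]

# Hypothetical WHOIS privacy-proxy service; real feeds need a list of such domains.
PRIVACY_EMAIL_RE = re.compile(r"@privacyguard\.example$")
# "<base><number>.<tld>": the incremented-number naming the blog describes.
INCREMENT_RE = re.compile(r"^(?P<base>.*?)(?P<num>\d+)(?P<tld>\.[a-z]+)$")


def propagation_delays(records):
    """Counter of (first_seen - registered) in days. A negative key means the
    domain was in the feed before its WHOIS creation date, which points to an
    automated registration pipeline rather than manual work."""
    return Counter((seen - reg).days for _, reg, seen, _, _ in records)


def delay_summary(records):
    """{delay_days: (count, percent)} sorted by delay, like the blog's list."""
    hist = propagation_delays(records)
    total = sum(hist.values())
    return {d: (n, round(100.0 * n / total, 1)) for d, n in sorted(hist.items())}


def incremental_families(records, min_size=2):
    """Group domains that differ only by a trailing number (foo1, foo2, ...).
    Returns {base_with_tld: sorted numbers} for families of >= min_size."""
    families = defaultdict(list)
    for domain, *_ in records:
        m = INCREMENT_RE.match(domain)
        if m:
            families[m.group("base") + m.group("tld")].append(int(m.group("num")))
    return {b: sorted(n) for b, n in families.items() if len(n) >= min_size}


def registrars_per_day(records):
    """{registration date: number of distinct registrars used that day}."""
    by_day = defaultdict(set)
    for _, reg, _, registrar, _ in records:
        by_day[reg].add(registrar)
    return {d: len(s) for d, s in sorted(by_day.items())}


def registrant_emails(records, exclude=PRIVACY_EMAIL_RE):
    """Domains per registrant e-mail, dropping privacy-proxy addresses so the
    count reflects mailboxes the registrant actually controls."""
    return Counter(email for *_, email in records if not exclude.search(email))


def email_reuse(records, exclude=PRIVACY_EMAIL_RE):
    """Per e-mail address, the sorted (day, registrar) pairs it was used with.
    One pair per address is the use-once pattern described in the post; more
    than one means the address was reused across days or registrars."""
    usage = defaultdict(set)
    for _, reg, _, registrar, email in records:
        if not exclude.search(email):
            usage[email].add((reg, registrar))
    return {e: sorted(pairs) for e, pairs in usage.items()}


if __name__ == "__main__":
    print("delay histogram:", delay_summary(SAMPLE_RECORDS))
    print("numbered families:", incremental_families(SAMPLE_RECORDS))
    print("registrars per day:", registrars_per_day(SAMPLE_RECORDS))
    print("domains per e-mail:", registrant_emails(SAMPLE_RECORDS))
    print("e-mail reuse:", email_reuse(SAMPLE_RECORDS))
```

On the constructed records the histogram shows one domain with a delay of -1 day, one at 0, four at +1, one at +2 and one at +7; two numbered families are found (`scan-guard` 1..3 and `pc-shield` 7..8); March 31 uses three registrars; and `charlie@mail.example` stands out as the one address reused across two registrars.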

FAKEAV variants are distributed through an affiliate model in which a centralized location feeds malicious URLs and binaries to clients who propagate these links through their own methods. These affiliates have the capacity to register numerous domain names using different email addresses, and the domains are propagated quickly after registration. Thus, identifying the source of the FAKEAV domains and not just the botnets that distribute them is important in combating this threat.

© Copyright 2013 Trend Micro Inc. All rights reserved.