In order to monetize their malicious activities, botnet operators, spammers, and those behind blackhat search engine optimization (SEO) campaigns create accounts with a network of FAKEAV affiliates. These affiliates supply URLs to landing pages that display false antivirus scanners and that attempt to scare users into installing rogue antivirus software. If users purchase the fake product, the FAKEAV affiliate’s client (e.g., a botmaster) receives a portion of the income generated.
Between March 7 and April 19, 2011, 890 domain names were collected from the source URL that this FAKEAV affiliate provides to its clients. This figure reflects the .com, .org, and .net domains and does not include domains such as co.cc that were also collected. We then found that the majority of the domain names are propagated a day after they are registered. A significant number of domains are distributed on the same day they are registered.
- 30 domains propagated before they were registered, i.e., in negative days (3.3 percent)
- 246 domains propagated on the same day (27.6 percent)
- 588 domains propagated the next day (66.0 percent)
- 13 domains propagated after two days (1.4 percent)
- 1 domain propagated after three days (0.1 percent)
- 3 domains propagated after seven days (0.3 percent)
Interestingly, some domains were propagated prior to registration. This fact, combined with the number of incremental domains (the same domains with incremented numbers appended), indicates that FAKEAV affiliates have an automated domain registration system. They registered an average of 20 domains a day.
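The registration-to-propagation comparison described above can be reproduced on any feed of suspect domains. The following is an added example, not code from the original report: the function names, the one-day threshold, and the sample domains and dates are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import date

# Constructed sample records: (domain, WHOIS creation date, date first seen in the feed).
# These names and dates are invented for illustration; none come from the report.
SAMPLE = [
    ("scan-alert1.example", date(2011, 3, 26), date(2011, 3, 27)),
    ("scan-alert2.example", date(2011, 3, 26), date(2011, 3, 27)),
    ("scan-alert3.example", date(2011, 3, 27), date(2011, 3, 27)),
    ("pc-shield7.example", date(2011, 4, 2), date(2011, 4, 1)),
    ("pc-shield8.example", date(2011, 4, 2), date(2011, 4, 3)),
    ("gardenclub.example", date(2011, 1, 10), date(2011, 4, 5)),
]

def lag_histogram(records):
    """Count domains by days between registration and first propagation.
    A negative lag means the URL was seen before the WHOIS creation date."""
    return Counter((seen - registered).days for _, registered, seen in records)

def incremental_families(records, min_size=2):
    """Group domains whose first label differs only by a trailing number."""
    families = defaultdict(list)
    for domain, _, _ in records:
        label, _, rest = domain.partition(".")
        m = re.fullmatch(r"(.*?\D)(\d+)", label)
        if m:
            families[(m.group(1), rest)].append(int(m.group(2)))
    return {f"{stem}N.{rest}": sorted(nums)
            for (stem, rest), nums in families.items() if len(nums) >= min_size}

def newly_registered(records, max_lag_days=1):
    """Domains propagated within max_lag_days of registration (or before it)."""
    return [d for d, registered, seen in records
            if (seen - registered).days <= max_lag_days]

if __name__ == "__main__":
    for lag, count in sorted(lag_histogram(SAMPLE).items()):
        print(f"{lag:+d} days: {count}")
    print(incremental_families(SAMPLE))
    print(newly_registered(SAMPLE))
```

A domain that is both newly registered and part of a numbered family is a stronger blocking or review candidate than one matching either signal alone.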
However, there were also fluctuations in the number of domains registered. For example, 44 domains were registered on March 27 while only one was registered on April 17. Typically, the affiliate registers domains with two or three different registrars each day. However, on March 31, they registered domains across seven different registrars.
The top 10 registrars used were:
| Registrar | Domains registered |
|---|---|
| NETWORK SOLUTIONS LLC | 391 |
| WILD WEST DOMAINS INC. | 55 |
| NETWORK SOLUTIONS LLC | 28 |
| ABOVE.COM PTY. LTD. | 17 |
They also used 127 different email addresses to register the domains. However, when privacy-protection email addresses are excluded, the attackers used 39 unique Yahoo! Mail addresses for 559 domains. On average, each address was used to register 14 domains. The highest total for a single email address was 44 domains and the lowest was one. Typically, each email address is used on a single day with a single registrar and is not reused. This FAKEAV affiliate is limiting the risk of discovery by spreading the registration of its malicious domains across multiple registrars and email addresses.
FAKEAV variants are distributed through an affiliate model in which a centralized location feeds malicious URLs and binaries to clients who propagate these links through their own methods. These affiliates have the capacity to register numerous domain names using different email addresses. The domains are also propagated quickly after registration. Thus, identifying the source of the FAKEAV domains, and not just the botnets that distribute them, is important in combating this threat.