PPI being pay-per-install ...

This morning I saw some interesting transactions to:
hxxp://promoupdate.info/setup###.exe

where ### are numbers, for example, "519".

MD5: 1568edcd29629f577207d7396646b741

VirusTotal results 8/43 (report), detected as (among other names):
Win32:Hottrend-B

Turns out this is being spread through spammers, SEOers, etc. being financed in a PPI model, something that I have discussed before in the past. This time I have a screenshot to share related directly to the finance aspect of this particular PPI:


This post was created today. We can see from the PPI ad that those engaging in this particular campaign stand to make between $500 and $800 per 1000 installs (< $1 per install). The numbers in the executable, like "519" correspond to the account for the spammer/SEOer that is monetizing this. Domain: promoupdate.info Whois billing contact shows likely Russian affiliation: Here is the actual Affiliate Network setup by this guy:

Domain: twittre.net (private/masked Whois)
(note the RU nameservers)
Source of the twittre.net page actual reveals that the Affiliate website is loaded from rich-partners.com:
Domain: rich-partners.com
No surprise that the contact details are bogus, but the email address is legit, here's a past domain registered with these email credentials:
Robtex shows these other domains (all likely other PPI sites) on 91.188.60.10 (Sagade Ltd. <- not a surprise for some) in Latvia, hosting promoupdate.info:

One Version of the WebScan interface on an HP scanner

Scanning functionality in an alternate UI

Web servers have become commonplace on just about every hardware device from printers to switches. Such an addition makes sense as all devices require a management interface and making that interface web accessible is certainly more user friendly than requiring the installation of a new application. Despite typically being completely insecure, such web servers on printers/scanners are generally of little interest from a security perspective, even though they may be accessible over the web, due to network misconfigurations. Yes, you can see that someone neglected to replace the cyan ink cartridge but that's not of much value to an attacker. However, that's not always the case. I was recently looking at a newer model of an HP printer/scanner combo and something caught my eye. HP has for some time, embedded remote scanning capabilities into many of their network aware scanners, a functionality often referred to as Webscan. Webscan allows you to not only remotely trigger the scanning functionality, but also retrieve the scanned image, all via a web browser. To make things even more interesting, the feature is generally turned on by default with absolutely no security whatsoever.

The Insider Threat
With over $1B in printer sales in Q3 2010 alone, and with many of those devices being all-in-one printers, running across an HP scanner in the enterprise is certainly very common. What many enterprises don't realize, is that their scanners may by default allow anyone on the LAN to remotely connect to the scanner and if a document was left behind, scan and retrieve it using nothing more than a web browser. Ever left a confidential document on the scanner and sprinted back to retrieve it when you realized? Thought so.

Want to know if your office LAN has any wide open HP scanners running? Run this simple Perl script to to determine if there are any devices on the local network running HP web servers.


As everything is web based, an enterprising but disgruntled employee could simply write a script to regularly run the scanner in the hopes of capturing an abandoned document. The URL used to send the web scanned documents to a remote browser is also completely predictable as shown:

http://[Scanner IP]/scan/image1.jpg?id=1&type=4&size=1&fmt=1&time=[epoch time]

A script could therefore also be written to run once per second to capture any documents scanned using the Webscan feature.

The External Threat

Status screen

It's bad enough that many enterprises are running scanners that are remotely accessible by rogue employees, but what if those same scanners were accessible to anyone on the Internet? Whether intentionally set up as such or more likely accidentally exposed via a misconfigured network, there are numerous scanners exposed on the Internet, the majority of which are not password protected. In fact, HP kindly lets you know on the home page if sensitive functionality is password protected, by displaying the Admin Password status alongside other status information such as printer ink levels and the current firmware version. Interestingly, based on the sample set examined, there was a greater likelihood that HP Photosmart scanners were not locked down as opposed to Officejet scanners. This finding actually makes sense, given that Officejet scanners tend to be marketed to corporate users, a group that is hopefully more likely to implement security protections on hardware/software.

Likelihood of Admin password being set on scanner types identified

Example Google/Bing queries used to identify open scanners:

• "Estimate only. Actual ink levels may vary."
• inanchor:"page=printerInfo"
• "Estimated Ink Levels" "HP Photosmart" "Items Needing Attention"
• hp photosmart status "product serial number" "product model number"
• inurl:index.htm?cat=info&page=printerInfo
• inbody:"Estimated Black Ink Level"

Often, open-source information helps to confirm our suspicion about certain web transactions being tied to an infection or download of something malicious. While conducting analysis on the results from some of my scripts that extract out potentially suspicious web transactions, I found web transactions that appear to be tied to a bot with keylogger / drop site functionality. Searching for open-source information reveals little to no information on the server or threat.

The infected host does an HTTP POST every 5 minutes to the URL:

hxxp://216.108.234.168/scr1p7-r5.php

The IP is part of a US netblock, Las Vegas NV Datacenter PREMIANET, swipt out to a customer in the Ukraine (UA):

Vladimir Miloserdov SERVERPOINT-CUSTOMER-SYNEJY (NET-216-108-234-166-1) 216.108.234.166 - 216.108.234.197

Here is the customer information for this small netblock:

CustName: Vladimir Miloserdov
Address: So,136
City: Donetsk
StateProv: DN
PostalCode: 83054
Country: UA
RegDate: 2009-05-24
Updated: 2009-05-24

Below is a snippet of the transactions seen.
Notice that the size of the POST is larger than the response from the server - over 20000 bytes compared to a very short response of 168 bytes. This means that the client is regularly pushing a fair amount of data somewhere and not receiving anything other than a very simple acknowledgment back. In the case of a normal web application, pushing data to a server usually has a larger response such as a webmail or blog interface.


Visiting 216.108.234.168 responds with the default Apache response “It works!”

Open-source searches show that the IP is blocked in a few block lists due to spam, e.g., Project Honeypot.

At a minimum this netblock is suspicious and should be alerted/blocked within your organization.

Reaching out to some colleagues, helped to reveal that this beaconing is likely tied to the Swarft Banking Trojan due to the “scr1pt7-r#.php” phone home URL path. This is a relatively new Trojan family, the Microsoft threat entry states, that the Trojan steals data that may “include credit card numbers, tax returns, login credentials or any other informed deemed to be of interest to the attacker. The collected data is then surreptitiously sent to the remote attacker via a variety of electronic means.” Technical details of the Trojan do not appear to be readily available in the open-source- I am in the process of back tracking and reaching out to the impacted customer to get additional information on the Trojan and the incident. Any new details will be shared in a follow-up post.

Also, if anyone has details on the above-mentioned netblock or Swarft Trojan, feel free to post a comment.

Last week I wrote about 3 million fake YouTube pages leading to fake antivirus pages. The day after the blog was published, they seemed to be gone from the Google index,  as search results were showing only 2 to 4 of the malicious pages. But now...they are back again.

After my last post, some questioned whether or not there were actually 3 million fake YouTube pages in the google index. In fact, Google contacted me to suggest that there were only 77 results. I disagree. Why isn't the total number of results straight forward? Although Google's search results may state that approximately 3 million results exist, the search engine won't actually deliver that number of raw results. Given that fact, how can we know the total number of pages currently indexed by Google for a particular query? Only Google know the exact number, but by issuing various different types of queries, we can make a reasonable estimate.

Attempt to get all pages

Since all the pages contain "page.php?page=" in the URL, and "Hot Video" in the title, we can try a single query to find all of them with: inurl:"page.php?page=" "hot video"

The Google search results currently show "About 2,990,000 results" (the number varied between 2.8 million and .4 million), but there are only 8 pages of results (90 links) shared, or 12 pages (121 links) if we click on " repeat the search with the omitted results included". 

3 million fake YouTube pages?

It may look like Google has indexed "only" 121 fake "Hot Video" pages (despite suggesting ~3 million results), but other queries paint a different picture.

Domain query

Let's take the first domain hosting malicious pages from the first query: addisonhouse.com.

To find out the number of fake YouTube pages hosted by this domain, we can try the following query: site:addisonhouse.com "hot video"

Google states that there are "About 7,850 results" but actually shares 51 pages of results (512 links).

For the domain memoryshack.net, Google indicates "About 204 results" and provides a total of 204 links for this search. For the domain theochristi.com, I get 245 results, etc.

"Hot Video" pages hosted on addisonhouse.com

A first estimate

An initial estimate can be obtained by multiplying the number of domains seen in the first query by an average of 250 pages. This gives an estimate of the minimum number of pages in Google's index. The real number is very likely much higher.

The 90 results form the first query show 90 different domains. This means there are at least 90 * 250 = 22,500 pages.

Many more domains

Are there only 90 domains infected with "Hot Video" pages as the first query suggested? Unfortunately, there are many more. Fake pages are being created for each search term found in Google Hot Trends.

For example, I checked a search that was popular 6 days ago: erica blasberg "hot video". On page 2, I found a fake YouTube page on a domain that is not listed in the first query: elijasalud.com.
On page 3 of the results, there is another domain not seen in the first query: sklep.aicom.com.pl.
etc.

New domain infected shown for a different search

Google has clearly indexed more than 90 infected domains, but it remains difficult to know the exact number.

How many could there be?

Attackers create one "Hot Video" pages for each popular search as shown in Google Hot Trends. There are 20 hot searches each day, but one search can be popular for several days. I've checked a few infected domains, and found pages created for searches popular on June 1st. So there are pages for at latest 90 days of popular trends on each domain.

That gives us 90 * 20 = 1,800 pages. Assuming that a few search terms that are popular over several days, we can use an estimate of 1,500 pages per domain. If Google indexed (only) 100 of these domains, that would be 150,000 fake Video pages.

Only Google knows the exact number of infected domains indexed, and the total number of malicious pages. We estimate that they have at the very least , 22,500 such malicious pages in their index. The number of 3 millions "Hot Video" page is not however inconceivable. It means Google would have indexed:

• 2,000 infected domains with 90 days worth of Google Hot Trends
• or 1,250 infected domains with 120 days worth of Google Hot Trends

"Hot Video" in action

Here is a video of a user browsing a "Hot Video" page, and being redirected to a fake AV page. Then I uploaded the malicious executable to VirusTotal - sadly, only 20% of the antivirus vendors detect the malware.


-- Julien