Malvertising on Yahoo YieldManager, spreading ransomeware acting as Federal German Police (BKA)--Help solve the puzzle!

Help us solve the puzzle!
(credits: Wayne Huang, Chris Hsiao, NightCola Lin)

Over the past few days, our HackAlert scanning farm has constantly detected malvertising on Yahoo YieldManager (RightMedia). Since YieldManager is one of the world's largest ad networks, websites worldwide, big and small, have all been hit. Fortunately, the exploit server is only serving the malware to German visitors.

In our following video, we demonstrated how Ziddu was thus infected to serve this German ransomware to its visitors. According to CheckSiteTraffic.com, Ziddu enjoys 1,492,133 page views and 364,825 unique visitors per day.

The malware pretends to be a crime-detection software from the Federal German Police. It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.
(Above: ziddu.com hit by malvertising on Yahoo YieldManager (RightMedia)

(Above: Even Japanese sites were hit)

(Above: The installed Ransomeware--acting as Federal German Police (BKA))


Below is our video report:


Table of contents
[Summary]
[Attack Trace]
[Malvertising Analysis--The Puzzle]
[The malware]

[Summary]

Incident type: Malvertising
Incident subtype: Drive-by download, ransomware
Responsible ad network: Yahoo YieldManager (RightMedia)
Affected websites: Very large websites like ziddu.com to worldwide websites large and small. Ziddu for example has 1,492,133 page views and 364,825 unique visitors per day.
Affected visitors: German visitors only
Fake advertiser: kineticgames.info
Exploit server: BlackHole exploit pack running on town.incredibleoutcomes.com
Malicious domains:
kineticgames.info (184.172.216.234, ASN 36351, US Dallas)
sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)
town.incredibleoutcomes.com (195.200.90.129, ASN 35524, Ukraine)
bundespol.net (188.229.97.2, ASN 44872, Romanina)

Associated names and emails:
einzahlung@bundespol.net
Vasiliy Pushkin, vasili006@gmail.com
Piotr Pushkin, pppiotr88@gmail.com

[Attack Trace]
Using ziddu.com as example.

Link 1: (Publisher)
Ziddu's website includes the following ad tag:
<IFRAME FRAMEBORDER=0 MARGINWIDTH=0 MARGINHEIGHT=0 SCROLLING=NO WIDTH=728 HEIGHT=90 SRC="http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90&section=836122"></IFRAME>
Link 2: (Ad Network) http://ad.globe7.com/st?ad_type=iframe&ad_size=728x90§ion=836122 is loaded, which contains javascript that generates an iframe to:

Link 3: (Ad Network) http://ad.globe7.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which throws back an HTTP 302 redirect to:

Link 4: (Ad Network) http://ad.yieldmanager.com/imp?Z=728x90&s=836122&_salt=2314211323&B=10&u=http%3A%2F%2Fwww.ziddu.com%2F&r=0, which contains javascript that generates an iframe to:

Link 5: (Ad Network) http://ad.globe7.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which throws an HTTP 302 redirect to:

Link 6: (Ad Network) http://ad.yieldmanager.com/iframe3?2YA.ABrCDABgVKUAAAAAAMWJKAAAAAAAAgAEAAYAAAAAAP8AAAACBvPdGQAAAAAAIrsPAAAAAACYIzUAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABZlQYAAAAAAAIAAwAAAAAAASuHFtnOtz8BK4cW2c63PwErhxbZzsc.ASuHFtnOxz8zMzMzMzPTPzMzMzMzM9M.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACkuxJPXfCjCqRit3MeuQtEnvXOi1a6Cp0X0hsNAAAAAA==,,http%3A%2F%2Fwww.ziddu.com%2F,B%3D10%26Z%3D728x90%26_salt%3D2314211323%26r%3D0%26s%3D836122,a5451910-d1f1-11e0-906f-87d5341e0e89, which contains javascript that a) displays the malicious ad, and b) generates an iframe to the exploit server. Note the iframe URL ends with .jpg in order to disguise and be less obvious.
(full copy-able text can be found on snipt here>
Link 7-a: (Fake Advertiser, Creative) http://kineticgames.info/images/728x90-1-1.gif, which is the actual malicous creative (malvertisement).
Link 7-b: (Fake Advertiser, malicious script) http://kineticgames.info/pubage/728x90.jpg, although the URL ends in .jpg, it's actually serving HTML containing an iframe pointing to:

Link 8: (Malicious redirector) http://sahoreen.in/hitcounter.php?u=pubage, which contains an iframe pointing to:

Link 9: (Malicious redirector) http://belygaur.in/ts/in.cgi?pubage, which throws an HTTP 302 redirect pointing to the exploit server:

Link 10: (Exploit server) http://town.incredibleoutcomes.com/index.php?tp=7058439543afabcf, serves BlackHole exploit pack. This isn't a malicious domain registered by the attacker, but a legitimate but compromised domain.

[Malvertising Analysis--The Puzzle]

Below are some causes of malvertising:

a) The attacker pretends to be a legitimate advertiser, submits a malicious ad (malvertisement) to an ad network, and tricks the ad network into accepting the submission.

b) The ad network was compromised, and the attacker injected malicious scripts into a link in the ad-serving chain.

So which case is this? Well for this particular case, it was a bit difficult for us to determine.

Upon first look, it seems to be case (a), because the advertiser in this case--kineticgames.info (184.172.216.234, ASN 36351, US Dallas), has a whois record with a Russian name and street address, yet is using an US IP and an Indian domain name for its name server (ns1.plumdook.in).

HOWEVER, the domain was registered on Aug 9th, 2010, which was a year ago, and from the screenshot below you can see that it sees to be quite a legitimate website:
Compared to many malvertising incidents we've studied, most fake domains will have been registered very recently and will either not have any website content, or will have content illegally mirrored (copied) from other websites.

This doesn't seem to be the case. So, is it case (b), where kineticgames.info is indeed a legitimate website, but have been compromised to serve malvertisements?

Seems reasonable, but only until we look at the other associated malicious domains. These are:

sahoreen.in (184.172.216.234, ASN 36351, US Dallas)
belygaur.in (184.172.216.234, ASN 36351, US Dallas)

These two domains were both created very recently, on the same day--July 7th, 2011. The whois records show the registrant to be "Piotr Poshkin," which resembles kineticgames.info's current "Vasiliy Pushkin." Furthermore, the phone number, street address, and zip codes are exactly the same as kineticgames.info's.

Kineticgames.info actually has a sister domain name: kinetic-games.com, registered on the same day last year (Aug 9th, 2010), and serving the same content. Both were initially registered under Bob Stevenson of Spain. Then, on July 14th and July 17th, 2011, kinetic-games.com and kineticgames.info were respectively transfered to the current contact (according to whois records) "Vasiliy Pushkin" of Russia.

Could it be, that it is the new owner, who is intentionally doing malvertising using these domains and the website, because the identity is seemingly legit?

Or could it be, that none of these matters, and that kineticgames.info simply have been hacked into and the attackers used it to submit malvertisement, and intentionally registered the malicious redirector domains sahoreen.in and belygaur.in to have whois records that resemble that of kineticgames.info?

Finally, two additional pieces of important information. First, according to Internet Archive (Wayback Machine), as of Jan 28th, 2011, kinetic-games.com had no actual website content--the owner was just registering the domain to sell as a premium domain:

Second, the website as of now, contains lots of vulnerabilities. It should be quite easy for someone to hack into both websites.

So what's the deal here?

We cannot make a conclusion right here. Perhaps the reader can help solve the puzzle?

[The Malware]

The malware pretends to be a crime-detection software from the Federal German Police. You can see in the screenshot above, it's using logo stolen from the real Federal German Police (Bundespolizei). It claims to have found child pornography along with other illegal content on the victim's computer. It claims that the victim's IP, OS, location, ISP, etc, have all been recorded, and locks down the computer completely, "to prevent further abuse."

A fine of 100 Euros must be paid within 24 hours to unlock the computer, or else all data will be deleted. We are in the process of informing all parties involved. This is our report.

This thread of ransomware has been around for a few months already, but improvements seen in this version include:

a) They now have an email "einzahlung@bundespol.net" that somewhat resembles the Federal German Police, who uses "@bundespolizei.de. The domain was registered through Bizcn.com, a registrar in China.

b) They now support two payment gateways, UKash and paysafecard.

Below is a translation of the text:

Attention!

Illegal operational activities have been detected. Based on laws of the Federal Republic of Germany, the system has been locked. The following legal violation has been detected: Your IP _______ was detected to have visited pages containing pornography, child pornography, bestiality and violence against children. At the same time, your computer has been identified to contain video files involving pornography, violence, and child pornography content! Furthermore, spam emails containing terrorism content were also sent from here. Your computer is therefore locked in order to eliminate the above illegal activities.

Your details:
IP, location, OS, ISP, etc.

In order to unlock this computer, you are obligated by law to pay a 100 Euro fine. You must make the payment within 24 hours. If payment has not been made within the allotted time, your hard disk will be irreversibly formatted.

1) Payment via Ukash:

To perform the transaction, please enter your purchased voucher code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

2) Payment via paysafecard:

Please input the code into the payment textbox and press OK. In case of errors, you should email your code to einzahlung@bundespol.net.

8 comments:

Venom14 said...

The German used in the malwaretize is such a worse automatic translation that the creator cant be German at all. The text itself is OK but the title line seems so strange that I doubt that any German user would believe this ad.
It sounds more like "It is the illegal activity uncloaked". 
As German is a complex but very exact language and public services tend to use it in the most sophisticated way I suppose that Germans wouldn't fall into this trap. 

Wayne Huang said...

Thanks @955afeae206f1f49358652a8102fc19b:disqus . As we wrote int he post

Cheap Purses said...

I
have came to reading this feature thats its really informative.In my point of
view gender solicitation is good but we should not gender discriminate
Thanks. 

cheap domain registration said...

Amazing blog, I am regular visitor of this website, keep up the good work.

Admin said...

Nice blog. I will keep visiting this blog very often.

glyco-flex said...

Hello. It is very rare these days to find blogs that provide information
someone is looking for. I am glad to see that your blog share valued
information that can help to many readers. Thanks and keep writing!

actos drug lawsuits said...

It's quite interesting, I've ever quite understand this matter but now thanks to you I do. I can't wait to read more articles from you.

Anita Yang said...

Taiwan should be proud of Armorize! I think
Proofpoint made a brilliant decision, and together we'll become a shining star
in the world's fight against APT. For Armorize, this is our first homerun, and
there will be many more to come!

Post a Comment