Tuesday, April 14, 2009

Conficker's Scareware/Fake Security Software Business Model

It doesn't take a rocket scientist to conclude that sooner or later the people behind the Conficker botnet had to switch to monetization phase, and start earning revenue by using well proven business models within the cybercrime ecosystem.

Interestingly -- at least for the time being -- there's no indication of mainstream advertising propositions offering partitioned pieces of the botnet, managed fast-fluxing services (Managed Fast Flux Provider; Managed Fast Flux Provider - Part Two), hosting of scams and spam, examples of which we've already seen related cases where a money mule recruitment agency was using ASProx's fast-flux network services, next to Srizbi's botnet managed spam service propositions.

How come? Pretty simple, starting from the fact that scareware/fake security software as a monetization process remains the most liquid and efficiently monetized asset the underground economy has at its disposal. The scheme is so efficient that the money circulating within the affiliate networks are often an easy way for cybercriminals to quickly money launder large amounts of money in a typical win-win revenue sharing scheme.

The Conficker gang is monetization-aware, that's for sure. But they forget a simple fact - that in a cybercrime ecosystem visibility is not just proportional with decreased OPSEC (Violating OPSEC for Increasing the Probability of Malware Infection), but also, that despite their risk-decreasing revenue sharing model, the "follow the money trail" practice becomes more and more relevant.

The most recent variant (Net-Worm.Win32.Kido.js) is the group's second attempt to monetize the botnet, following by the original Conficker variant's traffic converter connection pushing fake security software. According to Aleks Gostev at Kaspersky Labs:

"One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com., spywrprotect-2009.com, spywareprotector-2009.com."

Regular researchers/law enforcement followers of the Diverse Portfolio of Fake Security Software series are pretty familiar with the SpywareProtect brand. Therefore, it's time to familiarize ourselves with the rogue SpywareProtect through the revenue earning scheme the latest Conficker variant is using. Among the currently active/recently registered SpywareProtect portfolios are managed by Geraldevich Viktus Email: krutoymen2009@inbox.ru and conveniently just like Kaspersky states, are all parked in Ukraine.

In case you remember according to SRI International's Analysis of the Conficker worm, the authors did signal a national preference since the first release "randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database." and also "Conficker A incorporates a Ukraine-avoidance routine that causes the process to suicide if the keyboard language layout has been set to Ukrainian." followed by a third Ukrainian lead, namely the fact that "on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors.  Specifically,  we observed two Conficker B URL requests sent to a Conficker A Internet rendezvous point: * Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine; Connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina."

SpywareProtect's current portfolio is hosted in Ukraine as follows:
spy-wareprotector2009 .com ( Ukraine Bastion Trade Group, AS48841, EUROHOST-AS Eurohost LLC
spyware-protector-2009 .com
spy-protect-2009 .com
spywprotect .com

The second portfolio is also parked in Ukraine as follows:
sysguard2009 .com ( AS34187, RENOME-AS Renome-Service: Joint Multimedia Cable Network Odessa, Ukraine
swp2009 .com
spwrpr2009 .com
alsterstore .com
adwareguard .net

In a typical multitasking fashion, a connection between some of these very latest SpywareProtect portfolios (e.g spywrprotect-2009 .com) can be established with Zeus crimeware campaigns, since particular droppers have been known to have been installing the scareware next to Zeus crimeware used to be hosted at the following locations:

capitalex .ws/adv.bin (
cashtor .net/tor22/tor.bin (
goldarea .biz/adv.bin (

It's also worth pointing out that every time the Conficker authors claim their payments from the affiliate network in question, they expose themselves which makes me wonder one thing. Are the hardcore Conficker authors directly earning revenue out of the scareware, or are they basically partitioning the botnet and selling it to someone who's monetizing it and naturally breaking-even out of their investment?

In a network whose activities will inevitably start converging with the rest of the cybercrime ecosystem's participants' activities -- the Waledac connection -- it's crucual to keep the track-down-and-prosecute process as simple as possible. In this case - the Conficker authors'/customers of their botnet services asset liquidity obsession, may easily end up in someone's $250k reward claim. Patience is a virtue.