Icepol MDN - A Server Snapshot

Bitdefender researchers have gained access on September 26, 2013 to the disk images of a server network which was being used to distribute the ICEPOL trojan and to run pay per click campaigns. They have analyzed the software, hoping to glean insight into the malware distribution network.

A. Pay-per-click

The pay-per-click module, named tds (5.*.*.*: *-delivery.org) or tdsx(5.*.*.*: *network.com) simply redirects incoming traffic to a list of domains, presumably paying advertisers or other trojan distribution sites. The traffic is directed according to an administrator-set list of filter rules, such as country of origin, operating system, browser type or maximum number of clicks allowed. When the ‘unique’ rule is set, the server will only redirect traffic from a certain IP once. If certain conditions are not met, the server redirects traffic to Google or returns not_found. The server logs all redirects in a data base.

B. Registering malware distribution domains

The component is hosted on xstats.org (93.*.*.*:99) in a folder called xstats.biz (probably the previous domain). A PHPMyAdmin interface is accessible on port 6598.

Domains are auto-generated, on demand, by concatenating four words from a dictionary which contains 551 pornography-related words. The IP address of the new host is chosen from a list of 45 unique IP addresses. The new domain name is registered automatically by a script which connects to my.ultra*.ru with the user name *@gmail.com

C. Downloading and distributing malware

The distribution method suggests a pyramid scheme, as the analyzed server downloads files from the another domain but functions, itself, as a malware download location for sub-affiliates.

The component, named promo/promox, downloads malware to 5.*.*.* from soft*.biz.

Once downloaded, the malware is saved to disk in several copies, as an .exe or .zip file named movie1080p.mkv.exe, movie1080p.mkv.zip, Security _Update_12.exe, Security_Update_12.zip, Flash_Update_12.zip or Flash_Update_12.exe.

A download link is constructed using a registered domain and the local path to the malware binary. The link is then injected in one of a number of HTML templates – a fake porn site, a fake Flash Player update or a fake antivirus page, claiming to have found a huge number of infected files.

If certain conditions are not met, the server returns not_found or redirects visitors to Google.

An unused script named bpromo.php contains the IP 46.*.*.*, but as the server logs don’t reference this IP, it is probable that the script was never used.

In the logged timeframe (May 1 to September 26, 2013) the server had logged 267786 successful installs, most of them in the United States of America.

The Icepol ransomware adds itself to the Startup Registry key in order to ensure persistence after every reboot. As soon as the computer starts, the screen gets locked and displays a message in the user’s language, if the user is located in a country that speaks one of 25 languages. The message states that the computer got locked as suspicious activity (download of copyrighted material or of “illegal pornography”) was detected. Of course, the system can be unlocked by paying a ransom, euphemistically described as “fine”.

The amounts pilfered are also listed in the server logs, and amount to 158376 for the studied period, with the most money being scammed from the US (32176.78).