Saturday, August 10, 2013

When Parked Domains Still Infect - and ZeroPark

Last night I was discussing the Kelihos botnet with some friends. There had been several previous attempts to “Kill Kelihos” and I decided to refresh myself on those. In doing so, I ran across the CrowdStrike listing of the “backup C&C domains” that were serviced by Fast Flux hosting in case the Kelihos node was unable to contact any Peer to Peer bots.

I decided to start by doing a status check on these domains. I was surprised that some of the domains were returning three IP addresses that were serving up the domain name. Here, for example, is what a "dig" revealed:

;                   IN      A

;; ANSWER SECTION:            120     IN      A            120     IN      A            120     IN      A
The list mentioned by CrowdStrike all had an active IP resolution, but I assumed they were most likely after such a long time part of somone's sinkhole. A sinkhole is a security researcher community technique of taking over a botnet's domain name so that any infected computers will report to the researcher rather than reporting to a criminal. This information can then be used to better document the botnet as well as being used to do clean up. I was pleased to see that SOME of the domains were sinkholed by friends. Others however, were more interesting. ( / / (  ( /  (  ( / / ( ( /
The grouping I focused on was the ( / / group, because getting three IP addresses back from a name query is sometimes an indication of Fast Flux. In this case, the three IP addresses are all hosted on Amazon's cloud.

At least 1600 other domain names are also hosted on this group of three IP addresses, which seems to have gone active as a trio somewhere about July 8, 2013. All of the domain names we noticed were either clearly "registered for abuse" names, in a variety of fraud categories from counterfeit luxury goods (,,, pharma spam domains (,,, pornography domains (,,, financial scams (,,,,, typo domains (,,,,,, tech-related scams (, or casino programs (

I've included a list of Dangerous Domains related to those three Amazon IPs. The point is that ALL of those domains sound like the kinds of things people may have complained about, and had someone "park" the domain or "suspend" the domain, which should stop big things from happening, right?


Many of these domains were registered at the Registrar "Internet.BS" which many researchers believe is a good name for a company that willingly registers so many domains for the criminals who spread so much BullShip on the internet. If you do a WHOIS query on any of the domains above, you will see a WHOIS record like this:

Domain Name:                                 TRXT.BIZ
Domain ID:                                   D50889714-BIZ
Sponsoring Registrar:                        INTERNET.BS CORP.
Sponsoring Registrar IANA ID:                814
Registrar URL (registration services):
Domain Status:                               clientTransferProhibited
Registrant ID:                               INTEDHXH6ZUE54VB
Registrant Name:                             Suspended Domain
Registrant Organization:                     Suspended by Registrar
Registrant Address1:                         98 Hampshire Street
Registrant Address2:                         Suspended domain
Registrant City:                             Nassau
Registrant Postal Code:                      4892
Registrant Country:                          Bahamas
Registrant Country Code:                     BS
Registrant Phone Number:                     +1.23456789
Registrant Email:                  
Name Server:                                 NS2.ZEROPARK.COM
Name Server:                                 NS3.ZEROPARK.COM
Name Server:                                 NS1.ZEROPARK.COM
Created by Registrar:                        INTERNET.BS CORP.
Last Updated by Registrar:                   INTERNET.BS CORP.
Domain Registration Date:                    Sat Jul 28 18:52:09 GMT 2012
Domain Expiration Date:                      Sat Jul 27 23:59:59 GMT 2013
Domain Last Updated Date:                    Mon May 13 19:30:34 GMT 2013, Let Me Infect You, and then Get Paid?

The big take-aways here are two things that ALL of the domains have in common:

The Registrant Email is ""

The Nameservers are "NS(1|2|3)"

Now, let's get into what happens if we VISIT one of these domains! First, ask yourself what you think SHOULD happen if you visit a "Suspended Domain?" Unfortunately what often happens is that you get sent to a website that makes money for the Registrar by showing you advertisements. But would you expect that it would infect you with malware?

I've been puzzling over what to do with this information for the past couple days. Unfortunately, there are at least three "variants" of malware that get installed when you visit, and the COOLEST of those variants, I have been unable to replicate. I start by visiting the "parked" domain associated with the old Kelihos C&C, redirects me to "" which then forwards me to "". This is consistent with the behavior I observed last night.

This warns me that I need to update my Flash Player:

Which takes me to an Install page:

Which prompts me to run a Setup.exe program:

This is our first piece of trouble. That file is detected by 6 of 45 Antivirus engines at VirusTotal as being malicious. It is called "AirInstaller" by those that detect it (Avast, Comodo, ESET-NOD32, Ikarus, Malwarebytes, VIPRE). Note that this is a DIFFERENT file than I received on August 8. I've run through this process at least a dozen times, and each received file has had a different MD5.

Running "setup.exe" SAYS it is running a Flash Installer for me:

But, the program crashes. How sad.

Why did it crash? Well, as soon as I started running the SETUP.EXE, I received a file from "" that my sandbox fetched using the user-agent "AirInstaller Detection RulesXML". This downloaded an XML file that is checking for the existence of various registry keys. The things it's checking for are interesting in themselves. In order, it looks for: Norton, Kaspersky, Windows Defender, Avast (3), AVG (5), NOD32 (2), PC Tools Spyware Doctor, AdAware (2), InstallIQ, McAfee (4), SiteAdvisor (3), Symantec (5), Windows Defender Enabled, Freeze Toolbar, Administrator, Not Administrator, StartNow in Path, Zugo, YontooLayers, ShopToWin, Babylon, Trend Micro Antivirus, enteo NetInstall, Lavasoft Adaware, DrWeb Antivirus, AniVir, Funmoods, Imininent64bit, Iminent32bit, IE6, 7, 8, 9, FireFox_Babylong, FireFox_Funmoods, Default Browser Chrome (or FireFox or IE), 50onRed (looking for Uninstall tags for things like RewardsArcade, TextEnhance, DropinSavings, VidSaver, IWantThis), Blekko Toolbar, Conduit Toolbar, ASK Toolbar, AVG Toolbar, Yahoo Toolbar, Wajam, YontooLayers, InfoAtoms, PCSpeedFix, Sendori, BlekkoMonti, and . . . a bunch more stuff. 373 "detect rule" tags in all.

(I've included a link to the AirInstaller Detection XML Rules here ... interesting reading ... note the large number of Lyrics sites and programs that are checked for, such as LyricsMonkey, LyricsPal, LyricsTube, AutoLyrics, AddLyrics, SingAlong, findlyrics, CoolLyrics, EZLyrics, GetLyrics, LyricsFan, LyricsOn, LyricsShout, M-Lyrics, Lyrmix, SuperLyrics, LyricsKid ... hmmm...a puzzle for another day.)

The wwwQwikster redirection has an interesting disclaimer regarding their so-called Flash Player Update: is distributing custom installers which are different from the originally available distribution. These new installers comply with the original software manufacturers’ policies and terms & conditions. These installers are install managers, which manages the installation of your chosen software. In addition to managing your download and installation, they will offer free popular software that you may be interested in. Additional software may include toolbars, browser add-ons, game applications, anti-virus applications, and other types of applications. You are not required to install any additional software to complete your installation of your selected software. You can always completely remove the programs at any time in Windows’ Add/Remove Programs.

The program this time was called "Flash Player 12.exe" and as before, VirusTotal detected this as "AirAdInstaller" with 6 of 45 detections, although this time it was a different MD5.

On August 10th, Ikarus is now naming the current "Flash Player 12.exe" "not-a-virus:AdWare.Win32.AirAdInstaller". Perhaps they would like to tell us why the malware claims to be installing Adobe Flash Player?

The FlashPlayer version is being dropped from:

The "sov" and "hid" values change every time the file is fetched. The "id=aRON-verid60" has been consistent.

An Odd Norton install

The third option for what gets installed starts with being told you need a new FLV player instead of the Flash Player. You get forwarded to "" where the file "FlvPlayerSetup.exe" is downloaded. GreatAppsDownload has an affiliate program where they reward people for forcing file downloads. Apparently our friends at ZeroPark are members.

I'm going to run through the series of screen shots that I took from that . . .

After clicking on ANY of the parked domains, there is a chance (I don't know the determining factors) that you will be redirected to

Note the exact same disclaimer language that we had on, saying that the Installers have been customized.

FlvPlayerSetup.exe downloads . . .

Claiming to be published by "Coolapptech"

The install wizard runs . . .

The install won't complete unless you load Flash Player. The link really does take you to Adobe.

At the end of the FLV Player Setup, we are offered a Free Norton Security Scan! Of course we said "Yes!"

It turns out that FLV Player is a trojaned version that also installs "Delta Search". Delta causes random phrases on your web pages to be underlined providing absolutely unrelated links if you click on them. Here we click the link for "Video Player" and get taken to an AOL CareerBuilder website.

This screen shows us that the Delta Search is actually forwarding us THROUGH "" where "affiliate=63051" is getting the credit for our referral to CareerBuilder.

The Norton System Scan SEEMS to be a legitimate product. It runs from this path:

"C:\Program Files\Norton Security Scan\Engine\\Nss.exe"

Ending with a visit to the Norton AntiVirus store (my exact URL, from August 10, 2013 at about 3:15 PM Central Time:

If I click one of the Buy Now links, the URL, listed below, may have some information about the Affiliate that would be useful to our Norton friends: