Research Saturday 8.18.18
Ep 49 | 8.18.18

Stealthy ad fraud campaign evades detection.


Dave Bittner: [00:00:00] Before we start today's Research Saturday show, a quick thank you to everyone for listening and for the positive feedback we've been getting, and also a reminder that we're always looking for interesting research to share. It doesn't cost anything to be a guest here on Research Saturday, so if you've got some work you'd like us to consider, head on over to our website, On the Research Saturday page, you'll find a call for interviews where you can tell us what you're up to. Thanks.

Dave Bittner: [00:00:30] Hello everyone, and welcome to The CyberWire's Research Saturday, presented by the Hewlett Foundation's Cyber Initiative. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down threats and vulnerabilities, and solving some of the hard problems of protecting ourselves in a rapidly evolving cyberspace. Thanks for joining us.

Dave Bittner: [00:00:53] And now, a moment to tell you about our sponsor, the Hewlett Foundation's Cyber Initiative. While government and industry focus on the latest cyber threats, we still need more institutions and individuals who take a longer view. They're the people who are helping to create the norms and policies that will keep us all safe in cyberspace. The Cyber Initiative supports a cyber policy field that offers thoughtful solutions to complex challenges for the benefit of societies around the world. Learn more at

Dave Bittner: [00:01:28] And thanks also to our sponsor, Enveil, whose revolutionary ZeroReveal solution closes the last gap in data security: protecting data in use. It's the industry's first and only scalable commercial solution enabling data to remain encrypted throughout the entire processing lifecycle. Imagine being able to analyze, search, and perform calculations on sensitive data, all without ever decrypting anything. All without the risks of theft or inadvertent exposure. What was once only theoretical is now possible with Enveil. Learn more at

Bogdan Botezatu: [00:02:09] Well, we identified Zacinlo a little bit earlier last year. I think it was mid-year.

Dave Bittner: [00:02:15] That's Bogdan Botezatu from BitDefender. He's a Senior Research Analyst, and the research we're discussing today is titled "Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation."

Bogdan Botezatu: [00:02:28] Well, we were looking for some samples that looked to be a rootkit. That's what we were after. So we were looking through our malware zoo, looking for similar samples to other kits we had under the microscope, and we realized that we had some samples for quite a while that we didn't look at. So, when we opened them up, we realized that they had not been documented before.

Dave Bittner: [00:02:53] I see.

Bogdan Botezatu: [00:02:53] It took us about a year to carry this research, because of the sheer complexity of the malware.

Dave Bittner: [00:02:59] Yeah, and it is a complex bit of malware. So, let's begin at the beginning here. Walk us through what's going on here, and how does one find themselves infected?

Bogdan Botezatu: [00:03:09] The initial attack avenue looks to be a fake VPN solution that a user downloads hoping to have their web traffic shielded from snooping. However, under the fake interface, there's nothing that provides a VPN service, but rather a complex downloader that brings all these components to the user's computer, and then starts mining for ads and clicking discretionarily on these ads.

Dave Bittner: [00:03:37] So there isn't actually a real VPN running, it's just a fake interface.

Bogdan Botezatu: [00:03:42] Exactly. And what we saw in our telemetry is that it mostly affects United States customers, along with several other countries. We presume that this VPN application has been advertised. Hackers have kind of created some marketing campaigns around them, maybe some landing pages, maybe they bought some advertising leading people to these downloads, maybe some social media advertising, and so on. Because the malware is strictly spread across several countries, while other countries do not see any traces of this incident.

Dave Bittner: [00:04:15] Interesting. Well, let's walk through it step by step here. So someone, they install what they think is this VPN software, and that's when the malware kicks into gear? What happens?

Bogdan Botezatu: [00:04:27] The malware brings some extra components on the system, some of them being related to displaying ads, and some of them being related to cloaking the malware from the operating system, or from the antivirus itself. And this was the part that actually caught our attention, because there are several families of advertising fraud bots spread across the Internet, but none of them seems to be as resilient or as difficult to remove as this family of malware.

Bogdan Botezatu: [00:05:00] This is something that you don't see often when working in cybersecurity. Rootkit-based malware is still under one percent of the global amount of infections we see. That's why we treat it as a special day when we see rootkit-based malware working on Windows 10, for instance.

Dave Bittner: [00:05:19] And it does focus on Windows 10, so once it gets installed, what happens next?

Bogdan Botezatu: [00:05:25] The user will have no idea what's happening, because the malware is very, very optimized for silence. Unlike crypto-ransomware, for instance, which displays immediate signs of infection, this piece of malware can only produce money for its owners for as long as it runs on the computer. So the longer the detection timeframe, the more money it's able to make for the bad guys. It stays silent and undetected. It does a security sweep of your computer to see if you are infected with other malware or not. If it finds competing adware products on the computer, it will try to uninstall them in order to make sure that it gets the most attention.

Bogdan Botezatu: [00:06:05] And by the most attention, I mean that it redirects all the computing power towards what it's instructed to do. It opens up browsers in invisible windows, and it starts loading the hacker's ads inside. It has a very nice feature because it mimics user behavior. In those invisible browsers, it displays content along with the hackers ads, and it mimics like there's a human person looking at the browser's window. It scrolls up, down, it underlines words, and so on, in order to trick the machine learning algorithms trained to spot fraud. It impersonates basically the human's behavior to trick the advertisers' antifraud detection mechanisms into thinking that that's legitimate behavior coming from the user. Of course, it clicks on those ads from time to time, and each click on the ad gets it a cut of the commission.

Dave Bittner: [00:07:00] So that's how they're making money, is by generating these artificial clickthroughs?

Bogdan Botezatu: [00:07:06] Yes, this behavior is called advertising click fraud, and it has been around for a while. But the Zacinlo malware takes it to a whole new level. It's much more sophisticated, it's extremely configurable, and this is what made it last for so long. The malware has operated for the past six years undetected.

Bogdan Botezatu: [00:07:27] Even if security solutions at some point might have caught it, it didn't draw enough attention to warrant a full review of the malware. So, maybe it was mistaken as a generic Trojan, or maybe it was labeled as a traditional ad fraud abuser. But what's inside of Zacinlo is basically a technological goldmine. It can conceal itself from the operating system. It can impact the antivirus' operation on that machine. It looks for specific processes and tries to kill them in order to stay undetected.

Bogdan Botezatu: [00:08:02] Most likely it is very effective, because judging by the number of updates we've seen--more than 2,500 updates in the past six years--this operation requires heavy maintenance, and hackers have put a lot of effort into improving it, into maintaining it, making sure that it's tested and it works great. So they have some sort of quality assurance processes. Maintaining this kind of malware is expensive, so probably they're getting a lot of revenue by just operating them to justify the effort.

Dave Bittner: [00:08:35] And I suppose they may be investing in advertising this fake VPN, so they may be putting some money out there as well.

Bogdan Botezatu: [00:08:43] Yes. In the business world, in the real business world, you have to fork out money to make money. And this happens to the cybercrime ecosystem as well. More and more cyber criminal groups actually operate like businesses. For instance, they advertise themselves, or they invest a lot of money in adding high quality translations for ransomware, for instance, that goes international, and it has to be localized into the user's native language to maximize their revenue, and so on. So yes, I think that there's a lot of effort cyber criminals have put into developing, maintaining, and advertising this strain of malware.

Dave Bittner: [00:09:22] Now, this malware has some fairly sophisticated methods for maintaining persistence. Can you take us through what's going on there?

Bogdan Botezatu: [00:09:30] Yes, the first thing that's noticeable is the way the rootkit protects the entire malware and its files. It's the first step towards persistence, because just by shielding it with such an advanced technology, the antivirus solution cannot detect and block any of its components.

Bogdan Botezatu: [00:09:47] Secondly, in order to minimize the noise, the malware makes a lot of use of the Windows Registry to store configuration files, to store binary files, and to make sure that there's no file left, you know, when the reboot or shut down operation is initiated. It dissolves itself by overwriting all the files with zeroes. So, in case of a forensic analysis between restarts for instance, there's no traces left behind for a security company, for instance, to analyze. This is quite an advanced job that we rarely see in commercial deployments of malware.

Dave Bittner: [00:10:26] So, it's loading itself into RAM when the system boots, and then operating, and then on shutdown it scrubs the files that it loaded from, and then rewrites random files. Am I following you correctly there?

Bogdan Botezatu: [00:10:40] Yes, exactly. It creates new files in new locations in order to perpetuate this infection. So even if you knew the previous locations where the malware hides its files, after a new restart most of the files were relocated somewhere else. It gives the security solution a run for its money while its operating.

Dave Bittner: [00:11:01] And how does it go about evading antivirus and other security solutions?

Bogdan Botezatu: [00:11:06] The first thing that the malware does is looking for processes that are known to be associated with security solutions. It looks inside the processes memory for strings that might give away the fact that there is a security solution. Secondly, it looks at the digital certificates of the processes running into the memory, and looking for known vendors of security solutions. And, because it has tremendous access to the operating system's kernel, the malware can actually shut the security solution down, or at least cripple several of its processes in order to make sure that the antimalware solution does not run a scan on those files.

Dave Bittner: [00:11:48] Now, what is going on in terms of communications with the command-and-control server?

Bogdan Botezatu: [00:11:53] The communication with the command-and-control server is extremely complex. The malware has several components that talk to the command-and-control center trying to get new campaigns and making sure that the bots installed on the computer are running the latest version available, and they download the new versions if the bots are outdated.

Bogdan Botezatu: [00:12:14] There is also an extremely well-written framework that acts as a downloader to minimize the noise it creates on the computer. It uses a scripting language that's called Lua, which is not the go-to tool for writing these kind of updaters, just to make sure that it doesn't look suspicious to the antivirus when it downloads files from the command-and-control center. It also reports to the command-and-control center the user's configuration on some machine specific things, and the operating system the user installs.

Bogdan Botezatu: [00:12:51] Additionally, it also sends screenshots to the command-and-control center. This is extremely unusual for a piece of aggressive adware. It's more accustomed to banking Trojans or to advanced persistent threats. But we presume that it's not intended for data exfiltration, but rather to make sure that the malware does not crash. By sending screenshots every several minutes to the command-and-control center, the malware tells the crooks that there are no browser windows visible that shouldn't be visible, that the malware does not generate errors, that there's no security solution installed and blinking all the bright lights red on the victim's computer, and so on.

Bogdan Botezatu: [00:13:33] And the last part of the command-and-control center handles the way ads get delivered. These hackers have put up a very interesting mechanism that updates the advertising campaigns in real time. The command-and-control center sends what ads should be displayed and clicked by the malware, and it also sends the publisher IDs that should get the revenue for these clickthroughs. So, hackers have some sort of a failback mechanism. If one of the advertiser IDs get blocked for abuse, they will send different advertiser IDs to cash the money.

Dave Bittner: [00:14:12] Now, given the sophistication of what's going on here, what are your notions in terms of attribution? Do you have any sense for who's behind this?

Bogdan Botezatu: [00:14:21] It's very difficult to tell. Because it targets a wide range of geographies from the United States to Indonesia, it's very hard to tell who is behind it. Secondly, this is a commercial threat, so it doesn't use or reuse techniques or tactics that we have seen in the past used in advanced persistent threats or in different malware families. It looks like it's a standalone operation that is operated by somebody who didn't have any contact or didn't have any previous operations that we know of. That's the beauty of advertising fraud. These guys can be pretty much anywhere in the world and targeting different countries. So it's very difficult to attribute it to a specific actor or to a specific country.

Dave Bittner: [00:15:07] So, what are your recommendations in terms of people protecting themselves against this?

Bogdan Botezatu: [00:15:11] First and foremost, good protection starts with good prevention. The first and most effective way of staying safe is having a security solution that's able to intercept that fake VPN installer in the first place.

Bogdan Botezatu: [00:15:25] Secondly, when it comes to this specific attack, a rootkit-based piece of malware can compromise the system and the antivirus running on top of it, so its very difficult to remove it unless you either format the computer and install a new operating system from scratch, or you use a live CD to boot a security solution in rescue mode and run a system scan outside of the operating system. The operating system will lie to the antivirus and to the user as to whether it's infected or not. Because that's the mission of the rootkit: to conceal the infection from the security solution and from the user. That's why we highly recommend that the users get a bootable USB drive or a live CD, if they have a CD slot on their machines, and boot from that live CD or USB drive to initiate a scan.

Dave Bittner: [00:16:22] Now, is there an easy way for someone to check to see if they're infected by this?

Bogdan Botezatu: [00:16:27] The only way that would work one-hundred percent is to use a live CD. By initiating a scan from inside the operating system, you wouldn't get accurate results. But be aware that whenever your antivirus behaves erratically, or your computer is sluggish, this could be a telltale sign of infection. So, if you have any doubts, you should run a live CD. Some antivirus solutions have the option of reboot into a rescue mode from the user interface. So there's no need to burn a CD or create a USB installer if your antivirus solution supports booting into a rescue mode.

Dave Bittner: [00:17:05] Now, what is your sense for how widespread this is, and are there, is it hitting specific types of systems, and are other types of systems not at risk?

Bogdan Botezatu: [00:17:14] We have seen it working on most modern operating systems. Oddly enough, all of the reports show that most of the victims run Windows 10, Windows 8, Windows 8.1, or Windows 7. We don't have one single victim that runs Windows XP, for instance. Normally, you would expect these kinds of threats to affect obsolete operating systems or unsupported operating systems. It's a good sign that hackers are riding on the adoption wave of modern operating systems, and they are developing with the new platforms in mind. So, they're aligning their creations to the newest operating systems to make sure that they make the most of the new systems.

Bogdan Botezatu: [00:17:55] Also, most likely, whoever's got Windows 10 installed on their computer, chances are that they have a very new and very powerful computer, that has much more resources that can be redirected to advertising frauds than other people running Windows XP, for instance.

Dave Bittner: [00:18:18] Our thanks to Bogdan Botezatu from BitDefender for joining us. The research is titled "Six Years and Counting: Inside the Complex Zacinlo Ad Fraud Operation." We'll have a link to it in our show notes. You can also find it on the BitDefender website.

Dave Bittner: [00:18:35] Thanks to the Hewlett Foundation's Cyber Initiative for sponsoring our show. You can learn more about them at

Dave Bittner: [00:18:43] And thanks to Enveil for their sponsorship. You can find out how they're closing the last gap in data security at

Dave Bittner: [00:18:51] The CyberWire Research Saturday is proudly produced in Maryland, out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technology. The coordinating producer is Jennifer Eiben, editor is John Petrik, technical editor is Chris Russell, executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.