The fraudulent webpage encourages users to "download 128-bit Digital Certificate software and enjoy all Google Adwords services security", and features a large "Download now" button:
Thirty different email subject lines have been used so far:
Account Protection! Google Adwords Alert
Account Protection! Google Adwords is dedicated to protecting your privacy
Account Protection! Google Adwords pad lock and encryption features help to ensure you
Account Protection! Google Adwords Security and Identity Protection Newsletter
Account Protection! Google Adwords Security Update
Account Protection! Google Adwords Services
Account Protection! Google Adwords Services Contacts
Account Protection! How does Google Adwords protect my information?
Account Protection! How does Google Adwords protect my privacy and personal information?
Account Protection! Visit a Google Adwords Center
Account Protection! What is Google Adwords Security SSL?
Google Adwords - protect your account
Google Adwords Alert
Google Adwords Customer Service
Google Adwords fraud
Google Adwords Guards and Protects Your Information
Google Adwords is dedicated to protecting your privacy
Google Adwords pad lock and encryption features help to ensure you
Google Adwords Security
Google Adwords Security and Identity Protection Newsletter
Google Adwords Security News
Google Adwords Security Update
Google Adwords Services
Google Adwords Services Contacts
Google Adwords uses a wide variety of fraud
How does Google Adwords protect my information?
How does Google Adwords protect my privacy and personal information?
What is Google Adwords Security SSL?
Regardless of the subject, each email stresses the importance of having a 128-bit SSL security, and says that browsers which do not have it will not be able to login to Google Adwords after September 24th.
Here's one example:
Attention GOOGLE ADWORDS Customers!
For certain services, such as our advertising programs, we request 128-bit SSL security information which we maintain in encrypted form on secure servers.
We take appropriate security measures to protect against unauthorized access to our unauthorized alteration, disclosure or destruction of data.
Please download latest SSL protection certificate
Read more>>
Unprotected browsers will not be able to Log in after September 24, 2008
Sincerely, Jenna Hooper.
2008 Google Adwords, Developing new services
The name at the end has no meaning within Google, and in fact we have seen 299 unique names listed so far, so there is a very high likelihood they are being randomly generated.
So far there are five domain names associated with this attack (we've requested that Register.com shutdown the domains already):
adwrss.com
ggoocom.com
meyolev.com
mitroces.com
spaentri.com
The domains, which were all created on September 22nd, hide behind the "Domain Discrete" service which seems designed to protect criminals:
Example Registrant (adwrss.com):
Domain Discreet
ATTN: adwrss.com
Avenida do Infante 50
Funchal, Madeira 9004-521
PT
Email: 8b09659a0a141150016552e5e91485b1@domaindiscreet.com
The initial file which is downloaded is 6,144 bytes in size. This tiny file, which is only a "dropper" for the real malware proves the relationship between this and other recent digital certificate spam.
GoogleADwordscertSEtup.exe = MD5 54fc18040782d53c9dc7f8365fe26367
SPlusWachoviadigicert.exe = MD5 54fc18040782d53c9dc7f8365fe26367
This is NOT an exact match with last week's CareerBuilder malware, which was also 6,144 bytes, but had a different MD5 hash value, but which matched the recent RBC and SunTrust Bank certificates.
CertEmployersectorSSL.exe = MD5 1dee8e8c891727c0868aa9486165824d
RBCCer_509.exe = MD5 1dee8e8c891727c0868aa9486165824d
SSLSunTrustsetupclient6783492.exe = MD5 1dee8e8c891727c0868aa9486165824d
The Google Adwords malware will download an additional file, called "file.exe" which is the actual keylogger. This keylogger sends its stolen data to the Piradius Network in Malaysia. Admins are encouraged to report any traffic they see leaving their network headed to IP addresses on this block:
124.217.248/24
The current IP address is 124.217.248.174, but several IP addresses on this network receive stolen data for other keyloggers as well.
The Keylogger is "context sensitive". An analysis performed on the malware by UAB Student Brian Tanner indicates that it detects particular login events and sends the data using these patterns:
http://%s%s?user_id=%.4u&version_id=%s&passphrase=%s&socks=%lu&version=%lu&crc=%.8x
URL: sniffer_ftp_%s
ftp_server=%s&ftp_login=%s&ftp_pass=%s&version=%lu
URL: sniffer_pop3_%s
pop3_server=%s&pop3_login=%s&pop3_pass=%s
URL: sniffer_imap_%s
imap_server=%s&imap_login=%s&imap_pass=%s
URL: sniffer_icq_%s
icq_user=%s&icq_pass=%s
It is also known to steal "generic" login events for various webpage logins. A machine infected with this keylogger will basically send every type of login data to the criminals who are behind the scheme.
The malware is dropped with "rootkit" capabilities. This means that traditional Windows methods of detecting whether a file is present will fail. The malware uses some of the following filenames:
ntoskrnl.exe
trust.exe
9129837.exe
new_drv.sys <=== a key part of the Root Kit
As with previous versions of Digital Certificate malware, the web pages for these domain names are hosted via the Botnet which the malware creates. For example, at this moment, the IP addresses resolving for adwrss.com are:
116.127.169.178, <= Hanaro Telecom, Korea
121.125.52.212, <= Hanaro Telecom, Korea
121.137.245.201, <= KorNet, Korea
121.175.13.103 <= KorNet, Korea
220.88.91.61, <= KorNet, Korea
75.51.103.215, <= AT&T, Saginaw, Michigan
79.117.195.143, <= RDSNet, Romania
93.1.15.7, <= Groupe N9uf Cegetel, Paris France
99.140.183.32 <= AT&T, Chicago, Illinois
99.227.84.87 <= Rogers Cable, Canada
But this pool shifts every few minutes. Hundreds of machines are part of this "hosting botnet".