Security Response

Downadup Motivations

Created: 23 Mar 2009 21:14:03 GMT • Updated: 23 Jan 2014 18:36:40 GMT
Eric Chien

As the April 1 payload delivery date nears for W32.Downadup.C (also known as Conficker), speculation continues on whether the payload will be one big April Fool’s joke or the equivalent of a cyber Pearl Harbor. While we can’t predict the future with certainty, we can look at the motivations behind past Downadup variants to postulate that the payload will likely fall somewhere between the two extremes.

The first Downadup variant (.A) provides the best evidence of the motivations of the Downadup authors. Like the most recent variant, Downadup.A had a payload delivery date, December 1, 2008, set some time after its initial release. On that date Downadup.A attempted to download its payload file from hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe. Downadup.A was never able to download its payload because the payload site was shut down, but the owner of trafficconverter.biz was heavily involved in pushing misleading applications (also known as rogue antispyware products) onto users’ machines. Misleading applications pretend to scan an affected computer for malicious threats, try to scare the user into believing the machine is infected when in fact it is not, and then attempt to convince the user to cough up $50-$100 for the “software” that will remove the non-existent threats.

The purpose of trafficconverter.biz (which is the same as traffic-converter.biz, and later, trafficconverter2.biz) was to recruit affiliates to help install misleading applications. In their own words:

"What is Traffic Converter?
Traffic Converter is affiliate program that helps webmasters to convert their traffic into cash.

How it works?
We are selling popular antispyware and security software products to surfers which you send to us. You receive $30 for each sale of our products.

Why does it work so good?
With our direct-marketing approach, aggressive promotion materials and advanced software products you can earn much more than with other affiliate or advertising programs."


By signing up with Traffic Converter, an affiliate received URLs that would download and install misleading applications such as XP AntiVirus. The owner of Traffic Converter owned and delivered these misleading applications through sister domains such as xpantivirus.com, antispyguard.com, antivirus2009online.com, and systemscanner2009.com. Previously, the majority of these sites were registered via Estdomains and Directi, both of which were well known for providing registrations for such sites. The misleading applications themselves, such as XP AntiVirus, appeared to be supplied by another party known as Innovagest 2000, which has also created a variety of similar clones such as AlfaCleaner and AntiMalware 2009.

With this history, the original motivation of Downadup appears pretty clear: to deliver misleading applications. However, Traffic Converter normally delivered misleading applications through affiliates who drove traffic to it by their own means, such as drive-by downloads or exploits placed in the advertisement rotations of ad networks. For an affiliate to get credit for an installation, they usually needed to supply a unique affiliate ID in the download or installation request. Some example URLs that led to Traffic Converter domains were:

hxxp://seamastersoft.com/soft.php?aid=0135&d-1&product=XPA&refer=3e6376a25
hxxp://onlineprivatescan.com/2009/1/freescan.php?id=880135
hxxp://traffic-converter.biz/s.php?nick=8801931355&group=880193&os=Windows

In each of the above examples, the “aid,” “id,” and “nick” parameters identify the affiliate who gets credit. These affiliates were making hundreds of thousands of dollars per month.

In the case of Downadup, however, the threat downloads an executable directly from the Traffic Converter domain, as hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe, without any affiliate parameter. This suggests that the owners of Traffic Converter, or a very close partner, are actually the people behind Downadup, rather than just an affiliate. Further, the directory name “4vir” may be short for “for virus,” referring to Downadup, and the “antispyware” subdirectory simply reconfirms the well-known fact that Traffic Converter is involved in misleading application downloads. The filename itself, loadadv.exe, was also commonly used by an earlier group known as IFrameBiz and/or IFrameCash, which provided similar pay-per-install services. Whether there is a connection to this earlier group or the filename is just a coincidence isn’t entirely clear.
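The attribution argument above rests on one observable: affiliate-driven installs carry an affiliate identifier in the request, while the Downadup.A fetch does not. The following script is an added example, not code from the original post or from Symantec, showing how an analyst could apply that test to a batch of URLs pulled from proxy logs. The domain list, the parameter names treated as affiliate identifiers (“aid”, “id”, “nick”, taken from the sample URLs in the post), and the sample URL set are all assumptions constructed for this example; in particular, “id” is a generic parameter name and will produce false positives on real traffic unless the domain list is tight.

```python
"""Triage URLs for pay-per-install affiliate credit (added example, not the post's code)."""
from urllib.parse import urlparse, parse_qs

# Parameter names observed carrying the affiliate identifier in the post's sample URLs.
# Assumption for this example: other networks use different names; extend as needed.
AFFILIATE_PARAMS = ("aid", "id", "nick")

# Domains the post ties to Traffic Converter. Constructed list for this example.
PPI_DOMAINS = {
    "trafficconverter.biz",
    "traffic-converter.biz",
    "trafficconverter2.biz",
    "seamastersoft.com",
    "onlineprivatescan.com",
}

# Sample input constructed from the URLs quoted in the post, plus one unrelated URL.
SAMPLE_URLS = [
    "hxxp://seamastersoft.com/soft.php?aid=0135&d-1&product=XPA&refer=3e6376a25",
    "hxxp://onlineprivatescan.com/2009/1/freescan.php?id=880135",
    "hxxp://traffic-converter.biz/s.php?nick=8801931355&group=880193&os=Windows",
    "hxxp://trafficconverter.biz/4vir/antispyware/loadadv.exe",   # Downadup.A payload URL
    "hxxp://example.com/index.php?id=42",                          # unrelated, constructed
]


def refang(url):
    """Turn the defanged 'hxxp://' notation used in reports back into a parseable scheme."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def classify(url):
    """Extract host, path and the first affiliate identifier found in the query string."""
    parts = urlparse(refang(url))
    # keep_blank_values so a malformed token such as 'd-1' does not abort parsing
    query = parse_qs(parts.query, keep_blank_values=True)
    affiliate_id = None
    for name in AFFILIATE_PARAMS:
        values = query.get(name)
        if values and values[0]:
            affiliate_id = values[0]
            break
    return {"host": parts.hostname, "path": parts.path, "affiliate_id": affiliate_id}


def triage(urls):
    """Label each URL by whether it reaches a known PPI domain and whether it credits an affiliate."""
    results = []
    for url in urls:
        info = classify(url)
        on_ppi = info["host"] in PPI_DOMAINS
        if not on_ppi:
            verdict = "unrelated"
        elif info["affiliate_id"]:
            verdict = "affiliate-credited install"
        else:
            # A fetch from a PPI domain with no affiliate ID is the pattern the post
            # points at: nobody is being paid per install, so the operator is not an affiliate.
            verdict = "direct fetch, no affiliate credit"
        results.append({**info, "on_ppi_domain": on_ppi, "verdict": verdict})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_URLS):
        print(f"{r['host']:<28} aff={str(r['affiliate_id']):<12} {r['verdict']}")
```

The interesting output line is the loadadv.exe entry: it is the only request to a Traffic Converter domain that carries no affiliate identifier, which is exactly the observation the post builds its inference on.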

Soon after trafficconverter.biz disappeared, the owners came back with a new site, trafficconverter2.biz. After only a few days of operation it again went down, this time with the owners claiming that their payment processor had blocked them and that they had no connection with Downadup. Denial of this kind, pointing the finger at a rogue affiliate, is a common tactic among those involved in pay-per-install schemes.

So, while we enjoy reading movie-plot scenarios in which Downadup becomes a “Dark Google” that searches for data on every infected computer, if the Downadup authors stick to their original intentions the more likely scenario is that they will try to recoup their investment by installing misleading applications or other pay-per-install software such as adware. However, considering the number of eyes now watching Downadup’s every move, we also can’t rule out the chance that the authors will veer from their original motives.

Message Edited by Trevor Mack on 03-23-2009 02:23 PM