Xpaj Botnet Intercepts up to 87 Million Searches per Year

W32.Xpaj.B is one of the most complex and sophisticated file infectors Symantec has encountered. In an older blog post, Piotr Krysiuk calls it an “upper crust file infector.” He describes several different approaches that the infector uses to increase the difficulty in detecting infected samples. The techniques W32.Xpaj.B uses to conceal itself within an executable are far beyond the norm. Given this level of complexity, it was decided to analyze the threat in detail.

The analysis revealed IP addresses for the command & control (C&C) servers. Infected W32.Xpaj.B executables send a download request to these C&C servers. Analysis of the threat’s backend control infrastructure revealed more than just the data sent from the server to infected clients. The servers contained encrypted binary data, encryption keys, databases, and Web applications. These were all elements of what transpired to be a fraud operation spread over multiple computers hosted in several countries.

Reverse engineering the binary data, in conjunction with analyzing the Web applications, has built up a picture of a convoluted click-fraud scheme. The intricate details of how the fraud was implemented are fully described in the associated technical paper, W32.Xpaj.B: Making easy money from complex code [PDF]. An overview is presented here along with details of how widespread the threat was and how much money was earned.
 

How the scam works

W32.Xpaj.B is used as a first-stage downloader. W32.Xpaj.B initially gains access to a computer and subsequently spreads through this computer and shared drives, infecting files as it goes. It then downloads encrypted binary data, as previously mentioned.


 
Figure 1: Initial download from Xpaj client.

Once this binary data is executed, the threat continues to monitor Internet traffic with the intention of intercepting any searches or clicks performed by a user. The intercepted data is sent to the C&C server, which responds with a Web address that is actually an advertisement. Ultimately, the user is redirected to an advertisement against their wishes, which results in the fraudster getting paid by the advertiser for obtaining the click.

The actual process is more convoluted than this brief description, as is demonstrated by the number of steps in Figure 2. (The technical whitepaper breaks the process into stages and explains it more clearly.)


 
Figure 2: The threat process. (Full explanation in the whitepaper.)
 

The infrastructure behind the scam

Examination of several automated scripts running on the server, as well as encryption key names, has revealed a map of the infrastructure spread across multiple countries. Some of the servers involved served as first-level C&C servers. They received clicks and searches as described, and stored a record of all clicks in log files. Every 12 hours, these logs were copied to a central server. The central server then processed the log files, extracting the number of searches, clicks, and the amount earned per click. This data was stored in a database. The database effectively acted as the “accountant” behind the operation. Since the database credentials were stored in some Web application configuration data, access to the database was trivial. Complete statistics for the scheme could be examined.


 
Figure 3: The threat infrastructure.
 

Earnings

The amount of money earned in a click-fraud scheme depends on the number of infected clients and the number of searches and clicks performed by the infected clients. Although the count of infected clients is not stored in the database, the database server still stored the log files that had been uploaded from the C&C server. Processing these log files gave a record of the number of unique connections per day. The stored data ran from September 27, 2010, to June 27, 2011.


 
Figure 4: Unique connections per day.

The number of compromised computers is modest, at least in terms of botnet sizes (figure 4). The maximum number of connections per day is approximately 25,000 and is tapering off over time. The average number of connections per day is 11,100.


 
Figure 5: Clicks and searches over time.

The average of 11,100 connections per day results in an average of 241,000 searches per day, as shown in figure 5. That’s quite a bit of traffic, which explains the need for the distributed network topology observed. If these results are multiplied out over 365 days, the botnet could receive approximately 87 million searches in a year. Actual earnings can be retrieved from the database and are shown in figure 6.


 
Figure 6: Earnings in $USD over time.

During the given time range, the scheme grossed approximately $46,000 USD for the person(s) running the scam. The maximum earnings per day were $450 USD, with an average of £170 USD per day. At $170 per day, that’s a potential earning of $62,000 per year. (Tax free!)

Thanks to some IRC connection logs that were present on one of the servers, it is possible to hazard some guesses about the identity of the person or persons behind the scam. Read about these and other details in the associated W32.Xpaj.B whitepaper, which can be downloaded here. Symantec is working with the relevant hosting providers and other security vendors to ensure that this malicious infrastructure is shut down.