My Russian colleagues Aleksandr Matrosov and Eugene Rodionov report that recently a cybercrime group called “Ready to Ride” has attracted their attention, by distributing malware of the Win32/Cycbot family. This group started in the fall last year, judging from the domain name registration date – readytoride.su was registered on 8th September 2010.

Its primary activities were substitution (index hijacking) of search engine results (Google, Bing, Yahoo) and clickjacking (hijacking the user's mouse-clicks and routing them invisibly to another page).

(We've written previously about Win32/Glupteba (https://www.welivesecurity.com/2011/03/02/tdl4-and-glubteba-piggyback-piggybugs), which was another example of malware used to drive BlackHat SEO (Search Engine Optimization).)

Although the “Ready to Ride” group originated in Russia it distributes Win32/Cycbot outside the borders of the Russian Federation. Going by the price per installation (see Figure 1) the primary target of the group is the US.

 
Figure 1

Win32/Cybot is distributed using a well-known PPI (Pay Per Install) scheme. To download the malicious executable each partner uses the URL it has paid for, which generally looks like this:

hxxp://1231.readytoride.su/adv.php?login=[partner_name]&key=[partner_key]&subacc=[partner_id]

After the bot has been successfully activated it submits its current status to the C&C (Command and Control) server from which it gets its instructions (SEND_INSTALL_REPORT_TM):

id=[bot_id]&hwid=[hardware_id]&step=[status]&wd=[win_ver]&av=[av_name]

While collecting information about the infected system it determines what antivirus software (if any) is being used by looking for a corresponding process name. Here is the list of AV software which is captured by the malware:

Figure 2

The C&C URLs are hardcoded into the Win32/Cycbot executable and are updated when a new version of Win32/Cycbot is downloaded:

Figure 3 

The bot is able to:

  • download executables
  • create new processes or new threads in an existing process
  • terminate processes and threads
  • check bot status in case one of the components was shut down
  • click on the references on a web page
  • inject JavaScript into web pages, substituting references and modify html
  • delete executables and downloaded files when instructed by the C&C server.

By means of injecting java script, diverting web searches, and modifying HTML code it is able to pass itself off as a user surfing web pages, so as to counteract systems intended to block clickjacking.

It is worth mentioning that the bot modifies the settings of the most popular browsers (Internet Explorer, Opera, Firefox). For instance, it modifies the file prefs.js used by the Firefox web browser to contain browser settings and preferences. It adds information about which proxy server to use. Similarly, it sets up a proxy using the HTTP protocol (127.0.0.1:[port_number]) for other browsers. 

Figure 4

The bot’s central component dispatches tasks received from the C&C server to other components:

Figure 5

Win32/Cycbot is a multithreaded application and just a single instance of the bot can handle dozens of tasks, clicking advertisements or poisoning web searches. Here is an example of the bot’s network activity, captured over several minutes.

Figure 6

David Harley, Senior Research Fellow
Aleksandr Matrosov, Senior Malware Researcher
Eugene Rodionov, Malware Researcher