Studying The GR Botnet: David Y. Wang University of California San Diego


Studying the GR Botnet

David Y. Wang
University of California San Diego
About Me
• 4th – 5th year PhD student in CSE Dept
• Advised by Geoff Voelker + Stefan Savage
• Majority of my research is related to abuse on the Web (i.e. black hat SEO, Web spam, drive-by downloads, etc.)
• This talk is mostly on the research I’ve done here the past couple of years
What is Google Search Poisoning?

Bethenny Frankel?
Background
• A Search Engine Optimization campaign is a large-scale, coordinated effort to obtain user traffic through underhanded means
– Supported by a botnet of compromised sites
– Manipulates search results
– Feeds traffic to scams (e.g. fake antivirus)
[Diagram: search poisoning flow with five numbered steps (1)–(5) between Attacker, Doorway, Search Engine, Web Crawler, User and Scams; the Web Crawler and the User each issue GET /index.html to the Doorway, and the User's search query is “volcano”.]
SEO Kit
• An SEO kit is software installed on compromised sites
– Allows backdoor access for the botmaster
– Performs Black Hat SEO (i.e. cloaking, content generation, user redirection)
– Typically they are obfuscated

Obfuscated form, as found on the compromised site (left of the slide; the listing is cut off on the slide):

    <?php
    if(!function_exists('cm4y2wui5w153'))
    {
     function cm4y2wui5w153($smcx)
     {$dix5xk='x);';…
    }
    ?>

Readable form, showing the kit's version constants (right of the slide):

    <?php
    // General  (original comment: Общее)
    define("GR_CACHE_ID", "v8_cache");
    define("GR_SCRIPT_VERSION", "v8.0 (28.02.2012)");
    ?>
Anecdote
• Obtained a copy of the SEO kit by contacting owners of compromised sites
– Roughly 40 attempts
– A handful were willing to help
– But, only 1 person was tech savvy enough to clean their site and send us a copy of the SEO kit
• Open challenge is to find site owners that are both willing and able to help
GR Botnet Architecture
• The GR Botnet is built using pull mechanisms and is comprised of 3 types of hosts:
– Compromised Web Sites act as doorways for visitors and control which content is returned to the user
– The Directory Server’s only role is to return the location of the C&C Server
– The C&C Server acts as a centralized content server for the Botmaster
Example of User Visit

[Diagram repeated over six slides: Directory Server, CNC Server and Compromised Web Sites, with the User on the left. The slides step through one visit:]
(1) User requests a page from a compromised site (HTTP GET index.html)
(2) Compromised site looks up the location of the CNC Server: it asks the Directory Server “Where is the CNC?”
(3) Directory Server answers “The CNC is @ 1.2.3.4”
(4) Compromised site fetches the content to return to the user from the CNC Server: “What should I return to the user?”
(5) CNC Server answers “Here are some scams for the user”
(6) User is redirected to scams
(Some) Results
• With the SEO Kit we could:
– Pull down links to the Web sites that comprise the botnet for crawling
– Interact w/ nodes of the botnet to confirm their membership
• Eventually, when GR became inactive, we set up a sinkhole to pose as the Directory Server to collect data on sites
GR Infrastructure
• GR is modest in size compared with other botnets
• There is little churn besides during version updates
• These sites are compromised for at least months

[Plot: # Compromised Web Sites (0–1000) by Date, Nov 11 to Jul 12; series: sum, mac, oem, v7, v8]
[Plot: # Sanitized Sites (0–600) by # Months compromised; bins <1, 1−2, 2−3, 3−4, 4−5, 5−6, 6−7, 7−8, >8, *]
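One way to turn the Directory-Server sinkhole data mentioned under Results into the per-version census and the months-compromised histogram shown on this slide. This is an added example, not the authors' code; the log line format, the hostnames, the observation end date and the 30-day "quiet" threshold used to call a site sanitized are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sinkhole log (not real GR data): one Directory-Server lookup per line, as
# received from a compromised site. The line format is an assumption: "<ISO time> <site> <kit version>"
SINKHOLE_LOG = """\
2011-11-03T10:12:00 example-shop.invalid v7
2012-02-01T11:00:00 example-shop.invalid v8
2012-01-20T09:45:00 blog.example.invalid v7
2012-03-02T14:20:00 blog.example.invalid v8
2012-07-09T16:00:00 blog.example.invalid v8
2012-05-11T12:00:00 forum.example.invalid v8
"""
OBSERVATION_END = datetime(2012, 8, 1)  # constructed end of the sinkhole period

def parse_checkins(log):
    """Return [(timestamp, site, version)] for every non-empty log line."""
    return [(datetime.fromisoformat(t), s, v)
            for t, s, v in (line.split() for line in log.splitlines() if line.strip())]

def sites_per_version(rows):
    """Distinct compromised sites seen running each kit version (the slide's v7/v8 series)."""
    seen = defaultdict(set)
    for _, site, ver in rows:
        seen[ver].add(site)
    return {ver: len(sites) for ver, sites in seen.items()}

def first_last_seen(rows):
    """Earliest and latest check-in per site."""
    span = {}
    for ts, site, _ in rows:
        lo, hi = span.get(site, (ts, ts))
        span[site] = (min(lo, ts), max(hi, ts))
    return span

def sanitized_sites(rows, end=OBSERVATION_END, quiet_days=30):
    """Sites silent for quiet_days before the end of observation: presumed cleaned up (assumed heuristic)."""
    return {site for site, (_, hi) in first_last_seen(rows).items()
            if hi < end - timedelta(days=quiet_days)}

def months_compromised_histogram(rows):
    """Bucket sanitized sites by months between first and last check-in (a lower bound) into the slide's bins."""
    bins = defaultdict(int)
    span = first_last_seen(rows)
    for site in sanitized_sites(rows):
        months = (span[site][1] - span[site][0]).days / 30
        label = "<1" if months < 1 else ">8" if months >= 8 else f"{int(months)}-{int(months) + 1}"
        bins[label] += 1
    return dict(bins)
```

A site that is still checking in at the end of the observation window is deliberately left out of the histogram, since its compromise duration is not yet known.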
(Some) Conclusions
• SEO botnets differ significantly from email spamming botnets
• Need multiple POVs to be comprehensive
• The GR botmaster appears to have given up after the decline of fake AV (the killer scam)