Endpoint Protection

How to Prevent Buying a Fake Jeep - Trojan.Bayrob 

03-05-2008 12:07 AM

We have previously discussed Trojan.Bayrob without describing theentire attack from end to end. This article will show how the entirescam works from initial contact right through to the actual sale.Security experts at eBay are already well aware of it and working toprotect their customers.

Tip: It should be noted from the outset thatpotential buyers should read safety tips and follow preventativemeasures provided by their service provider.

To start with, take a look at this video for a walk-through of our analysis:

In order to attract potential victims the scammers first list carsfor sale on various auction sites. These auctions are not scams per se,but they are "legit" auctions that are used solely to attract potentialvictims—whoever asks a question or bids on these auctions becomes apotential victim. Once these auctions have expired the scammers get towork emailing each potential victim. These emails explain that thewinner of the original auction was unable to pay, so the car has beenre-listed on the auction. This email also contains a copy of the Trojandisguised as more pictures of the car for sale. The text of this emailis shown below:

(Click for larger image)

Tip: Computer users should always use caution whenopening email attachments, even if the attachment has been sent bysomeone they know.

When the attachment to this initial email is opened, it showspictures of the car for sale and also silently drops and executes theTrojan. The Trojan connects to various Bayrob servers to receiveconfiguration data and to notify the Bayrob controllers that the Trojanhas been run. The Bayrob controllers do not continue with the scam ofthat particular user until they have received notification from theTrojan that it is installed and working correctly on the user'smachine. The Trojan also contacts the sites geobytes.com andwhatsmyip.com in order to determine the buyer's location. This is doneso that the scammers can ensure that the car they offer is not locatednear the buyer. This guarantees that the buyer cannot offer to visitthe seller to view the car. Once the Bayrob controllers can confirmboth the buyers location and that the Trojan has been executed, theysend a new email to the buyer with details of how to view the newauction. Again the text of this email is shown below:

(Click for larger image)

Tip: Computer users should also use caution whenopening links that are found inside emails, even if the email is fromsomeone they know.

At this stage the buyer is infected with Trojan.Bayrob and theTrojan is intercepting all Internet traffic from the buyers machine.[1]The Trojan watches for the specific item number from the email aboveand when it sees that the user is trying to view a page related to thatitem number it shows a fake auction page instead. Shown below is a fakeauction, as viewed from an infected computer:

(Click for larger image)

However, viewing this item number on the auction site from a non-infected machine confirms that there is in fact no such auction:

(Click for larger image)

Not only does the Trojan show a fake auction, it is also able toshow fake feedback for the alleged seller too. When viewed from theinfected machine the feedback page for the auction user "brown44j"showed that the user has a feedback rating of 13:

(Click for larger image)

However, when viewed from a non-infected machine this users feedbackrating was shown to be only 1! Not only that, the user couldn’tpossibly be auctioning a Jeep since he is “no longer a registered user”anyway:

(Click for larger image)

Using a non-infected machine, we visited the link for “Items forsale” for this user. The resulting page confirmed that the user is notselling any Jeeps at the moment:

(Click for larger image)

Once this Trojan is running it can present any content it chooses asif it came from the auction site, when in fact it was received from theBayrob control servers instead. The scammers previously mentioned inthe email conversation that they had included a carfax.com report inthe auction listing. From previous analysis of this Trojan it was shownthat this Trojan is capable of intercepting traffic destined forcarfax.com. A screen shot of the fake carfax.com page is shown below.

(Click for larger image)

Viewing a report for the corresponding vehicle identification numberon carfax.com from a non-infected machine prompted the user to sign inor register instead. The Trojan is also capable of intercepting pagerequests for autocheck.com and presenting fake pages in their place.When this site was visited from an infected machine a “page notavailable” message was shown. Of course viewing autocheck.com from aclean machine we confirmed that autocheck.com is in fact available andserving pages. Perhaps the Trojan is having problems presenting fakepages from autocheck.com at the moment so it blocks access to the siteinstead.

Since this Jeep doesn’t actually exist and the auction isn’t reallyon the auction site the Jeep in question was bought using the fake “Buyit Now” button. A payment page was then presented:

(Click for larger image)

This is similar to the page shown when a legitimate auction has beencompleted. On the infected machine the Jeep was also listed in the“Items won” section:

(Click for larger image)

It is amazing how similar this is to what would be observed after areal auction had been completed. Clicking on any of the links relatingto this auction leads to fake pages showing not just fake information,but consistent fake information.

Of course when the account was viewed from a non-infected machine there were no items listed in the “Items won” section:

(Click for larger image)

The Trojan is also capable of presenting fake pages from escrow.comand ups.com; however, this part of the scam was not tested as it wouldrequire actually paying for this non existent car! Having seen how theTrojan works, we feel that you can draw your own conclusion about whatfake information would be shown in place of those real pages. Once thisTrojan is running on your machine it is impossible to trust any Webpage that you are viewing.

After the auction was completed, a page with the details of who tosend the money to was presented. The money was to be sent to a bankaccount in Phoenix, Arizona. This would no doubt be the account of amoney mule. These money mules then withdraw the money from theiraccounts and forward it anonymously to the real scammers (who are mostlikely not even in the US).

Tip: Potential buyers in online auctions should usecaution when paying for purchased items. Examples of recommendedpayment methods include using PayPal, which offers a buyer protectionprogram, and not using instant cash transfer services, such as WesternUnion and MoneyGram.

Due to how convincing this Trojan is, victims are often leftconfused when they realize they have been scammed. The victims' firstreaction to the scam is to contact the auction site for help. Of coursethe auction site will have no record of the transaction since therenever was an auction with that auction ID in the first place.

Tip: Anyone reading this that has been affected by this Trojan should contact their local police department.

The Trojan is in constant contact with the control servers and receives the following information and more on a regular basis:
• fake content to show infected users
• notification of new control servers becoming available
• configuration data about which sites to intercept traffic from
• new executables to run on the infected machine
• ban information (not sure what this is, but if it’s a ban list we’ll probably be on it soon ;-) )

To date we have observed the Trojan trying to contact the following control servers:
• detailsnum.com
• wai-k-mart.com
• onemoreshoot.com
• wal-stop-mart.com
• jdo24nrojseklehfn.com
• superdigitalprices.com
• wmwbc.com
• vam-ars.com
• cameradealsusa.com
• michelleorea.com
• morecamdeals.com
• toamnaiarna.com

The Trojan tries to contact both the .com and .net versions of thesedomains. (For example, detailsnum.com and detailsnum.net, although onlythe .com versions are listed above.)

Tip: Use a firewall to block access to these sites.

The domains that were specifically contacted during this auction were:
• Wmwbc.com
• Vam-ars.com
• toamnaiarna.com
• morecamdeals.com

* Update - 13:39 MDT, November 14, 2007

There may be some Romanian connection to this scam, because two of the domains used in the scam have some meaning in Romanian:
toamnaiarna.com : toamna = autumn, iarna = winter
Vam-ars.com : "V-am ars" means "I burnt you" (which can be taken to mean "I tricked you")

We have seen the group behind Trojan.Bayrob change the Trojan three times in the last week in an effort to avoid detection.

Tip: Please be sure to keep your antivirus definitions up to date.


[1] The Trojan is dynamically configured from the control servers.To date we have observed the Trojan intercepting traffic for thefollowing sites; however, be aware of the fact that this list can beupdated by the controllers at any time:
• my.ebay.com
• cgi.ebay.com
• offer.ebay.com
• feedback.ebay.com
• motors.search.ebay.com
• search.ebay.com
• us.ebayobjects.com
• pages.ebay.com
• pages.motors.ebay.com
• www.carfax.com
• wwwapps.ups.com
• motors.listings.ebay.com
• cgi1.ebay.com
• escrow.com
• my.escrow.com
• ecart.escrow.com
• www.escrow.com

0 Favorited
0 Files

Tags and Keywords

Related Entries and Links

No Related Resource entered.