Bitdefender’s Cybercrime Investigation Unit analysed the disk images of the servers used to distribute the ICEPOL Trojan in cooperation with the Romanian National Police. The servers, located in Bucharest, Romania, were seized by the authorities, and the information retrieved was analysed together with Bitdefender as part of a technical cooperation program.
Between 1 May and 26 September 2013, the server had logged 267,786 successful installs of the ICEPOL Trojan. The USA and Germany were the countries most affected, with 42,409 and 31,709 installs respectively.
The overall number of machines infected worldwide is likely to be even higher, as this server was one of dozens distributing the ICEPOL Trojan, and the analysed network continued to operate after this particular server was taken offline for study purposes.
The ICEPOL Trojan extorted victims who downloaded it by sending them a message in any one of 25 languages purporting to be from police accusing them of downloading copyrighted material or illegal pornography. It then locked their desktop and demanded a payment in return for unlocking it.
Catalin Cosoi, Chief Security Strategist at Bitdefender, comments: “As our analysis demonstrates, the criminal underworld seems to have developed malware distribution networks (MDNs), which work much in the same way as legitimate CDNs, even down to the money-making referral and syndication schemes.”
The component responsible for registering malware distribution domains, called xstats, generated domain names on demand by concatenating four words drawn from a dictionary of 551 pornography-related words. The IP address for each new host was then chosen from a list of 45 unique IP addresses.
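A defender can turn the construction described above into a detection heuristic: a hostname whose registrable label splits cleanly into exactly four words from a known vocabulary is a strong candidate for a dictionary-based generator. The following is an added example, not Bitdefender's analysis tooling or the xstats code; its word list is a small constructed stand-in (the campaign's 551-word dictionary is not reproduced here), and the choice to strip hyphens before segmenting is an assumption.

```python
"""Flag hostnames built by concatenating a fixed number of dictionary words.

Added example: not Bitdefender's tooling or the xstats generator. The
vocabulary below is constructed and neutral; a real detector would load
the word list recovered from the campaign (551 words in the case analysed).
"""
from __future__ import annotations

from functools import lru_cache
from typing import Iterable

# Constructed sample vocabulary standing in for the generator's dictionary.
SAMPLE_WORDS = frozenset([
    "red", "blue", "green", "fast", "slow", "video", "photo", "free",
    "live", "cam", "club", "zone", "net", "top", "best", "new",
])


def segment(label: str, words: frozenset) -> list[list[str]]:
    """Return every way to split `label` into a sequence of dictionary words.

    Dynamic programming over the start index; the cache keeps the search
    polynomial even when many short words overlap.
    """
    @lru_cache(maxsize=None)
    def rec(i: int) -> tuple:
        if i == len(label):
            return ((),)
        out = []
        for j in range(i + 1, len(label) + 1):
            w = label[i:j]
            if w in words:
                for rest in rec(j):
                    out.append((w,) + rest)
        return tuple(out)

    return [list(s) for s in rec(0)]


def registrable_label(hostname: str) -> str:
    """Take the label directly left of the TLD (e.g. 'example' in 'www.example.com')."""
    parts = hostname.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_wordlist_dga(hostname: str, words: frozenset = SAMPLE_WORDS,
                    n_words: int = 4) -> bool:
    """True if the registrable label segments into exactly n_words dictionary words.

    n_words=4 mirrors the four-word construction described for xstats.
    """
    # Assumption: the generator may join words with or without hyphens.
    label = registrable_label(hostname).replace("-", "")
    return any(len(s) == n_words for s in segment(label, words))


def triage(hostnames: Iterable[str], words: frozenset = SAMPLE_WORDS,
           n_words: int = 4) -> list[str]:
    """Return the hostnames that match the dictionary-concatenation pattern."""
    return [h for h in hostnames if is_wordlist_dga(h, words, n_words)]


if __name__ == "__main__":
    # Constructed sample of observed hostnames (none are real indicators).
    observed = [
        "redbluefastvideo.com",      # four dictionary words -> flagged
        "live-cam-club-zone.org",    # hyphenated four words -> flagged
        "freecam.net",               # only two words -> not flagged
        "example.com",               # no dictionary segmentation
        "www.topbestnewfree.com",    # subdomain ignored, four words -> flagged
    ]
    for h in triage(observed):
        print("candidate dictionary-DGA domain:", h)
```

In practice the vocabulary matters more than the algorithm: once the campaign's word list is recovered from a seized server, the same segmentation can be run over passive-DNS or proxy logs to enumerate sibling distribution domains that share the generator. Because a large dictionary makes accidental four-word splits of legitimate names more likely, pair the match with a second signal such as resolution to a small shared IP pool (the 45 addresses in this case) before blocking.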
The pay-per-click module, named tds, simply redirected incoming traffic to a list of domains, presumably paying advertisers or other Trojan distribution sites. Traffic was routed according to an administrator-set list of filter rules, such as country of origin, operating system, browser type or the maximum number of clicks allowed.
Bitdefender’s analysis found that some of the traffic originated from several pornographic websites, in a so-called traffic exchange scheme.