# Bedep Ad-Fraud Botnet Analysis – Exposing the Mechanics Behind 153.6M Defrauded Ad Impressions A Day

**sentrant.com/2015/05/20/bedep-ad-fraud-botnet-analysis-exposing-the-mechanics-behind-153-6m-defrauded-ad-**
impressions-a-day/index.html

Posted by Sergei Frankoff 20 May
0 Comments

[Following on from our post on Angler EK we are going to expose the mechanics behind the](https://sentrant.com/2015/05/12/briefing-angler-exploit-kit/index.html)
Bedep ad-fraud malware. Recently Bedep has been observed as the payload dropped by the
Anger EK in a series of **[malvertising campaigns. These campaigns have lead to a rapid](https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-victim-of-large-malvertising-campaign/)**
[rise in the rate of Bedep infections, with Arbour Networks observing just above 80K](http://www.arbornetworks.com/asert/2015/04/bedeps-dga-trading-foreign-exchange-for-malware-domains/)
infections over a 3-day period.

Bedep has the ability to load multiple custom modules after infecting a host. In this briefing,
we will examine Bedep’s ad-fraud module and provide insight into how traffic from this bot is
laundered into the advertising ecosystem and used to defraud advertisers.

Bedep’s ad-fraud module is fairly sophisticated but it’s not as advanced as some of the adfraud bots we have analyzed, for example Kovter. It has features to circumvent current adfraud detection capabilities such as user behaviour emulation and referrer spoofing. With
these features, the bot is successful in defrauding advertisers on various sites, including ads
from some large advertisers such as American Express, British Airways, **BMO, and Ford**
on reputable exchanges such as Google’s doubleclick.


-----

## Bedep Traffic in The Advertising Ecosystem

While the topic of how bot traffic is introduced into the advertising ecosystem is complex, we
are going to use Bedep as an example to illustrate one of the more common ways that bot
traffic is laundered into the ecosystem before it is used to defraud advertisers.

Modern ad-fraud bots don’t directly click on ads as many may expect. Instead they use low
quality PPC exchanges to route their traffic to publishers who pay these exchanges for traffic.
Once the bot lands on the publisher’s site, it automatically defrauds all the ad impressions on
the site (and in some cases the video ads as well). The publisher has little incentive to block
this traffic as they are still being paid for the impressions, and likewise the low quality PPC
exchange has little incentive not to pay the bot masters as the publishers are paying them.
We want to be clear; neither the publishers nor the low quality PPC exchange may be
knowingly supporting the bot traffic, however, as long as they are still being paid there is little
incentive for them to investigate where the traffic originates.

Modern Traffic Laundering

Bedep uses multiple PPC exchanges backed by thousands of publishers to launder its traffic.
We have simply chosen one example to illustrate the full laundering chain.

We start with the PPC URL that is sent from the ad-fraud module’s command and control
server (C2). Here we see it redirects to the domain c.feed-xml.com which is a PPC feed for
the **[VertaMedia PPC exchange.](http://vertamedia.com/)**


-----

Bedep C2 Click URL directing browser to VertaMedia exchange

Next the VirtaMedia exchange redirects the bot another PPC exchange this time hosted by
**[eZanga. We see something interesting here, the Virta Media exchange has added the](http://www.ezanga.com/)**
following search parameters to the eZanaga request
“heavy+truck+insurance+home+carpet+cleaners”.

Bedep browser is redirected from VirtuMedia exchange to eZanga exchange

Finally eZanga redirects the bot to a publisher’s site virtustyle.com.


-----

eZanga redirects Bedep browser to publisher virtustyle.com

Once the Bedep Ad-Fraud bot is finally redirected to the publisher’s site virtustyle.com, it
loads the site and defrauds all of the impression ads. Some of the exchanges that are
serving ads on virtustyle.com are:

AdRoll
Conversant Media
Criteo
Vibrant Media

In our lab we observed a single Bedep bot load, on average, one website a minute. This is
due to the multiple threads that the Bedep operates, each running a seperate browser
instance. If we use the botnet size observed by Arbor as 80K bots and assume that each
infected machine is only operational for 8 hours a day, it means the Bedep botnet is visiting
**38.4M websites each day. To better estimate the impact of this fraud we can take a**
conservative estimate of 4 ads per page which gives us a minimum of 153.6M defrauded ad
**impressions a day. In our lab we observed Bedep loading multiple websites that used ad-**
stuffing to load hundreds of ads at a time. As a result we would expect the real number of
defrauded ad impressions to be a multiple larger than our 153.6M/day estimation.

## The Bedep Bot


-----

The loader portion of Bedep is the initial malware that is installed after a host is infected. The
loader is responsible for setting up persistence on the infected host and downloading
additional malware modules to monetize the infected host. The loader’s downloaded
payloads come in both 32bit and 64bit versions depending on the operating system of the
victim.

Like most current malware, the loader code has been designed with some light anti-analysis
tricks, the most frustrating of which is the fact that all strings are encrypted. We have
[released a string decryption tool on our github to assist with the decryption of these strings.](https://github.com/Sentrant/MiscTools/tree/master/bedep)
Once the strings have been decrypted the logic of the loader is fairly straight forward; it
installs a persistence mechanism then calls out to its command and control server (C2) to
download and run the monetization module (in this case an ad-fraud module).

## Persistence

When the loader is run it creates a hidden folder with a UUID the %PROGRAMDATA%. It
then copies itself to the folder as a DLL using a benign sounding name, in this case
**FntCache.dll.**

Bedep hidden folder and persistence DLL

For persistence, the loader creates a special Shell Extension for the current user that loads
this DLL.

The server to run the malicious loader DLL is located in the registry here:

**HKU\<User SID>\Software\Classes\CLSID\{F6BF8414-962C-40FE-90F1-**
**B80A7E72DB9A}\InprocServer32**

The Shell Extension is registered to the current user here:

**HKU\<User SID>\Software\Classes\Drive\ShellEx\FolderExtensions\{F6BF8414-962C-**
**40FE-90F1-B80A7E72DB9A}**


-----

Bedep Shell Extension persistence mechanism

## Loader C2 Communication

The Bedep loader uses a domain generation algorithm to dynamically generate the domain it
[is going to connect to. The folks over at Arbor have provided an excellent article explaining](http://www.arbornetworks.com/asert/2015/04/bedeps-dga-trading-foreign-exchange-for-malware-domains/)
how the DGA works and they even provided a tool to re-generate the domains. Instead of
posting the same information here we suggest you head over and read their report.

The C2 traffic itself is composed of a series of POST messages that contain encrypted
messages.

Bedep C2 traffic example

After analyzing the algorithm used to encrypt the message we determined that it was a
custom implementation of AES that used a 16 byte key (AES128). The key is encrypted and
hard coded in the binary. The developers had also cleverly encrypted the AES s-box in an
attempt to make analysis of the algorithm more difficult. The IV used in the AES encryption is
randomly generated for each request and prepended to the cypher text after encryption. The
IV plus cypher text is then base64 encoded and sent as the message in the POST.


-----

Bedep encryption algorythm

[We have released a tool that can be used to decrypt Bedep traffic on our Github.](https://github.com/Sentrant/MiscTools/tree/master/bedep)

The actual messages that are sent from the Bedep loader to the C2 are formatted JSON
while messages that are returned by the C2 are delimitated by the ‘#’ character and are
specific to the request sent by the bot. The command set used in the communication
consists of the following.

### Message Header

**Attribute** **Description**

protocolVersion The version of the communication protocol. This is hard coded in the
bot. This parameter must always be present in the request.

rev Bot revision. This is hardcoded in the bot. This parameter must always
be present in the request.

buildId Build ID for the bot. This is hardcoded in the bot. This parameter must
always be present in the request.


-----

botId This is a unique ID that is assigned to the bot by the C2 on first
communication. This parameter must be present in all requests after the
initial communication.

tags Tags is an array that contains the commands.

### Command Set

**Attribute** **Description**

ping This is the first command that is sent by the bot to establish communication
with the C2. The C2 responds with ID assigned to the bot.

zoo This command is used to download a set of DLLs. Currently we have not
investigated the purpose of these DLLs.

update This command is used to download and run the Bedep payload. In this case
the ad-fraud module.

stat This command is used to upload statistics on a specific job or command that
the bot is executing.

We recently noticed a slightly new variation on the traffic format for Bedep where the
encrypted message is split over a series of parameters in the POST message. These new
requests also have URL paths generated from the following strings (thanks to Moritz Kroll for
posting the full list to VirusTotal).


-----

```
functions_picturecomment.php

functions_online.php

functions_notice.php

functions_newpost.php

functions_misc.php

functions_log_error.php

functions_login.php

functions_legacy.php

functions_infractions.php

functions_forumlist.php

functions_forumdisplay.php

functions_filesystemxml.php

functions_file.php

functions_faq.php

functions_facebook.php

functions_external.php

functions_editor.php

functions_digest.php

functions_databuild.php

functions_cms_layout.php

functions_calendar.php

functions_bigthree.php

functions_banning.php

functions_attach.php

functions_album.php

functions_ad.php

functions.phÿ

database_error_page.html

database_error_message_ajax.html

database_error_message.html

class_dm_groupmessage.php

class_dm_forum.php

class_dm_event.php

class_dm_discussion.php

class_dm_deletionlog_blog.php

class_dm_deletionlog.php

class_dm_cms_widget.php

class_dm_cms_layout.php

class_dm_blog_trackback.php

class_dm_blog_rate.php

class_dm_blog_custom_block.php

class_dm_blog_category.php

class_dm_blog.php

class_dm_attachment.php

class_dm_album.php

class_dm.php

class_dbalter.php

class_datastore.php

class_database_slave.php

class_database_explain.php

class_core.php

class_bootstrap_framework.php

```

-----

```
class_bootstrap.php

class_blog_response.php

class_blog_entry.php

class_block.php

class_bitfield_builder.php

class_bbcode_blog.php

class_bbcode_alt.php

class_bbcode.php

class_apiclient.php

class_akismet.php

class_ajax_output.php

blog_init.php

blog_functions_shared.php

blog_functions_search.php

blog_functions_post.php

blog_functions_online.php

blog_functions_main.php

blog_functions_category.php

blog_functions.php

xmlsitemap.php

widget.php

showthread.php

showpost.php

sendmessage.php

search.php

report.php

register.php

profile.php

postings.php

posthistory.php

poll.php

online.php

newthread.php

newreply.php

misc.php

memberlist.php

member.php

login.php

list.php

infraction.php

groupsubscription.php

group.php

global.php

forumdisplay.php

css.php

converse.php

content.php

blog_post.php

blog_attachment.php

blog_ajax.php

attachment.php

assetmanage.php

```

-----

```
announcement.php

clear.php

asset.php

ajax.php

album.php

calendar.php

blog.php

forum.php

index.php

include

```
To use our decryption tool with this new format of traffic you simply need to extract all the
values from the parameters passed in the message body and concatenate them into a single
string.

New Bedep C2 traffic example

The values from the parameters in the request shown above have been extracted and
combined into the base64 string shown below. Once extracted and combined in this fashion
the string can be decrypted using the tool we released.

Extracted Bedep base64 string

## Bedep Ad-Fraud Module

The Bedep Ad-Fraud module that is downloaded via the “update” comes in both 32bit and
64bit versions. This module does not persist on the host and is downloaded when the Bedep
loader is started after a reboot. The Bedep loader uses process hallowing to inject the AdFraud module into benign processes.


-----

Processes injected with Bedep ad-fraud module

During operation, the Ad-Fraud module receives URLs of sites to browse from its command
and control (C2) server. It then opens a hidden instance of an embedded Internet Explorer
browser and programatically directs the browser to load the URLs it has received. We will
explain this process in detail below.

## Hidden Browser Setup

In order to hide its activity from users of the infected host the module creates a virtual
desktop that is uses to house all of its windows. More information on virtual desktops and a
[tool used to display them can be found in this blog post. In this case the module creates a](http://herrcore.blogspot.ca/2014/11/exposing-malware-in-hidden-desktops.html)
desktop called Default IME and then moves its process to this desktop.

Bedep creates a virtual desktop called “Default IME”

In addition to using a virtual desktop to hide the presence of its browser windows the AdFraud module also sets a number of in-line hooks in its process space to suppress events
that might notify a user that there is a hidden browser running on their host.


-----

Bedep hooks to hide browser

The PlaySound and waveOutOpen hooks simply null out the functions and serve to
suppress any sounds that might be generated by the Ad-Fraud module’s browsing, such as
the audio from videos. The SetFocus and DialogBox hooks also null out the functions but
they serve to suppress any visual queues that might indicate the presence of a hidden
browser, such as pop-ups.

In parallel with the hooks the module also sets a number of registry keys to configure the
behaviour of the embedded Internet Explorer browsers that it controls. This configuration is
both an attempt to suppress events that might notify a user of the operation of the browsers
and also an attempt to make the embed Internet Explorer browser behave similar to a real
Internet Explorer browsers. When the Internet Explorer browser is embedded and controlled
programatically some of its features differ from those of a real Internet Explorer browser. A
subset of these features can be detected by anti-fraud solutions as a way to detect bot traffic.
To circumvent these detection methods the Bedep Ad-Fraud module sets these registry keys
to ensure its embedded browsers have the same features as a real Internet Explorer
browser.


-----

## Ad-Fraud C2 Communication

One of the more peculiar aspects of the Bedep Ad-Fraud module is that its C2
communications are not encrypted. Given the level of sophistication in the Bedep loader C2
encryption it is surprising to see that the Ad-Fraud C2 traffic is sent in clear text.

Bedep Ad-Fraud module C2 traffic

As shown above the C2 sends a URL to load along with some attributes for the ad-fraud
module to spoof in its embedded Internet Explorer browser.

**Click Attribute** **Example**

Click URL http://[censored]/r.php?key=[censored]

Spoof Referer http://new-april-discount.net/search.php

Spoof User Agent Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64;
Trident/6.0)


Spoof
Language/Location


en-US


## Click URL Navigation

Before navigating to the click URL the Ad-Fraud module creates another set of hooks to
spoof the Language/Location and other attributes.

Bedep hooks to spoof User Agent and Language/Location


-----

Bedep uses its API hooks to spoof these values for its whole process space which means it
doesn’t need to deal with the mechanics of where these values might be queried (ie.
javascript, browser, flash, etc). This makes Bedep’s feature spoofing more robust than some
less advanced ad-fraud bots. The referer URL is spoofed by setting it directly using the
embedded Internet Explorer control API.

Once the click URL has been loaded in the embedded browser the Ad-Fraud module uses
some simple browsing behaviour emulation techniques in an attempt to trick any fraud
detection service. An example of this behaviour is some random mouse movement and left
clicking.

Bedep example of random mouse move and click

In addition to the behaviour emulation, the ad-fraud module also injects javascript that
attempts to play any flash videos on the page.

Bedep inject javascript to automatically play flash videos

## Conclusions


-----

While not the most advanced ad-fraud bot available Bedep represents a new type of
advance ad-fraud threat that is actively circumventing traditional ad-fraud detection and
defrauding high quality impressions from well established exchanges.

While we are actively working with our partners to identify and eliminate Bedep ad-fraud
traffic from the advertising ecosystem, we need help from security vendors and incident
responders to detect and remove this threat from endpoints. Our hope is that our report and
accompanying tools will be of assistance.

We have intentionally removed some of our analysis from this report because it;

may have given the malware developers insight into how we are able to detect this bot
and/or,
we believe it was not necessary information from an incident response perspective.

That being said, if you have any questions about our analysis or would like to know more feel
free to **[contact us. We are happy to share more information privately.](https://sentrant.com/contact/index.html)**

## Prior and Parallel Research

Kafeine has an excellent overview of Angler and Bedep. Also contains a note on Bedep’s
persistence mechanism.

**http://malware.dontneedcoffee.com/2015/01/unpatched-vulnerability-0day-in-**
**flash.html**

Arbor have an excellent analysis of the Bedep DGA and they also released a tool to replicate
it.

**http://www.arbornetworks.com/asert/2015/04/bedeps-dga-trading-foreign-exchange-**
**for-malware-domains/**

Spider labs have a report detailing some of the ad-fraud traffic they observed.

**https://www.trustwave.com/Resources/SpiderLabs-Blog/Bedep-trojan-malware-**
**spread-by-the-Angler-exploit-kit-gets-political/**

Malwarebytes have a post explaining how Bedep is tied to recent malvertising attacks.

**https://blog.malwarebytes.org/exploits-2/2015/01/top-adult-site-xhamster-victim-of-**
**large-malvertising-campaign/**

Zscaler also have a post covering Bedep related malvertising attacks.

**[http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html](http://research.zscaler.com/2015/01/malvertising-leading-to-flash-zero-day.html)**


-----

## Reference MD5 Hashes

Click Module: 2faf2044e18837d23aa325cb21f17c4b

Loader DLL (persistence): 46df78cf0eea2915422d84928dbc2462

Loader DLL (from Angler EK): 854646bdcf4da69c975dd627f5635037


-----