Slashdot Mirror

← Back to Stories (view on slashdot.org)

New Click-Fraud Attack Is Stealthiest Yet

Posted by kdawson on from the penny-here-penny-there dept.

An anonymous reader sends news from The Washington Post's Security Fix blog of a new Trojan horse program that takes click fraud to the next level. The Trojan, dubbed FFsearcher by SecureWorks, was among the pieces of malware installed by sites hacked with the Nine-Ball mass compromise, which attacked some 40,000 Web sites this month. The Trojan takes advantage of Google's "AdSense for Search" API, which allows Web sites to embed Google search results alongside the usual Google AdSense ads. (SecureWorks' writeup indicates that Yahoo search is targeted too, but the researchers saw no evidence if the malware redirecting Yahoo searches.) While most search hijackers give themselves away on the victim's machine by redirecting the browser through some no-name search engine, FFsearcher "...converts every search a victim makes through Google.com, so that each query is invisibly redirected through the attackers' own Web sites, via Google's Custom Search API. Meanwhile, the Trojan manipulates the victim's PC and browser so that the victim never actually sees the attacker-controlled Web site that is hijacking the search, but instead sees the search results as though they were returned directly from Google.com (and with Google.com in the victim browser's address bar, not the address of the attacker controlled site). Adding to the stealth is the fact that search results themselves aren't altered by the attackers, who are merely going after the referral payments should victims click on any of the displayed ads. What's more, the attackers aren't diverting clicks or ad revenue away from advertisers or publishers, as in traditional click fraud: They are simply forcing Google to pay commissions that it wouldn't otherwise have to pay." If FFSearcher were the only piece of malware on the machine, it would have a better chance of staying under the radar.

14 of 99 comments (clear)

  1. Re:How the server gets infected? by mrbene · · Score: 2, Informative

    The server in the Nine-Ball distribution could be any with an active exploit against it - an "infected" server is just one serving up pages with an iframe to the exploit site, so that site visitors would end up being attacked. Since any web server on any OS can serve up HTML...

  2. Re:How the server gets infected? by Seth+Kriticos · · Score: 5, Informative

    Reading the article helps - there is only one server: my-web-way.com , which is supposedly controlled by the attackers. The whois entry reveals, that it is registered in Moskow, Russia.. probably with a fake name.

    Now to what gets infected: Windows machines. It plays with DLL's and the Registry (described in the article).

    Interesting is: this peace of mallware does not directly (perceivably) damage the user of the infected machine, but it generates revenue through (semi fake) Google ad clicks. I wonder how they (Google) will react.. would guess that big corporations get quite pissed by this kind of stuff. Let's wait and see..

  3. The flaw in their foolproof plan by Dachannien · · Score: 2, Informative

    So, let me get this straight:

    The trojaneers' moneymaking is predicated upon people actually clicking on ads.

    Uh... good luck with that!

    1. Re:The flaw in their foolproof plan by michaelhood · · Score: 5, Informative

      Yeah, good thing no one clicks on Google's ads.

      Google reported $21,128,514,000.00 in ad revenues for FY2008.

  4. Read The Fine Summary by nacturation · · Score: 5, Informative

    Why would they waste their time? Surely there are easier ways to steal from adsense that don't involve putting people at risk...

    Were you just trying for first post, or did you have a point to make? "Why would they [the FFSearcher developers] waste their time?" Because it makes them money and, thus, is not a waste of time at all but rather quite the profitable use of their time. And from the summary, it sounds like FFSearcher does nothing malicious except for redirecting traffic such that it gets referral payments. How is that putting people at risk? And what are these easier-to-steal-from-adsense methods you're referring to?

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
    1. Re:Read The Fine Summary by calmofthestorm · · Score: 3, Informative

      Well, it's not directly harmful, but any malware on a machine is going to open up security vulnerabilities because it will usually:

      1) Act as a rootkit to hide itself
      2) Provide backdoor access

      Either of these can be exploited by a third party. Remember Sony's DRM rootkit? China's Green Dam Youth Escort?

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    2. Re:Read The Fine Summary by Anonymous Coward · · Score: 2, Informative

      The thing is, creator of this most likely is not a single person / group. What most articles fail to mention is that these eastern european/russian money-making schemes are usually affiliate programs itself. Affiliates get paid their percent from revenue from computers they're installed the software to. The affiliate program itself creates the software and handles everything else other than generating installs.

      Even if you happened to catch them, who would you sue? Even the catching part is a major headache, as russian gov does nothing and doesn't have extradition treaty with USA, so you probably wouldn't be seeing them in court anyways.

      Would you sue the affiliate program who only made the software and handled payments from google? As GP said, it probably would be legal in USA too, so theres not much to do on that front.
      Would you sue the affiliate who exploited vulnarebilities and hacked servers? That would be the only option, and even then its one affiliate down and others continue (if you happened to get him extradited to usa court, because frankly, their goverment doesn't seem to care at all)

      There is a reason why so much money-making-scheme malware comes from russia and eastern europe. Its basically a safe haven for adware/malware. Hell, even the conficker creator hasn't been catch yet and he is supposedly from Ukraine (first version of conficker was specifically avoiding ukraine computers). Security community even has one suspected home adsl ip located in Kiev, Ukraine that was used to test a connection from still-yet-to-be-released new variant of conficker, but like pirates usually also point out, ip address doesn't necessarely prove anything.

      There is still major headaches to just "sue" them and the fact they live in Russia is not the smallest, and click-frauds and such dont generally create much publicity and almost never goverments get involved in such. Hell, even when I've sent abuse reports to their hosting companies, nothing happens.

  5. Next step, bank accounts by mlts · · Score: 2, Informative

    This reminds me of the concern about bank fraud that IBM made the ZTIC device to help mitigate.

    First, the attack is click fraud, but its not that large a jump to target bank transactions. The malware can target a Web browser where a person thinks they transferred some cash to their savings from their checking, when in reality, their entire balance was just moved to an attacker's offshore account. The malware would be doing a man in the middle dance making the victim think that everything is fine, when in reality their account is empty.

    This type of attack would get around a lot of security measures used by banks today. The only real defense would be to have a separate device that shows transactions on it and one confirms or denies on that device as opposed to a potentially compromised computer.

  6. Re:Does this affect all browsers? by zarzu · · Score: 4, Informative

    the washington post article doesn't give you any more information than the summary, you should be reading the trojan analysis which is linked in both the summary and the article.

  7. Re:How the server gets infected? by nacturation · · Score: 2, Informative

    The goal is to get some website to distribute your payload, which consists of specially crafted HTML code. This can be done by simply posting a comment on any webpage which accepts and retransmits arbitrary HTML. Or it could be done by exploiting a bug in IIS, Apache, or other webserver software so that the original site serves up your payload. Or you could hack Windows or Linux to get the webserver to use your payload. The payload then exploits any number of browser bugs, whether Firefox, IE, or another browser to install software automatically into Windows when the victim visits a compromised website.

    --
    Want to improve your Karma? Instead of "Post Anonymously", try the "Post Humously" option.
  8. Re:Shut Down the Adsense Account? by zarzu · · Score: 2, Informative

    i don't think anything is keeping them from it, it's probably the first thing they did or are going to do. the problem is that they need to track the configuration of the trojan (which can be updated remotely) and keep shutting down accounts of the new search sites. it would be far more convenient if they had a possibility to determine click fraud by analyzing their stats, which is very difficult this way, as the fraud essentially looks the same as normal behavior. not having that option increases their work and increases the probability that there are different trojans running which they aren't aware off.

  9. Re:Does this affect all browsers? by jesser · · Score: 3, Informative

    Firefox and IE are the targets of the trojan once it already has control over your computer. That doesn't mean they are "vulnerable" or are in need of patches.

    Only the last link in the Slashdot article discusses how these attackers gained control over your computer:

    After redirection, the exploit payload site returns highly obfuscated malicious code. The malicious code attempts to exploit MS06-014 (targeting MDAC) and CVE-2006-5820 (targeting AOL SuperBuddy), as well as employing exploits targeting Acrobat Reader and QuickTime. The MS06-014 exploit code will download a Trojan dropper with low AV detection rate. This dropper drops a dll with the name SOCKET2.DLL to Windows' system folder. This file is used to steal user information. The malicious PDF file, served by the exploit site, also has very low AV detection rate.

    So, basically an IE hole that was fixed in 2006, plus a handful of plugin vulnerabilities. They didn't even bother looking for an old Firefox vulnerability to exploit, perhaps because too many Firefox users are up-to-date.

    --
    The shareholder is always right.
  10. Re:Does this affect all browsers? by Jahava · · Score: 5, Informative

    The virus itself is a complicated one. As per the article, it was installed on the system during a mass exploit dubbed Nine-Ball, which was loaded onto 40,000 legitimate websites. Visiting those sites caused the Nine-Ball script to execute, which redirected an iframe to a page containing malicious code which mounts a series of attacks. Those mentioned by the site are:

    • Exploit MS06-014, which targets the MDAC ActiveX control
    • Exploit CVE-2006-5820, which targets the AOL SuperBuddy ActiveX control
    • [Some] targeting Acrobat Reader"
    • [Some targeting] QuickTime

    So basically, an application (browser) visits this malicious page. If that application runs the ActiveX controls mentioned (and presumably Acrobat Reader and/or QuickTime), it was vulnerable to the initial Nine-Ball exploit. IE qualifies for all 4 of those; Firefox can use ActiveX (I believe, with a plugin), but not out of the box... however, it does have plugins for Acrobat Reader and QuickTime.

    If any of those vulnerabilities were present with the applicaton visited the iframe, it runs malicious code that installs a crapton of viruses on the host computer, among them the FFSearcher virus.

    Once FFSearcher is on your computer, it causes itself to get run all of the time, probably as Administrator. It then proceeds to:

    1. Executes a Windows root-kit to hide its presence
    2. Injects code into browser application processes; for IE, it will inject an IE-specific payload, and for Firefox, it will inject a Firefox-specific payload. Each payload causes the infected browser to do all the malicious redirecting that is described in lower-level detail in the article.

    So a nice, clean, and secure IE / Firefox get started up, but Windows, itself infected, loads the virus into them! No vulnerabilities are exploited, here. Since FFSearcher runs as Administrator, everything it does is straightforward and allowed by the system; it can do basically anything. What it chooses to do is target IE and Firefox. Since it's running as Administrator, it doesn't have to exploit any vulnerabilities in either; it just barges in and rewrites parts of them to do its bidding. Administrator can do things like that.

    In conclusion, there isn't any vulnerability in IE or Firefox that's involved in FFSearcher, and the only reason FFSearcher doesn't pwn other browsers is because the author didn't bother to write a payload for them, too. FFSearcher, itself, was installed due to some browser vulnerability that happened sometime, and now, permanently present on the system, takes advantage of its Administrator privileges to do some pretty wicked stuff.

  11. Re:How the server gets infected? by sexconker · · Score: 2, Informative

    Ads.
    Sites host ads.
    People buy ads through ad placement companies like Google.
    Bad people engineer ads to contain the exploit and payload.
    Site serves up bad ad.
    Users of site get fucked.

    It's always the fucking ads.