Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kotver is in many ways a typical clickfraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

Alternate reason?

[ArcadeMan]

But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

Or maybe it just wants to make sure that all ads are shown so that it can click on them.

Re:Alternate reason?

[meerling]

It's just protecting it's turf.
"This here's my #$&^!, you all go find a different one!" :P

Re:Cowbird defense

[gstoddart]

Bah, tinfoil hat defense ... uninstall Flash on the premise it's full of security holes and is waste of time.

It always has been.

I don't trust most sites to set cookies or run Javascript ... run Flash?

No fucking way.

Net positive?

[Krishnoid]

Not just "similar" malware, but anything that has a patched-to-date Flash infection vector. It might actually slow the spread of malware, while decreasing its own ability to spread, at least by that mechanism. And finally, when it's found and purged, the infected systems are somewhat more secure.

Not saying this is a good idea, but it seems that if it spread enough, it could decrease infectable targets in the short-term, maybe drastically?

Re:Net positive?

There used to be a virus that patched broken IIS servers back in 90s and early 2000. One more for the road?

Re:Net positive?

[techno-vampire]

No, it has no effect on its own ability to spread, because it only updates Flash on machines it's already infected.

Secure Flash?

Isn't "secure Flash" an oxymoron? Is there a "secure" version of Flash? Isn't that why we are migrating to HTML5 instead?

Re:Secure Flash?

[TWX]

If the HTML5 implementations were conceived of as quickly as Flash exploded, my guess is that they're no more secure. The only difference is that people haven't started exploiting all of the bugs yet.

Re:Secure Flash?

Sure, but there is only one supplier of flash, who doesn't bother fixing the bugs. It is closed-source, so you can't even volunteer to help.

But HTML5 is not software, it is a spec. If you don't like, say, microsofts implementation, then you are free to roll your own or install some competing product. All browser vendors have their own html5 - pick a good one.

Canadian!

It's fucking Canadian malware!

Mixed Feelings

I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

Re:Mixed Feelings

"Let's kill all advertising ..."
I have no problem with this. If it means going back to pre-1995 Internet content, but with the modern tech that we have now, I have no problem with that either.
It's really irritating that the Ad Men think that the World revolves around them, and their various deceitful schemes. It doesn't.
I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.
Yes, I did buy a Powerbook G4 off of the Apple website once, but I already knew all about it- we used a _lot_ of them at work, and I got a discount.

"Wouldn't it be great, not to know about anything people are trying to create for you?"
Yes, it would. If it's any good, I'll find out about it eventually. I'm a Divvy.
I don't give a damn about something stupid that "...people are trying to create..." for me. I don't care to spend the time researching _anything_ that is "Market Driven".

Re:Mixed Feelings

[ArcadeMan]

A lightweight static image with a link to the product page? Sure.

A multiple-files-download, drag-down-my-CPU dynamic HTML5 ad? Fuck you.
An auto-playing video ad? Fuck you too.

Re:Mixed Feelings

I bought my first house, my first yacht, and my first Ferrari, all without the distraction of Internet advertising. The same goes for my first computer, my first test equipment, and my first girlfriend.

Your first girlfriend's low cut blouse was an advertisement.

The problem with ads online isn't the fact that they exist vs. not existing. It is the pervasiveness, literal bombardment and danger of them.

An analogy would be a girl wearing a low cut blouse - this says "hey, look at me - I'm on the market." That (non intrusive, 'just there but not engineered specifically to generate unconscious clicks') is fine.

This is far different than millions of women (ads), statistically likely to fuck you over, shoving their uncovered boobs in your face like it or not saying "fuck me - I want you.", legally justified in saying that because you walked into the bar where said exposed boobs are present and that it was you that made the first and forceable move (by visiting a given site) then making the argument that you raped them (clicked on) when you have a problem you ended up with an STD (virus/trojan/other).

Women are used only and analogy to continue the OP's point.

I think there is a point where TOS and user responsibility isn't valid when it contradicts the very instinctual human behavior being counted on by the website (ie - 'bar' or other 'social establishment'). Especially when the average user is like a naive virgin that does want to get laid but is being take advantage or because they don't understand the cost/benefit ratio.

Bottom line: internet advertising needs to clean up it's own shop. If it is to be trusted, THEY need to POLICE their own. If they don't, then they are harming themselves. They have no responsibility of course but it is in their own best interest to help weed out bad actors. If they don't then all actors are assumed to be suspect.

JailBreakMe.com

[tlambert]

JailBreakMe.com did a similar thing on iPhones: patched the tiff library exploit that it used to get on the phones in the first place, making it impossible to re-exploit.

I did the same thing with the Commodore Amiga in 1985, modifying a boot virus to include a payload that would patch the MOVE from processor SR. This let me install a 68010, which let me run SVR3 on the thing, without breaking a lot of popular software like Magic Sack and Transformer, both of which used the privileged version of the instruction for no good reason.

Politely?

[Nemyst]

The trojan "politely" updates Flash? How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

how is this unusual?

[bloodhawk]

how is this unusual behaviour? perhaps the author needs to get out more. this has been a well used approach by various hacking groups and malware for a long time to maintain exclusivity to compromised machines.

Re:The real question

[TheRealQuestor]

The real question is if it installs the McAfee, and if it doesn't anybody can point me out where can I get infected?

There is no McAfee anymore. Intel bought them a while back and now they are re-branded Intel Security.
http://www.mcafee.com/us/about...

This is not news!

[Demonoid-Penguin]

It could have been news - if you told us what novel exploit it used, who benefited, and how. That would have been news - and interesting.
But no - you had to put lipstick on a pig and try and flog the wedding night videos.

Malware has been doing the same thing for a long time - closing the weaknesses it used for access. The only thing that sounds new is the "reporting" slant. Politely. WTF - does it say "excuse me"? [sigh]

Samzenpuss - stop posting this shit please. (see that's polite).

jfruh - stop submitting this click-bait slanted crap, please. e.g. "Japanese And U.S. Piloted Robots To Brawl For National Pride". All you had to do was say "fighting robots" and more people would have read the story - no need for the Fox News histrionics. Stop acting like a whipped dog trying to get your "stories" published. You just embarrass yourself.

Thanks for lowering the standard.