Slashdot Mirror


Click-Fraud Trojan Politely Updates Flash On Compromised Computers

jfruh writes: Kovter is in many ways a typical clickfraud trojan: it hijacks the user's browser process to create false clicks on banner ads, defrauding advertisers and ad networks. But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

12 of 66 comments

  1. Alternate reason? by ArcadeMan · Score: 4, Insightful

    But one aspect of it is unusual: it updates the victim's installation of Flash to the most recent version, ensuring that similar malware can't get in.

    Or maybe it just wants to make sure that all ads are shown so that it can click on them.

    1. Re:Alternate reason? by meerling · Score: 3, Funny

      It's just protecting its turf.
      "This here's my #$&^!, you all go find a different one!" :P

  2. Re:Cowbird defense by gstoddart · Score: 4, Interesting

    Bah, tinfoil hat defense ... uninstall Flash on the premise it's full of security holes and is a waste of time.

    It always has been.

    I don't trust most sites to set cookies or run Javascript ... run Flash?

    No fucking way.

    --
    Lost at C:>. Found at C.
  3. Net positive? by Krishnoid · Score: 4, Interesting

    Not just "similar" malware, but anything that has a patched-to-date Flash infection vector. It might actually slow the spread of malware, while decreasing its own ability to spread, at least by that mechanism. And finally, when it's found and purged, the infected systems are somewhat more secure.

    Not saying this is a good idea, but it seems that if it spread enough, it could decrease infectable targets in the short-term, maybe drastically?

    1. Re:Net positive? by techno-vampire · Score: 3, Informative

      No, it has no effect on its own ability to spread, because it only updates Flash on machines it's already infected.

      --
      Good, inexpensive web hosting
  4. Secure Flash? by Anonymous Coward · Score: 3, Insightful

    Isn't "secure Flash" an oxymoron? Is there a "secure" version of Flash? Isn't that why we are migrating to HTML5 instead?

  5. Canadian! by Anonymous Coward · Score: 5, Funny

    It's fucking Canadian malware!

  6. Mixed Feelings by Anonymous Coward · Score: 3, Interesting

    I'm not sure how to feel about this. On the one hand, yes, trojans are bad. But on the other hand, anything that negatively impacts advertisers can't be all that bad.

    1. Re:Mixed Feelings by ArcadeMan · Score: 4, Informative

      A lightweight static image with a link to the product page? Sure.

      A multiple-files-download, drag-down-my-CPU dynamic HTML5 ad? Fuck you.
      An auto-playing video ad? Fuck you too.

  7. JailBreakMe.com by tlambert · Score: 4, Interesting

    JailBreakMe.com did a similar thing on iPhones: patched the tiff library exploit that it used to get on the phones in the first place, making it impossible to re-exploit.

    I did the same thing with the Commodore Amiga in 1985, modifying a boot virus to include a payload that would patch the MOVE from processor SR. This let me install a 68010, which let me run SVR3 on the thing, without breaking a lot of popular software like Magic Sack and Transformer, both of which used the privileged version of the instruction for no good reason.

  8. Politely? by Nemyst · Score: 4, Funny

    The trojan "politely" updates Flash? How would you do that "impolitely", exactly, by flashing a bunch of obscenities while updating Flash in the background?

  9. This is not news! by Demonoid-Penguin · Score: 4, Insightful

    It could have been news - if you told us what novel exploit it used, who benefited, and how. That would have been news - and interesting.
    But no - you had to put lipstick on a pig and try and flog the wedding night videos.

    Malware has been doing the same thing for a long time - closing the weaknesses it used for access. The only thing that sounds new is the "reporting" slant. Politely. WTF - does it say "excuse me"? [sigh]

    Samzenpuss - stop posting this shit please. (see that's polite).

    jfruh - stop submitting this click-bait slanted crap, please. e.g. "Japanese And U.S. Piloted Robots To Brawl For National Pride". All you had to do was say "fighting robots" and more people would have read the story - no need for the Fox News histrionics. Stop acting like a whipped dog trying to get your "stories" published. You just embarrass yourself.

    Thanks for lowering the standard.