Archive for July 8th, 2009


Jul 8
by Jonathan Leopando (Technical Communications)

June saw more than its fair share of mass website compromises, with one wave early in the month and Nine Ball hitting later on. One would hope that July would be different, but it was not to be.


Last week saw another wave of compromised websites that had one thing in common: they were all running ColdFusion. ColdFusion, now owned by Adobe, is a popular platform for developing Internet applications. Users attributed the effectiveness of this attack to older versions of certain ColdFusion applications that contained security vulnerabilities allowing attackers to upload code to the servers and execute it. The cybercriminals then modified the compromised sites to include iframes pointing to malicious websites.
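As an added example that is not part of the original post or of any Trend Micro tool, the following Python script hunts for the kind of injection described above: it parses each ColdFusion or HTML page under a web root and reports iframes that are hidden, sized to zero, or point at a host other than the site's own. The sample page, the hostnames and the file extensions are constructed assumptions for illustration.

```python
"""Find injected iframes in a site's files.

Added example: scans ColdFusion/HTML pages for iframes that are hidden,
sized to zero, or point at a host that is not the site's own.
"""
import os
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Inline styles attackers use to keep the injected frame off-screen.
HIDDEN_STYLE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)
PAGE_EXTENSIONS = (".cfm", ".cfml", ".html", ".htm")  # assumed page types


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag == "iframe":
            self.iframes.append({k: (v or "") for k, v in attrs})


def is_tiny(value):
    """True for width/height values such as "0", "1" or "0px" that make a frame invisible."""
    try:
        return int(str(value).strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def suspicious_iframes(html, site_hosts):
    """Return [(src, [reasons])] for iframes that look injected.

    `site_hosts` is the set of hostnames the site legitimately frames from.
    """
    parser = IframeCollector()
    parser.feed(html)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        host = (urlsplit(src).hostname or "").lower()
        reasons = []
        if is_tiny(attrs.get("width")) or is_tiny(attrs.get("height")):
            reasons.append("zero-size")
        if HIDDEN_STYLE.search(attrs.get("style", "")):
            reasons.append("hidden")
        if host and host not in site_hosts:
            reasons.append("external host")
        if reasons:
            hits.append((src, reasons))
    return hits


def scan_tree(root, site_hosts):
    """Walk a web root and return {file: hits} for every page with suspicious iframes."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.lower().endswith(PAGE_EXTENSIONS):
                continue
            full = os.path.join(dirpath, fn)
            with open(full, "r", encoding="utf-8", errors="replace") as fh:
                hits = suspicious_iframes(fh.read(), site_hosts)
            if hits:
                report[full] = hits
    return report


# Constructed sample page (not a real compromised site): one legitimate frame
# from the site's own host, one injected frame of the kind the attack used.
SAMPLE_PAGE = """<html><body>
<h1>Welcome</h1>
<iframe src="http://www.example.com/player.cfm" width="640" height="480"></iframe>
<iframe src="http://malicious.example/in.cgi?3" width="0" height="0"
        style="visibility:hidden"></iframe>
</body></html>"""
SITE_HOSTS = {"www.example.com"}  # assumed for the sample

if __name__ == "__main__":
    for src, reasons in suspicious_iframes(SAMPLE_PAGE, SITE_HOSTS):
        print(f"{src}  ({', '.join(reasons)})")
```

Run `scan_tree("/path/to/webroot", {"www.example.com"})` against a real site to get a per-file report. Injected frames are frequently emitted by obfuscated JavaScript rather than written as literal tags; that variant needs a separate check on `<script>` bodies, which this scanner deliberately leaves out.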

As with previous attacks, these compromised websites download a malicious file that Trend Micro detects as TROJ_DROPPER.PXQ onto the visitor's system. This file then drops and runs another file, detected as TROJ_DLOADR.XNI, which in turn downloads and executes files detected as TROJ_WIMPIXO.BG and TROJ_SOMEX.C.

Just like the other attacks, the end goal of this particular wave is to steal user information. The files in question are, however, already detected by the Smart Protection Network.


 

Jul 8
by Det Caraig (Technical Communications)

Earlier this month, TrendLabs security experts discovered that around 40,000 websites had been hacked and seeded with code that bombarded visitors' PCs with browser exploits to install a Trojan, which Trend Micro already detects as TROJ_FFSEARCH.A. This Trojan has also been found among the malware installed by another threat. It is known as FFSearcher, named after one of the websites used in the scam, ffsearcher.com.


Click fraud has become a rapidly growing problem for legitimate companies and advertising networks, as it inflates online advertising costs. In the past few years, cybercriminals have used malicious software to perpetrate click fraud by hijacking the results that search engines display whenever a user looks for something online. From the criminals' point of view, however, these scams are unwieldy: victims often quickly figure out that something is wrong when their searches are redirected to unfamiliar portals.

Click fraud Trojans are as old as Internet advertising itself. These usually come in one of the following two types:

  • Browser hijackers that change a user’s start page and searches to redirect to a third-party search engine
  • Trojans that silently pull down a list of advertising URLs and generate fake clicks on the ads in a hidden Internet Explorer window

The new Trojan, however, is different: every click on an advertisement is generated by the user, who does not notice any change in his or her Web-browsing activities.

The Trojan may also be downloaded unknowingly by a user visiting malicious websites. Once executed, it attaches an NTFS Alternate Data Stream (ADS) to a legitimate system file and then deletes its own .EXE file to hinder detection and removal, leaving only the ADS in place. It next connects to a remote URL to download its configuration file, after which it monitors the user's Web browsing and redirects Google searches to the website named in that configuration file.
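As an added example (not from the original post or from Trend Micro), the following Python script hunts for the persistence technique described above: it enumerates the named streams on every file under a directory with the Win32 FindFirstStreamW/FindNextStreamW API, ignores the Zone.Identifier stream that browsers attach to downloads, and flags any stream whose content begins with an MZ header, i.e. an executable hidden in the stream. The default directory, the allow-list of benign stream names and the verdict labels are assumptions for illustration; stream enumeration itself only works on Windows/NTFS.

```python
"""Hunt for executables hidden in NTFS alternate data streams (ADS).

Added example: enumerates every named stream under a directory and flags
streams whose content begins with a PE ("MZ") header. Windows/NTFS only.
"""
import ctypes
import os
import sys

MAX_PATH = 260
INVALID_HANDLE_VALUE = ctypes.c_void_p(-1).value
# Mark-of-the-Web stream that browsers attach to every download; expected noise.
BENIGN_STREAMS = {":Zone.Identifier:$DATA"}  # assumed allow-list for illustration


class WIN32_FIND_STREAM_DATA(ctypes.Structure):
    # Layout from the Win32 API: 64-bit size followed by the stream name.
    _fields_ = [("StreamSize", ctypes.c_int64),
                ("cStreamName", ctypes.c_wchar * (MAX_PATH + 36))]


def list_streams(path):
    """Return [(name, size)] for every *named* stream on `path`.

    The unnamed "::$DATA" stream is the file's normal content and is skipped.
    Names come back in the form ":evil:$DATA".
    """
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.FindFirstStreamW.argtypes = [ctypes.c_wchar_p, ctypes.c_int,
                                     ctypes.c_void_p, ctypes.c_uint32]
    k32.FindFirstStreamW.restype = ctypes.c_void_p
    k32.FindNextStreamW.argtypes = [ctypes.c_void_p, ctypes.c_void_p]
    k32.FindNextStreamW.restype = ctypes.c_int
    k32.FindClose.argtypes = [ctypes.c_void_p]

    data = WIN32_FIND_STREAM_DATA()
    # Second argument 0 = FindStreamInfoStandard; last argument is reserved.
    handle = k32.FindFirstStreamW(path, 0, ctypes.byref(data), 0)
    if handle in (None, INVALID_HANDLE_VALUE):
        return []  # not NTFS, access denied, or no streams at all
    streams = []
    try:
        while True:
            if data.cStreamName != "::$DATA":
                streams.append((data.cStreamName, data.StreamSize))
            if not k32.FindNextStreamW(handle, ctypes.byref(data)):
                break
    finally:
        k32.FindClose(handle)
    return streams


def classify_stream(name, head):
    """Verdict for a named stream from its name and first bytes.

    'pe'      - content starts with the DOS/PE "MZ" magic: an executable hidden in the stream
    'benign'  - a stream on the allow-list
    'unknown' - anything else; worth a look but not automatically hostile
    """
    if name in BENIGN_STREAMS:
        return "benign"
    if head[:2] == b"MZ":
        return "pe"
    return "unknown"


def hunt(root):
    """Walk `root` and return (file, stream, size, verdict) for every named stream."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            for name, size in list_streams(full):
                try:
                    # NTFS opens a stream by appending its name to the path: file.dll:evil:$DATA
                    with open(full + name, "rb") as fh:
                        head = fh.read(2)
                except OSError:
                    head = b""
                findings.append((full, name, size, classify_stream(name, head)))
    return findings


if __name__ == "__main__":
    if not hasattr(ctypes, "WinDLL"):
        sys.exit("ADS enumeration needs Windows/NTFS")
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.join(
        os.environ.get("SystemRoot", r"C:\Windows"), "System32")  # assumed default
    for full, name, size, verdict in hunt(target):
        if verdict != "benign":
            print(f"{verdict:<8}{size:>10}  {full}{name}")
```

A hit such as `pe  49152  C:\Windows\System32\calc.exe:update:$DATA` is the pattern to look for: the host file is untouched, the payload lives in the named stream, and ordinary directory listings and file-size checks never show it. The MZ check is a cheap first filter only; a payload stored encoded or compressed in the stream would land in the "unknown" bucket, so those entries still deserve a manual look.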


Trend Micro product users need not fret, though, as the Smart Protection Network already protects their systems from this threat.

 


© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice